Bug 670906

Summary: ldapcmp crashes on large attribute diffs
Product: Red Hat Enterprise Linux 6
Reporter: Martin Poole <mpoole>
Component: mozldap
Assignee: Rich Megginson <rmeggins>
Status: CLOSED WONTFIX
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.0
CC: benl
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 670905
Environment:
Last Closed: 2011-01-19 16:29:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 670905
Bug Blocks:

Description Martin Poole 2011-01-19 16:15:28 UTC
+++ This bug was initially created as a clone of Bug #670905 +++

Created attachment 474307
large attribute object ldif

Description of problem:

ldapcmp crashes when comparing two attributes that require more than 1000 characters to print their values. It also crashes if the total differences in an object require more than 5000 characters to display.


Version-Release number of selected component (if applicable):

mozldap-tools-6.0.5-1.el5

How reproducible:

always

Steps to Reproduce:

load attached cmpcrash.ldif into one server
load slightly modified version (one char in description) into second server.
ldapcmp -b cn=cmpcrash,dc=example,dc=com -h server1 -h server2

Actual results:

*** buffer overflow detected ***: /usr/lib/mozldap/ldapcmp terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x21f431]
/lib/libc.so.6[0x21e807]
/usr/lib/mozldap/ldapcmp[0x804aa23]
/usr/lib/mozldap/ldapcmp[0x804b209]
/lib/libc.so.6(__libc_start_main+0xdc)[0x14ee9c]
/usr/lib/mozldap/ldapcmp(__gxx_personality_v0+0xbd)[0x804a2c1]
======= Memory map: ========
Aborted


Expected results:

DN:cn=cmpcrash,dc=example,dc=com

cn=cmpcrash,dc=example,dc=com
different: description
        1: This is a very long attribute designed to crash the ldapcmproutine, and as long as I have at least 500 characters in this descriptionit will crash due to the use of a fixed size buffer of 1000 charactersin the cmp_attrs routine to display both attributes.There is also a problem if the total diffs between a pair of objects exceedsa total of 5000 characters due to a different fixed-size buffer.and the padding data which we tweak between servers.0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
        2: This is a very long attribute designed to crash the ldapcmproutine, and as long as I have at least 500 characters in this descriptionit will crash due to the use of a fixed size buffer of 1000 charactersin the cmp_attrs routine to display both attributes.There is also a problem if the total diffs between a pair of objects exceedsa total of 5000 characters due to a different fixed-size buffer.and the padding data which we tweak between servers. version b.

Additional info:

This is due to the use of fixed-size buffers in cmp_attrs()
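
As an added illustration (not mozldap code and not part of the report), this C sketch shows the defensive shape for the display path the report describes: the diff text for one attribute, and for the whole object, goes into a buffer that is grown before every append instead of a fixed 1000- or 5000-byte array. The names strbuf_t, sb_append, append_attr_diff, format_attr_diff and demo_total_diff_len are hypothetical; the output layout copies the Expected results above, and the oversized values are constructed inline.

```c
#include <stdlib.h>
#include <string.h>

/* Growable buffer standing in for the fixed 1000/5000-byte arrays the report describes. */
typedef struct { char *data; size_t len, cap; } strbuf_t;
static int sb_append(strbuf_t *sb, const char *s)
{
    size_t n = strlen(s), need = sb->len + n + 1;
    if (need > sb->cap) {                       /* grow geometrically, before writing */
        size_t cap = sb->cap ? sb->cap : 256;
        while (cap < need) cap *= 2;
        char *p = realloc(sb->data, cap);
        if (!p) return -1;
        sb->data = p; sb->cap = cap;
    }
    memcpy(sb->data + sb->len, s, n + 1);       /* copies the NUL too */
    sb->len += n;
    return 0;
}

/* Append one "different:" block in the layout ldapcmp prints (see Expected
 * results). Returns 0 on success, non-zero if an allocation failed. */
int append_attr_diff(strbuf_t *out, const char *attr, const char *v1, const char *v2)
{
    return sb_append(out, "different: ") || sb_append(out, attr) ||
           sb_append(out, "\n        1: ") || sb_append(out, v1) ||
           sb_append(out, "\n        2: ") || sb_append(out, v2) ||
           sb_append(out, "\n");
}
/* One block as a freshly malloc'd string (caller frees), NULL on failure. */
char *format_attr_diff(const char *attr, const char *v1, const char *v2)
{
    strbuf_t sb = { NULL, 0, 0 };
    return append_attr_diff(&sb, attr, v1, v2) ? (free(sb.data), (char *)NULL) : sb.data;
}

/* Constructed input: two 1999-byte values differing in one character (past the
 * 1000-byte limit), repeated three times so the whole diff passes 5000 bytes.
 * Returns the total diff length instead of overflowing a fixed array. */
size_t demo_total_diff_len(void)
{
    static char v1[2000], v2[2000];
    memset(v1, 'a', sizeof v1 - 1); v1[sizeof v1 - 1] = '\0';
    memcpy(v2, v1, sizeof v1); v2[0] = 'b';     /* the one-character change */
    strbuf_t sb = { NULL, 0, 0 };
    for (int i = 0; i < 3; i++)
        if (append_attr_diff(&sb, "description", v1, v2)) { free(sb.data); return 0; }
    size_t len = sb.len; free(sb.data); return len;
}
```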

Comment 1 RHEL Program Management 2011-01-19 16:28:36 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 2 Rich Megginson 2011-01-19 16:29:45 UTC
mozldap is not in RHEL6 - closing the RHEL6 bug