Bug 720059
| Summary: | RDN with % can cause crashes or missing entries | | |
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Diego Woitasen <diego> |
| Component: | Directory Server | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 1.2.8 | CC: | amsharma, nhosoi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 720452 | Environment: | |
| Last Closed: | 2015-12-07 16:34:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 434915, 708096, 720452 | | |
Description
Diego Woitasen
2011-07-08 21:35:54 UTC
Backtrace:
#0 0x00007ffff550eb60 in strlen () from /lib64/libc.so.6
#1 0x00007ffff5e36c7c in cvt_s (ss=0x478056d0, fmt=<value optimized out>,
ap=<value optimized out>) at ../../.././mozilla/nsprpub/pr/src/io/prprf.c:396
#2 dosprintf (ss=0x478056d0, fmt=<value optimized out>, ap=<value optimized out>)
at ../../.././mozilla/nsprpub/pr/src/io/prprf.c:980
#3 0x00007ffff5e36e64 in PR_vsnprintf (out=<value optimized out>,
outlen=<value optimized out>, fmt=0xffffffff <Address 0xffffffff out of bounds>,
ap=0x7) at ../../.././mozilla/nsprpub/pr/src/io/prprf.c:1184
#4 0x00007ffff5e37103 in PR_snprintf (out=0x9 <Address 0x9 out of bounds>, outlen=115,
fmt=0x47805748 "\t") at ../../.././mozilla/nsprpub/pr/src/io/prprf.c:1164
#5 0x00007fffef1d5305 in _entryrdn_new_rdn_elem (be=<value optimized out>,
id=<value optimized out>, srdn=<value optimized out>, length=<value optimized out>)
at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1358
#6 0x00007fffef1d5984 in _entryrdn_index_read (be=0x8626f0, cursor=0x9004d0,
srdn=0x478079b0, elem=0x478079f0, parentelem=0x0, childelems=0x0, db_txn=0x0)
at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:2622
#7 0x00007fffef1d7acc in entryrdn_index_read (be=0x8626f0, sdn=<value optimized out>,
id=0x47807a7c, txn=<value optimized out>)
at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:368
#8 0x00007fffef1b16c9 in dn2entry (be=0x8626f0, sdn=0x47807ac0, txn=0x47807d30,
err=0x47807afc) at ldap/servers/slapd/back-ldbm/dn2entry.c:80
#9 0x00007fffef1b1885 in get_copy_of_entry (pb=0xb62cc0, addr=0x47807cd0,
txn=0x47807d30, plock_parameter=61, must_exist=1)
at ldap/servers/slapd/back-ldbm/dn2entry.c:261
Created attachment 512258 [details]
0001-Bug-720059-RDN-with-can-cause-crashes-or-missing-ent.patch
To ssh://git.fedorahosted.org/git/389/ds.git
d2960e2..0263e0b master -> master
commit 0263e0bffdfcb9cf59b7c6ba29f060987d06449a
Author: Rich Megginson <rmeggins>
Date: Mon Jul 11 10:08:56 2011 -0600
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: The code was using PR_snprintf to copy the RDN to the
buffer used to store the value in the entryrdn index. If there was
a % in the value, the PR_snprintf was interpreting the next char as a
formatting directive. But since we don't pass any varargs arguments,
the formatting directive was using random garbage on the stack, which
can lead to crashes or missing entries or other undefined behavior.
The fix is to use PL_strncpyz which will just copy the string up to
the correct buffer size and will make sure the string is properly
null terminated.
You can use a simple C program to illustrate this problem:
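    #include <stdio.h>
    #include <prprf.h> /* NSPR header that declares PR_snprintf */

    int
    main(int argc, char *argv[])
    {
        char buf[10];
        argv++;
        for (; *argv; ++argv) {
            /* Intentional bug: the command-line argument is used as the
             * format string, with no varargs to match its directives. */
            PR_snprintf(buf, sizeof(buf), *argv);
            printf("buf is [%s]\n", buf);
        }
        return 0;
    }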
gcc -o testit testit.c -lnspr4
Then pass in values like %d %100s %100.100s and so on. You will either
get crashes or random output.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
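
The fix described in the commit message above, as an added example (not code from 389 Directory Server or from this report). Standard `snprintf` stands in for `PR_snprintf`, and `store_rdn_copy` is a hypothetical stand-in for `PL_strncpyz`, so it builds without NSPR; `count_directives` is a hypothetical helper and the sample RDNs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Buggy pattern from the report, shown only as a comment:
 *     snprintf(buf, len, rdn);    -- rdn is parsed as a format string
 * Safe form 1: constant format, the RDN is passed as data. */
static void store_rdn_fmt(char *buf, size_t len, const char *rdn)
{
    snprintf(buf, len, "%s", rdn);
}

/* Safe form 2 (stand-in for PL_strncpyz, assumed contract per the fix
 * description): copy at most len-1 bytes and always NUL-terminate. */
static char *store_rdn_copy(char *buf, size_t len, const char *rdn)
{
    size_t n;
    if (!buf || !rdn || len == 0) return NULL;
    n = strlen(rdn);
    if (n >= len) n = len - 1;      /* truncate, leave room for the NUL */
    memcpy(buf, rdn, n);
    buf[n] = '\0';
    return buf;
}

/* Count '%' bytes that would start a conversion if the string were wrongly
 * used as a format ("%%" is a literal percent). Handy for choosing
 * regression-test RDNs that exercise the bug. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; ++s) {
        if (*s != '%') continue;
        if (s[1] == '%') { ++s; continue; }
        ++n;
    }
    return n;
}

int main(void)
{
    /* Constructed sample RDNs; "cn=%segu" matches the entry used in the
     * verification on this page. */
    const char *samples[] = { "cn=%segu", "cn=%100.100s", "cn=100%%", "cn=plain" };
    char a[16], b[16];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i) {
        store_rdn_fmt(a, sizeof a, samples[i]);
        store_rdn_copy(b, sizeof b, samples[i]);
        printf("%-14s directives=%d fmt=[%s] copy=[%s]\n",
               samples[i], count_directives(samples[i]), a, b);
    }
    return 0;
}
```

Both safe forms store the `%` bytes verbatim and truncate to the buffer size, which is the behaviour the entryrdn index needs.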
The patch works for me. I built the packages with the patch applied if anybody needs them:
http://50.57.106.86/files/389-ds-base-1.2.8.3-2.1.diegows.x86_64.rpm
http://50.57.106.86/files/389-ds-base-libs-1.2.8.3-2.1.diegows.x86_64.rpm

    [root@rheltest ~]# ldapadd -x -h localhost -p 1389 -D "cn=directory manager" -w Secret123 << EOF
    > dn: ou=SUDOers,ou=groups,dc=pnq,dc=redhat,dc=com
    > ou: SUDOers
    > objectClass: top
    > objectClass: organizationalUnit
    > EOF
    adding new entry "ou=SUDOers,ou=groups,dc=pnq,dc=redhat,dc=com"

    [root@rheltest ~]# ldapadd -x -h localhost -p 1389 -D "cn=directory manager" -w Secret123 << EOF
    > dn: cn=segu,ou=groups,dc=pnq,dc=redhat,dc=com
    > gidNumber: 1100
    > objectClass: top
    > objectClass: groupofuniquenames
    > objectClass: posixgroup
    > cn: segu
    > EOF
    adding new entry "cn=segu,ou=groups,dc=pnq,dc=redhat,dc=com"

    [root@rheltest ~]# ldapadd -x -h localhost -p 1389 -D "cn=directory manager" -w Secret123 << EOF
    > dn: cn=%segu,ou=SUDOers,ou=groups,dc=pnq,dc=redhat,dc=com
    > objectClass: top
    > objectClass: sudoRole
    > cn: %segu
    > sudoUser: %segu
    > sudoHost: ALL
    > sudoCommand: /usr/bin/passwd root
    > sudoCommand: /usr/sbin/useradd
    > sudoCommand: /usr/bin/passwd
    > sudoCommand: /usr/bin/chage
    > sudoCommand: /usr/sbin/userdel
    > sudoCommand: /sbin/pam_tally2
    > sudoOption: !authenticate
    > EOF
    adding new entry "cn=%segu,ou=SUDOers,ou=groups,dc=pnq,dc=redhat,dc=com"

Hence VERIFIED.