Red Hat Bugzilla – Bug 1002161
large number of sudo rules results in error - Unable to create response: Invalid argument
Last modified: 2013-11-21 17:22:15 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2059 This code in sss_packet_grow() is used to pad data to 512 bytes. {{{ if (totlen < len) { int n = len % SSSSRV_PACKET_MEM_SIZE + 1; totlen += n * SSSSRV_PACKET_MEM_SIZE; if (totlen < len) { return EINVAL; } } }}} If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number, we can end up with totlen < len and return EINVAL. It also does not pad the length, but usually allocates much more memory than is desired. {{{ len = 1024 n = 1024 % 512 + 1 = 0 + 1 = 1 totlen = 1 * 512 = 512 => totlen < len len = 511 n = 511 % 512 + 1 = 511 + 1 totlen = 512 * 512 = 262144 totlen is way bigger than it was supposed to be }}} Operator / should be used instead of %.
Steps to reproduce: 1. create large amount of large rules so that their combined size exceeds 265KB 2. run sssd 3. login as sudo user associated with these rules 4. $ sudo -l User user-1 is not allowed to run sudo on client. In sssd_sudo.log you will see: [sudosrv_cmd_send_reply] (0x0020): Unable to create response: Invalid argument
Fixed upstream.
Verified and automated the bug on SSSD version : sssd-1.9.2-127.el6.x86_64 Steps followed during verification: 1. Created hundreds of different groups with an ldap user as member to all. 2. Assigned large sudo rules to all the groups, thereby associating the ldap user with numerous sudo rules. 3. Reproduced the bug with older build by executing "sudo -l". Got the following error message in sssd_sudo.log: # cat /var/log/sssd/sssd_sudo.log | grep "Invalid argument" (Wed Sep 11 16:08:14 2013) [sssd[sudo]] [sudosrv_cmd_send_reply] (0x0020): Unable to create response: Invalid argument (Wed Sep 11 16:09:06 2013) [sssd[sudo]] [sudosrv_cmd_send_reply] (0x0020): Unable to create response: Invalid argument See the automated beaker output of the bug: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Bug 1002161 - large number of sudo rules results in error :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Running '> /var/log/sssd/sssd_sudo.log' Stopping sssd: [ OK ] [ OK ] sssd: [ OK ] :: [07:16:08] :: Sleeping for 5 seconds :: [ PASS ] :: Running 'restart_clearing_cache' sudo_test_user:*:13111:10021:Kuch toh:/home/sudo_test_user:/bin/bash :: [ PASS ] :: Running 'getent passwd -s sss sudo_test_user' [sudo] password for sudo_test_user: :: [ PASS ] :: User can execute sudo command :: [ PASS ] :: File '/var/log/sssd/sssd_sudo.log' should not contain 'Unable to create response: Invalid argument' NOTE: With the latest build, user is able to execute sudo commands successfully.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1680.html