1007421 – Connectionless LDAP is broken for IPv6

Bug 1007421 - Connectionless LDAP is broken for IPv6

Summary: Connectionless LDAP is broken for IPv6

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openldap
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	beta
Target Release:	---
Assignee:	Jan Synacek
QA Contact:	David Spurek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	917637 1004442
TreeView+	depends on / blocked

Reported:	2013-09-12 13:06 UTC by Stef Walter
Modified:	2015-03-02 05:28 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openldap-2.4.35-7.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 12:05:33 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Patch for openldap 2.4.35 (8.61 KB, patch) 2013-09-12 15:16 UTC, Stef Walter	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenLDAP ITS	7694	0	None	None	None	Never
Red Hat Bugzilla	1018688	0	unspecified	CLOSED	Connectionless LDAP is broken for IPv6	2021-02-22 00:41:40 UTC

Internal Links: 1018688

Description Stef Walter 2013-09-12 13:06:34 UTC

Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is broken for IPv6 for current versions of openldap. Tested with version 2.4.35

It's not clear if this ever worked properly.

Connections immediately fail with:

ldap_search_ext: Can't contact LDAP server (-1)

Comment 1 Stef Walter 2013-09-12 13:11:52 UTC

The reason for this is that the LDAP_CONNECTIONLESS buffers include a prefix containing an address in a "struct sockaddr". However, struct sockaddr, is not a concrete type. In particular struct sockaddr_in6 is longer than struct sockaddr.

Noted here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l886

So this leads to failures when using IPv6 as the code assumes that the address length is equal to sizeof (struct sockaddr). Seen here:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/liblber/sockbuf.c;h=d997e92910954b943e5b3fe7139ff4caaeaf49bf;hb=HEAD#l940

Comment 3 Stef Walter 2013-09-12 15:15:43 UTC

Example command:

$ ldapsearch -d -1 -LL -H 'cldap://[2620:52:0:2223::1:1]' -b '' -s base '(&(DnsDomain=ad.baseos.qe)(NtVer=\06\00\00\00))' NetLogon

Output will contain this:

ldap_write: want=96 error=Invalid argument

Which is the EINVAL resulting from bad value passed to sendto().

Comment 4 Stef Walter 2013-09-12 15:16:56 UTC

Created attachment 796913 [details]
Patch for openldap 2.4.35

Comment 5 Jan Synacek 2013-10-08 10:48:23 UTC

I'm quite reluctant to apply this patch without it being upstreamed first.

Comment 6 Jan Synacek 2013-10-11 05:45:07 UTC

The fixes have landed in upstream git.

Comment 7 Jan Synacek 2013-10-14 11:53:47 UTC

Fix pushed to 'private-jsynacek-rhel-7-cldap-fix'.

http://pkgs.devel.redhat.com/cgit/rpms/openldap/commit/?h=private-jsynacek-rhel-7-cldap-fix&id=80e0e83b19c3bcbe04b91de9019a27c689d5bd54

Comment 12 Ludek Smid 2014-06-13 12:05:33 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.