Bug 204623 - deleting attributes when changing password causes server crash
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Directory Server
Version: 1.0.2
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Rich Megginson
Viktor Ashirov
Blocks: 152373 fds103trackingbug 240316
Reported: 2006-08-30 10:24 EDT by Michal Vocu
Modified: 2015-12-07 11:56 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 11:56:41 EST


Attachments
patch (486 bytes, patch)
2006-08-30 10:24 EDT, Michal Vocu
new diffs for mod_values case (919 bytes, patch)
2006-10-12 17:55 EDT, Rich Megginson
perl script used to verify bug with (630 bytes, application/x-perl)
2007-12-11 17:17 EST, Michael Gregg

Description Michal Vocu 2006-08-30 10:24:23 EDT
Description of problem:
The server crashes when performing a single operation involving both password
change and attribute deletion, if the password is subject to password policy
syntax checking.


Version-Release number of selected component (if applicable):
1.0.2

How reproducible: Always.


Steps to Reproduce:
1. create password policy with password syntax checking on
2. modify userPassword and delete another attribute using a single operation, like
(in Perl):

$ldap = new Net::LDAP(...);
...
# replace with an empty value list for mail deletes that attribute
$ldap->modify("dn",
               changes => [ replace => [ mail => [], userPassword => "pw" ] ]
             );
  
Actual results: Server crash.


Expected results: Server performs the requested operation.


Additional info:

The function mod2smod does not check for mod->mod_bvalues being NULL and tries
to dereference it (modutil.c:370). This function happens to be called only by
slapi_mods_get_{first,next}_smod(), which are in turn called only by
check_trivial_words() in pw.c; this is why the crash appears only when checking
password syntax.

The attached patch fixes that.
Comment 1 Michal Vocu 2006-08-30 10:24:23 EDT
Created attachment 135210 [details]
patch
Comment 2 Rich Megginson 2006-08-30 11:37:17 EDT
Thanks!
Comment 3 Rich Megginson 2006-09-29 17:23:05 EDT
We would like to get this fix into the upcoming 1.0.3 version.  However, in
order to use your patch, we require either an Individual or Corporate
Contributor License Agreement.  Please see
http://directory.fedora.redhat.com/wiki/Contributing for more information.
Comment 4 Rich Megginson 2006-10-09 16:13:49 EDT
Have you submitted your CLA yet?  This is required, otherwise we cannot accept
your patch for inclusion in the product.
Comment 5 Michal Vocu 2006-10-11 10:23:01 EDT
I did about an hour ago; hope it got through. Sorry, I did not mean to cause
delays in schedule.
Comment 6 Rich Megginson 2006-10-11 10:34:32 EDT
Thanks!

> Sorry, I did not mean to cause delays in schedule.

No, no problem.  I should have asked you to submit a CLA months ago when you
submitted the patch.  I keep forgetting.  We're all still getting used to this
open source development process.

Thanks again for the patch and keep them coming!
Comment 7 Rich Megginson 2006-10-12 17:55:21 EDT
Created attachment 138386 [details]
new diffs for mod_values case

Looks like we have the same problem in the mod_values case (even though the
code says this should never be called, better to be safe than sorry).
Comment 8 Noriko Hosoi 2006-10-13 13:50:10 EDT
Looks good!
Comment 9 Rich Megginson 2006-10-13 13:57:41 EDT
Reviewed by: nhosoi (Thanks!)
Files: see diff
Branch: HEAD
Fix Description: From Michal: "The function mod2smod does not check for
mod->mod_bvalues being NULL and tries
to dereference it (modutil.c:370). This function happens to be called only by
slapi_mods_get_{first,next}_smod(), which are in turn called only by
check_trivial_words() in pw.c; this is why the crash appears only when checking
password syntax."
I added the same check for the mod_values case - even though the
code says this should never be called, better to be safe than sorry.
Platforms tested: RHEL4

Checking in modutil.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modutil.c,v  <--  modutil.c
new revision: 1.6; previous revision: 1.5
done
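
The NULL check described in the report and extended in Comment 9, shown as an added example that is not the project's code or either attached patch. The types, constants and function names (`demo_mod`, `DEMO_MOD_BVALUES`, `count_values_checked`, ...) are simplified stand-ins assumed for illustration, and the sample modifications are constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified stand-ins for the LDAP modification types (assumed for this
 * example; not the server's definitions). */
#define DEMO_MOD_REPLACE 0x02
#define DEMO_MOD_BVALUES 0x80

struct demo_berval { size_t len; const char *val; };
struct demo_mod {
    int op;
    const char *type;
    union {
        const char **strvals;        /* string values, NULL-terminated */
        struct demo_berval **bvals;  /* binary values, NULL-terminated */
    } vals;                          /* NULL when the request carried no values */
};
/* Unchecked form: indexes the array without testing the array pointer.
 * Only safe when a value array exists; a NULL array is the reported crash. */
static size_t count_values_unchecked(const struct demo_mod *m)
{
    size_t n = 0;
    while (m->vals.bvals[n] != NULL)
        n++;
    return n;
}

/* Checked form: test the array pointer before indexing, in both branches. */
static size_t count_values_checked(const struct demo_mod *m)
{
    size_t n = 0;
    if (m->op & DEMO_MOD_BVALUES) {
        while (m->vals.bvals != NULL && m->vals.bvals[n] != NULL)
            n++;
    } else {
        while (m->vals.strvals != NULL && m->vals.strvals[n] != NULL)
            n++;
    }
    return n;
}

int main(void)
{
    struct demo_berval pw = { 2, "pw" };
    struct demo_berval *pw_vals[] = { &pw, NULL };
    struct demo_mod set_pw = { DEMO_MOD_REPLACE | DEMO_MOD_BVALUES, "userPassword", { .bvals = pw_vals } };
    struct demo_mod del_mail = { DEMO_MOD_REPLACE | DEMO_MOD_BVALUES, "mail", { .bvals = NULL } };
    printf("%zu %zu %zu\n", count_values_unchecked(&set_pw),
           count_values_checked(&set_pw), count_values_checked(&del_mail));
    return 0;
}
```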
Comment 10 Michael Gregg 2007-12-11 17:17:25 EST
Created attachment 284721 [details]
perl script used to verify bug with
Comment 11 Michael Gregg 2007-12-11 17:20:01 EST
 
Used the previous script to make the change and delete.
Had the following output:
[root@legbreaker ~]#  ./modldap.pl 
modifing:
dn: uid=12,ou=People, o=my.com
        mail: 12@1234.com
        uid: 12
        givenName: 1
        objectClass: top
        sn: 2
        cn: 1 2
        userPassword: {SSHA}GXmHVv1cWhz/QUtxDlZyC5hUgNovYCClwaqHxw==

[root@legbreaker ~]#  ./modldap.pl 
modifing:
dn: uid=12,ou=People, o=my.com
        uid: 12
        givenName: 1
        objectClass: top
        sn: 2
        cn: 1 2
        userPassword: {SSHA}qMir6JcJ3Dk4djGefX7dXj3WABj2iiCeDCVS1w==


The email was removed and the password hash changed.

Bug verified against:
1197402236 redhat-ds-base-8.0.0-11.el5dsrv Tue Dec 11 2007 
1197402244 redhat-ds-admin-8.0.0-1.15.el5dsrv Tue Dec 11 2007 
1197402246 redhat-ds-console-8.0.0-8.el5dsrv Tue Dec 11 2007 
1197402247 redhat-admin-console-8.0.0-9.el5dsrv Tue Dec 11 2007 
