From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5

Description of problem:
I found a problem in nss_ldap querying the group map. It is basically the issue fixed with nss_ldap-244 regarding bytesleft. In the code it's fixed with a comment "bytesleft should not return values < 0". I fixed it a bit differently, casting all relevant stuff to int. The problem leads to a segfault of nscd or any programs querying group entries in a certain size range; probably others are affected, too, but typically they don't reach the necessary size. Anyway, please apply the fix to the nss_ldap currently recommended for update on the supported RedHat versions, i.e. Enterprise-4. On Enterprise-3 we have not seen the problem yet, so probably better never port the problem to this version :-)

Version-Release number of selected component (if applicable):
nss_ldap-226-13.i386.rpm

How reproducible:
Always

Steps to Reproduce:
1. Create a group in LDAP resulting in an entry with group name length 7, password *, group id length 5 and members length 992
2. On an ldap client run: getent group <groupname>
3. Or run id -a <accountname> with an accountname contained in the group

Actual Results:
The program (getent or id or whatever is querying the group entry) crashes with a segfault, and a possibly running nscd crashes, too.

Expected Results:
nscd keeps running, regular output of the commands.

Additional info:
It's the classical thing: an unsigned int is never < 0, 2 - 4 is 2^31-2, and this is never < e.g. 567, so the code still tries to put e.g. 567 bytes into the buffer, where only 2 bytes of space are left.
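The check failure described in the report, as an added example that is not part of the original thread and is not nss_ldap's own code. The helper names, the 1022-byte buffer and the assumption that the subtracted amount is alignment padding are constructed for illustration; it compares the unsigned check, a cast-to-int check like the one the reporter describes, and a variant that compares before subtracting.

```c
#include <stdio.h>
#include <string.h>

/* Padding needed to round offset `used` up to a multiple of `align`. */
static unsigned pad_for(unsigned used, unsigned align)
{
    return (align - used % align) % align;
}

/* Unsigned pattern from the report: when the padding exceeds the space left,
 * the subtraction wraps and "left < need" is false. Returns 1 if the check
 * would let the copy go ahead (no copy is done here). */
static int check_unsigned(unsigned buflen, unsigned used, unsigned align, unsigned need)
{
    unsigned left = buflen - used - pad_for(used, align);
    return !(left < need);
}

/* Signed variant, in the spirit of the reporter's cast-to-int fix. */
static int check_signed(unsigned buflen, unsigned used, unsigned align, unsigned need)
{
    int left = (int)buflen - (int)used - (int)pad_for(used, align);
    return !(left < (int)need);
}

/* Wrap-free variant: compare before each subtraction, then copy. */
static int append_checked(char *buf, unsigned buflen, unsigned *used,
                          unsigned align, const char *src, unsigned need)
{
    unsigned pad = pad_for(*used, align);
    if (*used > buflen || pad > buflen - *used || need > buflen - *used - pad)
        return -1;                      /* caller retries with a larger buffer */
    memcpy(buf + *used + pad, src, need);
    *used += pad + need;
    return 0;
}

int main(void)
{
    /* Constructed case: 1022-byte buffer, 1020 used, so 2 bytes left, 4 of padding. */
    static char buf[1022], members[567];
    unsigned used = 1020;
    printf("unsigned check passes: %d\n", check_unsigned(1022, used, 8, 567));
    printf("signed check passes:   %d\n", check_signed(1022, used, 8, 567));
    printf("append_checked:        %d\n", append_checked(buf, 1022, &used, 8, members, 567));
    return 0;
}
```

The signed variant relies on all sizes fitting in an int; the compare-first variant has no such limit.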
Created attachment 135565
Patch to fix the bytesleft bug in ldap-nss.h
Great, this solved the problem of nscd segfaulting on CentOS 4.4 on an x86_64. I think it is the same bug as 200963, 170320 and 190431.
Just a note: agree with 200963 and 190431. In my opinion 170320 is a different problem. I consider it quite unlikely that the problem occurs with passwd or hosts entries, and 170320 seems not to relate to ldap.
Created attachment 142391
Group on which getent passwd crashes

On this group getent group wwwftp crashes for me on x86_64 platform, RHEL 4 with all latest patches (29.11.2006).
If someone wants to test, RPMs containing my patch can be downloaded as
http://www.muc.de/~af/nss_ldap-rpms/nss_ldap-226-14.x86_64.rpm
http://www.muc.de/~af/nss_ldap-rpms/nss_ldap-226-14.i386.rpm
I can't believe it. So the bytesleft patch is now in the source RPM of nss_ldap-226-17, but commented out, so the problem is still alive. Believe it, it's a bug, it's fixed in padl's sources and the patch fixes the problem. I've put patches to
http://www.muc.de/~af/nss_ldap-rpms/nss_ldap-226-17b.x86_64.rpm
http://www.muc.de/~af/nss_ldap-rpms/nss_ldap-226-17b.i386.rpm
Indeed, that patch had to be commented out because it wasn't part of the set of changes planned for the security update (which must include only the fixes for the security issues noted in the advisory). It (along with another) is planned for inclusion in the next update, though.
Closing out. The fix went out as part of https://rhn.redhat.com/errata/RHBA-2007-0267.html.