Red Hat Bugzilla – Bug 205236
getent group <groupname> and id -a and nscd crash on certain group lengths
Last modified: 2015-01-07 19:14:25 EST
Description of problem:
I found a problem in nss_ldap querying the group map. It is
basically the issue fixed with nss_ldap-244 regarding bytesleft.
In the code it's fixed with a comment "bytesleft should not
return values < 0".
I fixed it a bit differently, casting all relevant stuff to int.
The problem leads to a segfault of nscd or any programs
querying group entries in a certain size range, probably others
are affected, too, but typically they don't reach the necessary
Anyway please apply the fix to the nss_ldap currently recommended
for update on the supported RedHat versions i.e. Enterprise-4. On
Enterprise-3 we have not seen the problem yet, so probably better
never port the problem to this version :-)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a group in LDAP resulting in an entry with group name length 7, password *, group id length 5 and members length 992
2. On an ldap client run: getent group <groupname>
3. Or run id -a <accountname> with an accountname contained in the group
Actual Results:
The program (getent or id or whatever querying the group entry) crashes with segfault and a possibly running nscd crashes, too
Expected Results:
nscd keeps running, regular output of the commands.
It's the classical thing: an unsigned int is never < 0, 2 - 4 is 2^31-2, and
this is never < e.g. 567, so the code still tries to put e.g. 567 bytes into
the buffer, where only 2 bytes of space are left.
Created attachment 135565 [details]
Patch to fix the bytesleft Bug in ldap-nss.h
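The wraparound described in this report, as an added example that is not part of the original report, the attached patch or the nss_ldap source. The function names and the buffer model are assumptions made for illustration; the sizes 2, 4 and 567 are the ones quoted in the comment above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the flawed check: space left after alignment
 * padding is computed in an unsigned type, so 2 - 4 wraps to a very
 * large value instead of going negative. */
int fits_unsigned(size_t buflen, size_t pad, size_t need)
{
    size_t left = buflen - pad;   /* wraps when pad > buflen */
    return !(left < need);        /* wrongly reports "enough room" */
}

/* Checked form: compare before subtracting, so the subtraction can
 * never wrap. */
int fits_checked(size_t buflen, size_t pad, size_t need)
{
    if (pad > buflen)
        return 0;
    return need <= buflen - pad;
}

/* Bounded store into a caller-supplied buffer. Returns -1 when the
 * data does not fit, so the caller can retry with a larger buffer
 * instead of writing past the end. */
int store_member(char *buf, size_t buflen, size_t pad,
                 const char *src, size_t need)
{
    if (!fits_checked(buflen, pad, need))
        return -1;
    memcpy(buf + pad, src, need);
    return 0;
}

int main(void)
{
    char small[2], big[1024], members[567];
    memset(members, 'm', sizeof members);   /* constructed sample data */

    printf("unsigned check, 2 bytes left: fits=%d\n",
           fits_unsigned(sizeof small, 4, sizeof members));
    printf("checked form,   2 bytes left: fits=%d\n",
           fits_checked(sizeof small, 4, sizeof members));
    printf("store into 2-byte buffer:    rc=%d\n",
           store_member(small, sizeof small, 4, members, sizeof members));
    printf("store into 1024-byte buffer: rc=%d\n",
           store_member(big, sizeof big, 4, members, sizeof members));
    return 0;
}
```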
Great, this solved the problem of nscd segfaulting on CentOS 4.4 on an x86_64. I
think it is the same bug as 200963, 170320 and 190431.
Just a note: agree with 200963 and 190431. In my opinion 170320 is a different
problem. I consider it quite unlikely, that the problem occurs with passwd or
hosts entries and 170320 seems not to relate to ldap.
Created attachment 142391 [details]
Group on which getent passwd crashes
On this group getent group wwwftp crashes for me on x86_64 platform, RHEL 4
with all latest patches (29.11.2006).
If someone wants to test,
RPMs containing my patch can be downloaded as
I can't believe it.
So the bytesleft patch is now in the source RPM of nss_ldap-226-17, but
commented out, so the problem is still alive. Believe it, it's a bug,
it's fixed in padl's sources and the patch fixes the problem.
I've put patches to
Indeed, that patch had to be commented out because it wasn't part of the set
of changes planned for the security update (which must include only the fixes
for the security issues noted in the advisory). It (along with another) is
planned for inclusion in the next update, though.
Closing out. The fix went out as part of https://rhn.redhat.com/errata/RHBA-2007-0267.html.