Bug 205236 - getent group <groupname> and id -a and nscd crash on certain group lengths

Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Version: 4.3
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Assigned To: Nalin Dahyabhai
QA Contact: Jay Turner
Reported: 2006-09-05 10:54 EDT by Albert Fluegel
Modified: 2015-01-07 19:14 EST
Fixed In Version: 226-18
Doc Type: Bug Fix
Last Closed: 2011-02-15 09:48:06 EST

Attachments:
- Patch to fix the bytesleft Bug in ldap-nss.h (417 bytes, patch), 2006-09-05 10:58 EDT, Albert Fluegel
- Group on which getent passwd crashes (5.61 KB, application/octet-stream), 2006-11-29 12:38 EST, Lauri Jesmin

Description Albert Fluegel 2006-09-05 10:54:59 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5

Description of problem:
I found a problem in nss_ldap querying the group map. It is
basically the issue fixed with nss_ldap-244 regarding bytesleft.
In the code it's fixed with a comment "bytesleft should not
return values < 0".
I fixed it a bit differently, casting all relevant stuff to int.
The problem leads to a segfault of nscd or any programs
querying group entries in a certain size range, probably others
are affected, too, but typically they don't reach the necessary
size.

Anyway please apply the fix to the nss_ldap currently recommended
for update on the supported RedHat versions i.e. Enterprise-4. On
Enterprise-3 we have not seen the problem yet, so probably better
never port the problem to this version :-)


Version-Release number of selected component (if applicable):
nss_ldap-226-13.i386.rpm

How reproducible:
Always


Steps to Reproduce:
1. Create a group in LDAP resulting in an entry with group name length 7, password *, group id length 5 and members length 992
2. On an ldap client run: getent group <groupname>
3. Or run id -a <accountname> with an accountname contained in the group

Actual Results:
The program (getent or id or whatever querying the group entry) crashes with segfault and a possibly running nscd crashes, too

Expected Results:
nscd keeps running, regular output of the commands.


Additional info:
It's the classical thing: an unsigned int is never < 0, 2 - 4 is 2^31-2, and
this is never < e.g. 567, so the code tries to still put e.g. 567 bytes into
the buffer, where only 2 bytes of space are left.
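As an added illustration of the unsigned-underflow the report describes (a constructed example, not nss_ldap's code and not the reporter's patch): a model of a bytesleft-style room check in its wrapping form and its clamped form, driven through a group-entry fill into a canary-guarded buffer so the overflow is observed instead of crashing the process. PTR_ALIGN, PTR_SIZE, fits, fill_group and demo_members are assumed names; the 4-byte values mirror the 32-bit arithmetic quoted above ("2 - 4").

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed model of the "bytesleft" defect described in this report.
 * It is not nss_ldap's code.  The backend fills a caller-supplied buffer
 * with a group entry: the member strings, then (at an aligned offset) the
 * array of char* that points at them.  Before each copy it asks how many
 * bytes are still usable once worst-case alignment slack is reserved.
 * PTR_ALIGN and PTR_SIZE are fixed at 4 to mirror the 32-bit arithmetic
 * the report quotes; pointer slots are written as raw bytes so the demo
 * behaves the same on any platform.
 */
#define PTR_ALIGN 4
#define PTR_SIZE  4

/* Buggy: unsigned, so 2 - 4 + 1 becomes SIZE_MAX instead of -1. */
static size_t bytesleft_unsigned(size_t blen)
{
    return blen - PTR_ALIGN + 1;
}

/* Fixed: clamp at zero, as the upstream comment "bytesleft should not
 * return values < 0" describes. */
static size_t bytesleft_fixed(size_t blen)
{
    return (blen < PTR_ALIGN) ? 0 : blen - PTR_ALIGN + 1;
}

/* The room check the report discusses: with 2 bytes left and 567 needed,
 * the buggy version still answers "fits" (returns 1). */
static int fits(size_t (*bytesleft)(size_t), size_t blen, size_t need)
{
    return bytesleft(blen) >= need;
}

#define CANARY_LEN  64
#define CANARY_BYTE 0xA5

/*
 * Fill a caller buffer of buflen bytes (buflen <= 128) with the member list.
 * Returns 0 on success, -1 for ERANGE (caller should retry with a bigger
 * buffer), -2 if the guard region after the buffer was written, i.e. the
 * overflow that crashed getent, id and nscd in the report.
 */
static int fill_group(size_t (*bytesleft)(size_t), size_t buflen,
                      const char *const *members, size_t nmembers)
{
    unsigned char backing[128 + CANARY_LEN];
    size_t used = 0, blen = buflen;

    if (buflen > 128)
        return -1;
    memset(backing, CANARY_BYTE, sizeof backing);

    /* 1. member strings, back to back */
    for (size_t i = 0; i < nmembers; i++) {
        size_t need = strlen(members[i]) + 1;
        if (!fits(bytesleft, blen, need))
            return -1;
        if (used + need > sizeof backing)   /* keep the demo itself defined */
            return -2;
        memcpy(backing + used, members[i], need);
        used += need;
        blen -= need;
    }

    /* 2. pad up to pointer alignment; the padding comes out of blen and can
     *    drive it to zero, which is where the unsigned subtraction wraps */
    size_t pad = (PTR_ALIGN - used % PTR_ALIGN) % PTR_ALIGN;
    used += pad;
    blen = (pad > blen) ? 0 : blen - pad;

    /* 3. the (nmembers + 1) pointer slots, written as raw bytes */
    size_t need = (nmembers + 1) * PTR_SIZE;
    if (!fits(bytesleft, blen, need))
        return -1;
    if (used + need > sizeof backing)
        return -2;
    memset(backing + used, 0, need);

    for (size_t i = buflen; i < sizeof backing; i++)
        if (backing[i] != CANARY_BYTE)
            return -2;                  /* wrote past the caller's buffer */
    return 0;
}

/* Constructed member list: 17 bytes of strings, which a 20-byte buffer
 * holds but which leaves no room for the pointer array after padding. */
static const char *const demo_members[] = { "alice", "bobby", "carl" };

int main(void)
{
    printf("fits(2 left, 567 needed): buggy=%d fixed=%d\n",
           fits(bytesleft_unsigned, 2, 567), fits(bytesleft_fixed, 2, 567));
    printf("20-byte buffer: buggy=%d fixed=%d\n",
           fill_group(bytesleft_unsigned, 20, demo_members, 3),
           fill_group(bytesleft_fixed, 20, demo_members, 3));
    printf("64-byte buffer: buggy=%d fixed=%d\n",
           fill_group(bytesleft_unsigned, 64, demo_members, 3),
           fill_group(bytesleft_fixed, 64, demo_members, 3));
    return 0;
}
```

With the 20-byte buffer the wrapping check lets the pointer array land in the guard region (-2), while the clamped check reports ERANGE (-1) so the NSS caller retries with a larger buffer; with 64 bytes both succeed, which is why only group entries in a narrow size band trigger the crash.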
Comment 1 Albert Fluegel 2006-09-05 10:58:07 EDT
Created attachment 135565 [details]
Patch to fix the bytesleft Bug in ldap-nss.h
Comment 2 Nicolas A. Barriga 2006-10-23 14:05:15 EDT
Great, this solved the problem of nscd segfaulting on CentOS 4.4 on an x86_64. I
think it is the same bug as 200963, 170320 and 190431.
Comment 3 Albert Fluegel 2006-10-24 03:21:30 EDT
Just a note: agree with 200963 and 190431. In my opinion 170320 is a different
problem. I consider it quite unlikely, that the problem occurs with passwd or
hosts entries and 170320 seems not to relate to ldap.
Comment 4 Lauri Jesmin 2006-11-29 12:38:53 EST
Created attachment 142391 [details]
Group on which getent passwd crashes

On this group getent group wwwftp crashes for me on x86_64 platform, RHEL 4
with all latest patches (29.11.2006).
Comment 5 Albert Fluegel 2006-11-30 03:26:21 EST
If someone wants to test,
RPMs containing my patch can be downloaded as
http://www.muc.de/~af/nss_ldap-rpms/nss_ldap-226-14.x86_64.rpm
http://www.muc.de/~af/nss_ldap-rpms/nss_ldap-226-14.i386.rpm
Comment 6 Albert Fluegel 2007-02-20 09:45:33 EST
I can't believe it.
So the bytesleft patch is now in the source RPM of nss_ldap-226-17, but
commented out, so the problem is still alive. Believe it, it's a bug,
it's fixed in padl's sources and the patch fixes the problem.
I've put patches to
http://www.muc.de/~af/nss_ldap-rpms/nss_ldap-226-17b.x86_64.rpm
http://www.muc.de/~af/nss_ldap-rpms/nss_ldap-226-17b.i386.rpm
Comment 7 Nalin Dahyabhai 2007-02-20 12:00:41 EST
Indeed, that patch had to be commented out because it wasn't part of the set
of changes planned for the security update (which must include only the fixes
for the security issues noted in the advisory).  It (along with another) is
planned for inclusion in the next update, though.
Comment 8 Jay Turner 2011-02-15 09:48:06 EST
Closing out.  The fix went out as part of https://rhn.redhat.com/errata/RHBA-2007-0267.html.