Bug 206438 - Fix off-by-one crasher in _nss_ldap_parse_gr
Summary: Fix off-by-one crasher in _nss_ldap_parse_gr
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Nalin Dahyabhai
QA Contact: Jay Turner
Depends On:
TreeView+ depends on / blocked
Reported: 2006-09-14 13:23 UTC by Bastien Nocera
Modified: 2018-10-19 20:18 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2007-05-01 17:32:16 UTC

Attachments (Terms of Use)
group.ldif (2.58 KB, text/plain)
2006-09-14 13:23 UTC, Bastien Nocera
no flags Details
nss_ldap-244-bytesleft.patch (463 bytes, patch)
2006-09-14 13:26 UTC, Bastien Nocera
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0267 normal SHIPPED_LIVE nss_ldap bug fix update 2007-05-01 17:31:31 UTC

Description Bastien Nocera 2006-09-14 13:23:05 UTC

1. Install openldap-servers
2. slapadd -l group.ldif
3. chown -R ldap.ldap /var/lib/ldap
3. Edit /etc/ldap.conf to have the line:
base dc=my-domain,dc=com
4. service ldap start
5. Edit /etc/nsswitch.conf and add "ldap" to the group line
6. Run "getent group" and see the crash

valgrind says:
==32742== Invalid write of size 1
==32742==    at 0x40062B6: memcpy (mac_replace_strmem.c:394)
==32742==    by 0x434C227: ??? (ldap-grp.c:559)
==32742==    by 0x434A11C: _nss_ldap_getent_ex (ldap-nss.c:2395)
==32742==    by 0x434A286: _nss_ldap_getent (ldap-nss.c:2851)
==32742==    by 0x434C92A: _nss_ldap_getgrent_r (ldap-grp.c:1080)
==32742==    by 0x6C82BC: __nss_getent_r (in /lib/tls/libc-2.3.4.so)
==32742==    by 0x6773F0: getgrent_r@@GLIBC_2.1.2 (in /lib/tls/libc-2.3.4.so)
==32742==    by 0x6C7F17: __nss_getent (in /lib/tls/libc-2.3.4.so)
==32742==    by 0x676C89: getgrent (in /lib/tls/libc-2.3.4.so)
==32742==    by 0x8049AFB: (within /usr/bin/getent)
==32742==    by 0x804AE61: (within /usr/bin/getent)
==32742==    by 0x603E22: (below main) (in /lib/tls/libc-2.3.4.so)
==32742==  Address 0x401A5A0 is 0 bytes after a block of size 1,024 alloc'd
==32742==    at 0x4004405: malloc (vg_replace_malloc.c:149)
==32742==    by 0x6C7F5A: __nss_getent (in /lib/tls/libc-2.3.4.so)
==32742==    by 0x676C89: getgrent (in /lib/tls/libc-2.3.4.so)
==32742==    by 0x8049AFB: (within /usr/bin/getent)
==32742==    by 0x804AE61: (within /usr/bin/getent)
==32742==    by 0x603E22: (below main) (in /lib/tls/libc-2.3.4.so)

Backtrace of the crash is:
#0  fixup (l=0x9f37810, reloc_offset=Variable "reloc_offset" is not available.)
at dl-runtime.c:70
#1  0x00665ba0 in _dl_runtime_resolve () at dl-runtime.c:62
#2  0x00a721b4 in _nss_ldap_parse_gr (e=0x9f38628, pvt=0x9f38558,
    result=0x79bfe8, buffer=0x9f379fc "", buflen=4294966796) at ldap-grp.c:638
#3  0x00a7011d in _nss_ldap_getent_ex (args=0x0, ctx=0xc86e14,
    result=0x79bfe8, buffer=0x9f37408 "500", buflen=1024, errnop=0xb7f00a80,
    filterprot=0xc906e0 "(&(objectclass=posixGroup))", sel=LM_GROUP,
    user_attrs=0x0, parser=0xa71f66 <_nss_ldap_parse_gr>) at ldap-nss.c:2395
#4  0x00a70287 in _nss_ldap_getent (ctx=0x9f37518, result=0x9f37518,
    buffer=0x9f37518 "hammerschmidt", buflen=166950168, errnop=0x9f37518,
    filterprot=0x9f37518 "hammerschmidt", sel=166950168, parser=0x9f37518)
    at ldap-nss.c:2851
#5  0x00a72938 in _nss_ldap_getgrent_r (result=0x9f37518,
    buffer=0x9f37518 "hammerschmidt", buflen=1024, errnop=0xb7f00a80)
    at ldap-grp.c:1080
#6  0x0074ca7d in __nss_getent_r (getent_func_name=0x78ee84 "getgrent_r",
    setent_func_name=0x78ee8f "setgrent",
    lookup_fct=0x74d570 <__nss_group_lookup>, nip=0x79c02c, startp=0x79c034,
    last_nip=0x79c030, stayopen_tmp=0x0, res=0, resbuf=0x79bfe8,
    buffer=0x9f37408 "500", buflen=1024, result=0xbfe9837c, h_errnop=0x0)
    at getnssent_r.c:165
#7  0x006fb751 in __getgrent_r (resbuf=0x9f37518,
    buffer=0x9f37518 "hammerschmidt", buflen=166950168, result=0x9f37518)
    at ../nss/getXXent_r.c:161
#8  0x0074c6d8 in __nss_getent (func=0x6fb6b0 <__getgrent_r>, resbuf=0x79bfe8,
    buffer=0x79b098, buflen=1024, buffer_size=0x79bfe4, h_errnop=0x0)
    at getnssent.c:51
#9  0x006fafea in getgrent () at ../nss/getXXent.c:84
#10 0x08049b2c in group_keys (number=0, key=0xbfe9848c)
    at ../libio/bits/stdio.h:93
#11 0x0804ae92 in main (argc=1, argv=0xbfe98484) at getent.c:858
#12 0x00687de3 in __libc_start_main (main=0x804adfc <main>, argc=2,
    ubp_av=0xbfe98484, init=0x804aefc <__libc_csu_init>,
    fini=0x804af50 <__libc_csu_fini>, rtld_fini=0x6666f0 <_dl_fini>,
    stack_end=0xbfe9847c) at ../sysdeps/generic/libc-start.c:209
#13 0x08049675 in _start () at ../sysdeps/i386/elf/start.S:119

Patch from upstream attached (backported by Carsten Clashom
<clasohm@redhat.com>). The changelog for those is:

* Tue Nov 29 2005 - rhafer@suse.de
 - nss_ldap.bytesleft.dif: Fixes the bytesleft macro to only return
   non-negative values, this fixes a crash when handling groups with
   large amounts of members (Bugzilla: #117217)

244 Luke Howard <lukeh@padl.com>

* patch from Ralf Haferkamp <rhafer@suse.de>:
 enusre bytesleft macro does not return values < 0

Comment 1 Bastien Nocera 2006-09-14 13:23:07 UTC
Created attachment 136254 [details]

Comment 2 Bastien Nocera 2006-09-14 13:26:45 UTC
Created attachment 136255 [details]

Comment 4 RHEL Product and Program Management 2006-09-14 19:17:25 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 18 Red Hat Bugzilla 2007-05-01 17:32:16 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Comment 20 Issue Tracker 2007-07-03 14:30:35 UTC

This issue is fixed therefore I close this IT.



Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 4.5'

This event sent from IssueTracker by saime 
 issue 93013

Note You need to log in before you can comment on or make changes to this bug.