nss_ldap-226-13

1. Install openldap-servers
2. slapadd -l group.ldif
3. chown -R ldap.ldap /var/lib/ldap
3. Edit /etc/ldap.conf to have the line: base dc=my-domain,dc=com
4. service ldap start
5. Edit /etc/nsswitch.conf and add "ldap" to the group line
6. Run "getent group" and see the crash

valgrind says:

==32742== Invalid write of size 1
==32742== at 0x40062B6: memcpy (mac_replace_strmem.c:394)
==32742== by 0x434C227: ??? (ldap-grp.c:559)
==32742== by 0x434A11C: _nss_ldap_getent_ex (ldap-nss.c:2395)
==32742== by 0x434A286: _nss_ldap_getent (ldap-nss.c:2851)
==32742== by 0x434C92A: _nss_ldap_getgrent_r (ldap-grp.c:1080)
==32742== by 0x6C82BC: __nss_getent_r (in /lib/tls/libc-2.3.4.so)
==32742== by 0x6773F0: getgrent_r@@GLIBC_2.1.2 (in /lib/tls/libc-2.3.4.so)
==32742== by 0x6C7F17: __nss_getent (in /lib/tls/libc-2.3.4.so)
==32742== by 0x676C89: getgrent (in /lib/tls/libc-2.3.4.so)
==32742== by 0x8049AFB: (within /usr/bin/getent)
==32742== by 0x804AE61: (within /usr/bin/getent)
==32742== by 0x603E22: (below main) (in /lib/tls/libc-2.3.4.so)
==32742== Address 0x401A5A0 is 0 bytes after a block of size 1,024 alloc'd
==32742== at 0x4004405: malloc (vg_replace_malloc.c:149)
==32742== by 0x6C7F5A: __nss_getent (in /lib/tls/libc-2.3.4.so)
==32742== by 0x676C89: getgrent (in /lib/tls/libc-2.3.4.so)
==32742== by 0x8049AFB: (within /usr/bin/getent)
==32742== by 0x804AE61: (within /usr/bin/getent)
==32742== by 0x603E22: (below main) (in /lib/tls/libc-2.3.4.so)

Backtrace of the crash is:

#0 fixup (l=0x9f37810, reloc_offset=Variable "reloc_offset" is not available.) at dl-runtime.c:70
#1 0x00665ba0 in _dl_runtime_resolve () at dl-runtime.c:62
#2 0x00a721b4 in _nss_ldap_parse_gr (e=0x9f38628, pvt=0x9f38558, result=0x79bfe8, buffer=0x9f379fc "", buflen=4294966796) at ldap-grp.c:638
#3 0x00a7011d in _nss_ldap_getent_ex (args=0x0, ctx=0xc86e14, result=0x79bfe8, buffer=0x9f37408 "500", buflen=1024, errnop=0xb7f00a80, filterprot=0xc906e0 "(&(objectclass=posixGroup))", sel=LM_GROUP, user_attrs=0x0, parser=0xa71f66 <_nss_ldap_parse_gr>) at ldap-nss.c:2395
#4 0x00a70287 in _nss_ldap_getent (ctx=0x9f37518, result=0x9f37518, buffer=0x9f37518 "hammerschmidt", buflen=166950168, errnop=0x9f37518, filterprot=0x9f37518 "hammerschmidt", sel=166950168, parser=0x9f37518) at ldap-nss.c:2851
#5 0x00a72938 in _nss_ldap_getgrent_r (result=0x9f37518, buffer=0x9f37518 "hammerschmidt", buflen=1024, errnop=0xb7f00a80) at ldap-grp.c:1080
#6 0x0074ca7d in __nss_getent_r (getent_func_name=0x78ee84 "getgrent_r", setent_func_name=0x78ee8f "setgrent", lookup_fct=0x74d570 <__nss_group_lookup>, nip=0x79c02c, startp=0x79c034, last_nip=0x79c030, stayopen_tmp=0x0, res=0, resbuf=0x79bfe8, buffer=0x9f37408 "500", buflen=1024, result=0xbfe9837c, h_errnop=0x0) at getnssent_r.c:165
#7 0x006fb751 in __getgrent_r (resbuf=0x9f37518, buffer=0x9f37518 "hammerschmidt", buflen=166950168, result=0x9f37518) at ../nss/getXXent_r.c:161
#8 0x0074c6d8 in __nss_getent (func=0x6fb6b0 <__getgrent_r>, resbuf=0x79bfe8, buffer=0x79b098, buflen=1024, buffer_size=0x79bfe4, h_errnop=0x0) at getnssent.c:51
#9 0x006fafea in getgrent () at ../nss/getXXent.c:84
#10 0x08049b2c in group_keys (number=0, key=0xbfe9848c) at ../libio/bits/stdio.h:93
#11 0x0804ae92 in main (argc=1, argv=0xbfe98484) at getent.c:858
#12 0x00687de3 in __libc_start_main (main=0x804adfc <main>, argc=2, ubp_av=0xbfe98484, init=0x804aefc <__libc_csu_init>, fini=0x804af50 <__libc_csu_fini>, rtld_fini=0x6666f0 <_dl_fini>, stack_end=0xbfe9847c) at ../sysdeps/generic/libc-start.c:209
#13 0x08049675 in _start () at ../sysdeps/i386/elf/start.S:119

Patch from upstream attached (backported by Carsten Clasohm <clasohm>).

The changelog for those is:

* Tue Nov 29 2005 - rhafer
- nss_ldap.bytesleft.dif: Fixes the bytesleft macro to only return non-negative values, this fixes a crash when handling groups with large amounts of members (Bugzilla: #117217)

244 Luke Howard <lukeh>
* patch from Ralf Haferkamp <rhafer>: ensure bytesleft macro does not return values < 0
Created attachment 136254 [details] group.ldif
Created attachment 136255 [details] nss_ldap-244-bytesleft.patch
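The changelog entry in the description says the fix keeps the bytesleft macro from returning values below zero, and frame #2 of the backtrace shows buflen=4294966796, which is 2^32 - 500. The C sketch below is an added example, not code from nss_ldap or the attached patch; the helper names left_unchecked, left_clamped and append_member, the scratch buffer and the sizes 12 and 512 are assumptions chosen to reproduce that wrapped value with 32-bit unsigned arithmetic and to show why a later "does it fit" check stops protecting the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not nss_ldap's macro: space left in a result buffer
 * after reserving `need` bytes, in 32-bit unsigned arithmetic as on the i386
 * system in the report. */
static uint32_t left_unchecked(uint32_t buflen, uint32_t need)
{
    return buflen - need;                 /* wraps when need > buflen */
}

static uint32_t left_clamped(uint32_t buflen, uint32_t need)
{
    return (need > buflen) ? 0 : buflen - need;   /* never below zero */
}

/* Copy one member name only if it fits in the space reported as left.
 * Returns 0 on success, -1 when the caller must retry with a larger buffer. */
static int append_member(char *dst, uint32_t left, const char *name)
{
    size_t len = strlen(name) + 1;
    if (len > left)
        return -1;
    memcpy(dst, name, len);
    return 0;
}

/* Real capacity is 32 bytes so the demo itself never writes out of bounds. */
static char scratch[32];

int main(void)
{
    /* Constructed case: 12 bytes remain, 512 must be reserved first. */
    uint32_t bad = left_unchecked(12, 512);
    uint32_t good = left_clamped(12, 512);

    printf("unchecked: %u\n", (unsigned)bad);
    printf("clamped:   %u\n", (unsigned)good);
    /* With the wrapped value the size check passes although nothing is left. */
    printf("copy allowed (unchecked): %s\n",
           append_member(scratch, bad, "hammerschmidt") == 0 ? "yes" : "no");
    printf("copy allowed (clamped):   %s\n",
           append_member(scratch, good, "hammerschmidt") == 0 ? "yes" : "no");
    return 0;
}
```

With the clamped value the caller sees the out-of-space condition and can report it (the NSS convention is ERANGE, so glibc retries with a larger buffer) instead of writing past the 1,024-byte block valgrind flagged.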
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0267.html
Hi,

This issue is fixed therefore I close this IT.

Cheers,
Sebastien.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 4.5'

This event sent from IssueTracker by saime
issue 93013
http://cvs.devel.redhat.com/cgi-bin/cvsweb.cgi/tests/nss_ldap/nss_ldap/bz206438/