Description of problem: In ldap/servers/slapd/pw.c pw_in_history() a couple of fixed arrays of 25 values are used to store previous passwords before calling slapi_pw_find_sv(). It stores them so it can strip off the general time also stored with the password. If somehow 26 passwords got into the password history bad things would happen.
Note that you'd have to go out of your way to do this because an attr check function is defined for this attribute: {CONFIG_PW_INHISTORY_ATTRIBUTE, attr_check_minmax, 2, 24},
Created attachment 368279 [details] Proposed Patch The password history code was using a fixed length array to store the historical password values that are used to compare to the new password. The array was hardcoded to 25 values. The server will allow a maximum 24 password history values to be kept by limiting the passwordInHistory configuration value, though it would be possible to do something such as import an LDIF with more than 24 historical password values in an entry, causing the server to crash when the next password change occurs. This patch eliminates the fixed length array and dynamically allocates the array based off of the number of values that exist in the entry whose password is being modified.
Patch from comment#2 pushed to master. Counting objects: 11, done. Delta compression using 2 threads. Compressing objects: 100% (6/6), done. Writing objects: 100% (6/6), 1.26 KiB, done. Total 6 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 07b5f94..45507e8 master -> master
added the following user with dn: uid=jgalipea,ou=People,dc=example,dc=com uid: jgalipea givenName: Jenny objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: Galipeau cn: Jenny Galipeau userPassword: {MD5}OaYrKTECd0CwXtnoDZYJ+w== creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot modifiersName: cn=server,cn=plugins,cn=config createTimestamp: 20100521143329Z modifyTimestamp: 20100521143542Z nsUniqueId: cf24fb81-1dd111b2-80cfd07b-bc250000 passwordHistory: 20100521143343Z{MD5}9ujCKMT9pydeywJN6WqdJA== passwordHistory: 20100521143352Z{MD5}xzfguKDwrTC9i5wyLhodDw== passwordHistory: 20100521143400Z{MD5}qn5MhXu+tlneiCpJTwmfDw== passwordHistory: 20100521143410Z{MD5}9pnwFu2hN2c3QqDPzNFK/Q== passwordHistory: 20100521143418Z{MD5}LL/yMHyG7PfLlOtmyWjsCA== passwordHistory: 20100521143429Z{MD5}E9al3M4521M2Rs77XzX0Ng== passwordHistory: 20100521143438Z{MD5}WLyko+IOkzs5Q6gRBFUvBg== passwordHistory: 20100521143446Z{MD5}BwqWFKx0WUjmNAZ7LBuuCw== passwordHistory: 20100521143456Z{MD5}Rgo61DXG9hHz0RzMm0M2qQ== passwordHistory: 20100521143504Z{MD5}f5T92rALf2mLYC1SQp0CdA== passwordHistory: 20100521143513Z{MD5}m9UJ4qBjiZuwqSsPsQPx+Q== passwordHistory: 20100521143521Z{MD5}evzNRvzhgq3+Gm60LqGbGg== passwordHistory: 20100521143528Z{MD5}N6lmekPDF+LuNvYn2lQDtA== passwordHistory: 20100521143535Z{MD5}zus0QIYENUIGHm6++stheg== passwordHistory: 20100521143542Z{MD5}yyr+yPi7d7FdMuVBcJdspQ== passwordHistory: 20100521142211Z{MD5}eYH9nbemWk4Dn321KHvo4Q== passwordHistory: 20100521142225Z{MD5}FhPzbQY0IwP2lGn1obKcIQ== passwordHistory: 20100521142234Z{MD5}CUv+ZkFhIT+iWRgNeoEv5Q== passwordHistory: 20100521142244Z{MD5}JvaGV9o4EljYMJoWtcYs3w== passwordHistory: 20100521142250Z{MD5}J5BtahGvkQp5+xzHSSNKMw== passwordHistory: 20100521142305Z{MD5}SfNVfjQnjXQv5ovxCeMmiA== passwordHistory: 20100521142314Z{MD5}HBoAvhbcYTpaY2462wj5TA== passwordHistory: 20100521142319Z{MD5}C9PsYHtxtAXPS2CBlqQiXA== passwordHistory: 20100521142329Z{MD5}dfN4s5iHbG/wZb2M7Fis+g== passwordHistory: 20100521142336Z{MD5}bvigpuP0SYcepCy6R1MZCQ== passwordHistory: 20100521142344Z{MD5}D2+sHZ07hZ8rwZ5xnEOMOg== passwordHistory: 20100521142352Z{MD5}bTw1fCHDaHH+cU7jrgNj+g== passwordHistory: 20100521142359Z{MD5}jCjXd/r9k64In6WtXbIPrQ== passwordHistory: 20100521142411Z{MD5}K0vIzivdiY/lXyFDgf19Cw== passwordHistory: 20100521143115Z{MD5}Yyff+pu4xwzleC2YzVdokg== passwordGraceUserTime: 0 Server crashed trying to change password: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1376732256 (LWP 30853)] normalize_mods2bvals (mods=0xadf06ab8) at ldap/servers/slapd/util.c:452 452 vlen = strlen(*mvp); (gdb) bt #0 normalize_mods2bvals (mods=0xadf06ab8) at ldap/servers/slapd/util.c:452 #1 0x0098c051 in modify_internal_pb (pb=0xadf06ad0) at ldap/servers/slapd/modify.c:513 #2 0x009a142e in update_pw_info (pb=0xadf0afb0, old_pw=Variable "old_pw" is not available. ) at ldap/servers/slapd/pw.c:1139 #3 0x0098b86e in op_shared_modify (pb=0xadf0afb0, pw_change=1, old_pw=0x0) at ldap/servers/slapd/modify.c:849 #4 0x0098c191 in modify_internal_pb (pb=0xadf0afb0) at ldap/servers/slapd/modify.c:553 #5 0x080651bd in passwd_modify_extop (pb=0x870f168) at ldap/servers/slapd/passwd_extop.c:181 #6 0x0099705d in plugin_call_exop_plugins (pb=0x870f168, oid=0x86f0000 "1.3.6.1.4.1.4203.1.11.1") at ldap/servers/slapd/plugin.c:448 #7 0x0805deed in do_extended (pb=0x870f168) at ldap/servers/slapd/extendop.c:376 #8 0x08059e8d in connection_threadmain () at ldap/servers/slapd/connection.c:617 #9 0x035d78ad in PR_Select () from /usr/lib/libnspr4.so #10 0x0024e5cc in start_thread () from /lib/tls/libpthread.so.0 #11 0x001e4fae in clone () from /lib/tls/libc.so.6 (gdb)
The crash shares the same cause with this bug. Bug 593453 - Creating password policy with ns-newpolicy.pl on Replicated Server Causes Crash I tested w/ this test entry and did not observe the server crash. dn: uid=tuser0,ou=People,dc=example,dc=com uid: tuser0 givenName: test objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: user0 cn: test user0 userPassword: {MD5}Cnqn6FiyZIXO12oB/kcyVA== creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot modifiersName: cn=server,cn=plugins,cn=config createTimestamp: 20100524224725Z modifyTimestamp: 20100524224935Z nsUniqueId: 3e207f85-678611df-a721e288-d9573427 passwordHistory: 20100524224739Z{MD5}RiWg//A7jg672e3yxVg49g== passwordHistory: 20100524224754Z{MD5}I+Cj5wBRPjLdMU8u+8ysaQ== passwordHistory: 20100524224809Z{MD5}4qz1jwLZhHk/4RK+tO29iA== passwordHistory: 20100524224819Z{MD5}LFZD+sieDUAN7rYEIGVivg== passwordHistory: 20100524224830Z{MD5}a8o52u7MkqFQio8uz7CfoQ== passwordHistory: 20100524224842Z{MD5}Ey91UC1zzk01csCQz8UH5A== passwordHistory: 20100524224855Z{MD5}gSrN/Q81DGX8edWlE3aFVg== passwordHistory: 20100524224921Z{MD5}pVjOZrS1SN6D1N/kvYXscQ== passwordHistory: 20100524224935Z{MD5}63Iazc52nOLi4ckSePvLUA== passwordGraceUserTime: 0 # /usr/lib64/mozldap/ldapsearch -p 10389 -D 'cn=directory manager' -w Secret123 -b "dc=example,dc=com" "(uid=*)" passwordhistory version: 1 dn: uid=tuser0,ou=People,dc=example,dc=com passwordhistory: 20100524224739Z{MD5}RiWg//A7jg672e3yxVg49g== passwordhistory: 20100524224754Z{MD5}I+Cj5wBRPjLdMU8u+8ysaQ== passwordhistory: 20100524224809Z{MD5}4qz1jwLZhHk/4RK+tO29iA== passwordhistory: 20100524224819Z{MD5}LFZD+sieDUAN7rYEIGVivg== passwordhistory: 20100524224830Z{MD5}a8o52u7MkqFQio8uz7CfoQ== passwordhistory: 20100524224842Z{MD5}Ey91UC1zzk01csCQz8UH5A== passwordhistory: 20100524224855Z{MD5}gSrN/Q81DGX8edWlE3aFVg== passwordhistory: 20100524224921Z{MD5}pVjOZrS1SN6D1N/kvYXscQ== passwordhistory: 20100524224935Z{MD5}63Iazc52nOLi4ckSePvLUA==
So can we close this bug as a duplicate of Bug 593453?
(In reply to comment #6) > So can we close this bug as a duplicate of Bug 593453? Well, it's a bit more complicated. :) There was an original bug (511112), which Nathan fixed. Then, I added another bug while I was working on the new DN format (593453). It regressed this bug, but they were 2 separated bugs...
May I ask why you changed the status to ON_DEV? What I meant in the comment 7 is this bug should be verified by QE separately from bug 593453. They are 2 different bugs. Note: I tested the test case using the latest bit and the test has passed for me (see comment 5).
noriko - shouldn't your test case in comment 5 have atleast 26 or more passwordhistory attr values ?. i'm counting only 9 there.
I will try this again, but I think it will still crash as I verified the other bug against an earlier build than this one - that failed verification. I'll let you know. Thanks Jenny
(In reply to comment #10) > I will try this again, but I think it will still crash as I verified the other > bug against an earlier build than this one - that failed verification. I'll > let you know. Thanks Jenny Sorry... I should have increased the count to 26. Let me try it again... Thanks...
It took several failed password change attempts , was getting "invalid password syntax" trying to set the password to !online3 tried from command line and console and then attempted to change password to Secret123 for console and ... Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1387234400 (LWP 29124)] normalize_mods2bvals (mods=0xad500e78) at ldap/servers/slapd/util.c:452 452 vlen = strlen(*mvp); (gdb) bt #0 normalize_mods2bvals (mods=0xad500e78) at ldap/servers/slapd/util.c:452 #1 0x006d8051 in modify_internal_pb (pb=0xad500e90) at ldap/servers/slapd/modify.c:513 #2 0x006ed42e in update_pw_info (pb=0x8ae0ea0, old_pw=Variable "old_pw" is not available. ) at ldap/servers/slapd/pw.c:1139 #3 0x006d786e in op_shared_modify (pb=0x8ae0ea0, pw_change=1, old_pw=0x0) at ldap/servers/slapd/modify.c:849 #4 0x006d888a in do_modify (pb=0x8ae0ea0) at ldap/servers/slapd/modify.c:376 #5 0x08059f3c in connection_threadmain () at ldap/servers/slapd/connection.c:559 #6 0x035d78ad in PR_Select () from /usr/lib/libnspr4.so #7 0x009875cc in start_thread () from /lib/tls/libpthread.so.0 #8 0x008f0fae in clone () from /lib/tls/libc.so.6
Created attachment 416590 [details] git patch file (9.0) Thanks to Jenny for finding out this bug. You found yet another bug in pw history. Although the password history is limited to 24, you could add an entry already storing password histories more than 25. Then, the next password modify attempt crashes the server.
Thanks to Rich for reviewing the fix. Pushed to master: commit caaa2b7c5fdab6d3bf8c3155f32020eae8fc82ce Author: Noriko Hosoi <nhosoi> Date: Tue May 25 17:47:47 2010 -0700 511112 - Password history limited to 25 values https://bugzilla.redhat.com/show_bug.cgi?id=511112 Fix Description: If an entry already having more than 25 password history attributes is added and password modify is performed on the entry, it overflows the fixed length values_replace array and crashes the server. This patch protects the overflow. $ git merge work Updating 50d1c0a..caaa2b7 Fast forward ldap/servers/slapd/pw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) [nhosoi@kiki ldapserver 1253]$ git push Counting objects: 11, done. Delta compression using 4 threads. Compressing objects: 100% (6/6), done. Writing objects: 100% (6/6), 764 bytes, done. Total 6 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 50d1c0a..caaa2b7 master -> master Pushed to Directory_Server_8_2_Branch, as well: $ git push origin ds82-local:Directory_Server_8_2_Branch Counting objects: 11, done. Delta compression using 4 threads. Compressing objects: 100% (6/6), done. Writing objects: 100% (6/6), 765 bytes, done. Total 6 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 1ebcfd4..142fc25 ds82-local -> Directory_Server_8_2_Branch
fix verified: able to change password from both console and using ldappasswd version: redhat-ds-base-8.2.0-2010052704.el4dsrv