Bug 532892 - getent -s ldap hosts ... fails with segfault (stack overflow) without nscd
Summary: getent -s ldap hosts ... fails with segfault (stack overflow) without nscd
Keywords:
Status: CLOSED DUPLICATE of bug 448883
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-11-04 08:49 UTC by Albert Flügel
Modified: 2010-05-04 20:23 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-04 20:23:12 UTC
Target Upstream Version:
Embargoed:
Description Albert Flügel 2009-11-04 08:49:31 UTC
Description of problem:
When nscd is not running and LDAP is used (possibly among others) as a name service, running getent -s ldap hosts ...
leads to a segmentation fault. The problem occurs on Red Hat Enterprise Linux 3 - 5.4
(I don't have a newer version here). It only happens with the hosts database.
Queries, e.g. to passwd or netgroup, do work. It does not matter whether a
hostname is given or getent is called to list them all.
Running without -s ldap is no problem.

Running in gdb shows that the problem seems to be a stack overflow. This
function-call loop can be seen again and again:
#7923 0x00002b417d1d992c in _nss_ldap_gethostbyname2_r ()
   from /lib64/libnss_ldap.so.2
#7924 0x00002b417d1d998e in _nss_ldap_gethostbyname_r ()
   from /lib64/libnss_ldap.so.2
#7925 0x00000035f5aea164 in gethostbyname_r@@GLIBC_2.2.5 ()
   from /lib64/libc.so.6
#7926 0x00002b417d1f2bd0 in ?? () from /lib64/libnss_ldap.so.2
#7927 0x00002b417d1f2c7e in ?? () from /lib64/libnss_ldap.so.2
#7928 0x00002b417d1f1907 in ?? () from /lib64/libnss_ldap.so.2
#7929 0x00002b417d1dffd6 in ?? () from /lib64/libnss_ldap.so.2
#7930 0x00002b417d1e035a in ?? () from /lib64/libnss_ldap.so.2
#7931 0x00002b417d1d3bcb in ?? () from /lib64/libnss_ldap.so.2
#7932 0x00002b417d1d5fa0 in _nss_ldap_search_s () from /lib64/libnss_ldap.so.2
#7933 0x00002b417d1d6c2b in _nss_ldap_getbyname () from /lib64/libnss_ldap.so.2
Now the first call appears again, and this loop repeats infinitely until the segfault.

The segfault occurs in
0x00002b50343a6a69 in ?? () from /lib64/libnss_ldap.so.2
#0  0x00002b50343a6a69 in ?? () from /lib64/libnss_ldap.so.2
#1  0x00002b50343a8fa0 in _nss_ldap_search_s () from /lib64/libnss_ldap.so.2
#2  0x00002b50343a9c2b in _nss_ldap_getbyname () from /lib64/libnss_ldap.so.2

Stack trace starts with
#18998 0x00002b83296a3fa0 in _nss_ldap_search_s () from /lib64/libnss_ldap.so.2
#18999 0x00002b83296a4c2b in _nss_ldap_getbyname ()
   from /lib64/libnss_ldap.so.2
#19000 0x00002b83296a792c in _nss_ldap_gethostbyname2_r ()
   from /lib64/libnss_ldap.so.2
#19001 0x00000035f5ae9ec8 in gethostbyname2_r@@GLIBC_2.2.5 ()
   from /lib64/libc.so.6
#19002 0x00000035f5ae9c86 in gethostbyname2 () from /lib64/libc.so.6
#19003 0x0000000000402ae7 in ?? ()
#19004 0x0000000000402f5e in ?? ()
#19005 0x00000035f5a1d994 in __libc_start_main () from /lib64/libc.so.6
#19006 0x0000000000402009 in ?? ()
#19007 0x00007fffc75cdcd8 in ?? ()

Version-Release number of selected component (if applicable):
glibc-2.5-42
glibc-common-2.5-42
nss_ldap-253-21.el5

How reproducible:
This way:

Steps to Reproduce:
1. configure ldap properly (cannot be explained here in detail)
2. /etc/init.d/nscd stop
3. getent -s ldap hosts
  
Actual results:
segfault

Expected results:
list of hosts is printed

Additional info:

Comment 1 Albert Flügel 2009-11-04 11:54:46 UTC
Narrowed down the problem, so openldap-2.3.43-3.el5 is involved, too.
do_init_session in ldap-nss.c from nss_ldap calls ldap_initialize,
which can be found in libraries/libldap/open.c of openldap. ldap_initialize
calls ldap_create in the same file, which calls ldap_int_initialize in
libraries/libldap/init.c,
which calls ldap_pvt_get_fqdn with the variable name as argument,
which has been set to ldap_int_hostname, which is NULL at that time.
When name is NULL, ldap_pvt_get_fqdn calls gethostname, which returns
the name of the host itself, i.e. the LDAP client. Now it calls
ldap_pvt_gethostbyname_a in the same file, which in turn calls
gethostbyname_r, and the loop is complete, because in getent.c
the lookup has been set up to only use ldap, so the local /etc/hosts
is not read.

I guess ldap_initialize is determining the name of the host itself
for later possibly initializing SSL using a client-side certificate,
but I don't know what the use of this is in this place.
Anyway, at that time the lookup should somehow not use any other
name service than the local files for the host itself etc. (see above).

When this has been fixed, the next problem might arise when the
LDAP servers in /etc/ldap.conf are given by name for being looked up
in /etc/hosts. As far as I remember, this is not an issue (any more)
and can be found out easily by putting the IP address of one or more
servers into /etc/ldap.conf.

HTH.

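The loop traced in the description and in comment 1, as an added illustration (this is not code from the bug report, from nss_ldap or from OpenLDAP, and it does not claim to be the fix applied in bug 448883): a small C model in which an NSS backend's session setup resolves the client's own hostname through the ordinary resolver, while the resolver has been narrowed to that one backend, as getent -s ldap does for every lookup in the process. The names (resolve, ldap_session_init, ldap_gethostbyname, MAX_DEPTH), the two host tables, the depth cap that stands in for the stack limit, and the assumption that a failed self-lookup still lets session setup proceed with the bare hostname are all constructed for the example. The guarded variant shows one common way such loops are broken: a per-thread "setup in progress" flag that makes a re-entrant call return NSS_STATUS_UNAVAIL instead of recursing. nscd, which moves the lookup out of the process and so sidesteps the loop, is not modelled.

```c
/*
 * Added example, not code from this bug report, nss_ldap or OpenLDAP.
 * Models the nss_ldap <-> libldap lookup loop with hypothetical names;
 * the host tables below are constructed data.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum nss_status { NSS_SUCCESS, NSS_NOTFOUND, NSS_UNAVAIL, NSS_LOOP_ABORTED };
enum service    { SVC_FILES = 1, SVC_LDAP = 2 };   /* bit mask of enabled sources */

#define MAX_DEPTH 64   /* stands in for the stack limit the real loop runs into */

struct host { const char *name, *addr; };
/* Constructed data: what /etc/hosts and the LDAP directory would hold. */
static const struct host files_db[] = { {"ldapclient", "192.0.2.5"} };
static const struct host ldap_db[]  = { {"ldapclient", "192.0.2.5"}, {"www", "192.0.2.10"} };

static enum nss_status table_lookup(const struct host *db, size_t n,
                                    const char *name, const char **addr)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0) {
            if (addr) *addr = db[i].addr;
            return NSS_SUCCESS;
        }
    return NSS_NOTFOUND;
}

static enum nss_status resolve(const char *name, unsigned services, bool guarded,
                               int depth, const char **addr);

/* Per-thread "LDAP session setup in progress" flag: the re-entrancy guard. */
static __thread bool ldap_init_in_progress = false;

/* Stands in for ldap_initialize() -> ldap_int_initialize() ->
 * ldap_pvt_get_fqdn(): libldap resolves the client's own hostname through
 * the ordinary resolver. Assumed fallback: a failed lookup leaves the bare
 * hostname in place and session setup still succeeds. */
static enum nss_status ldap_session_init(unsigned services, bool guarded, int depth)
{
    const char *own_name = "ldapclient";   /* what gethostname() would return */
    enum nss_status st = resolve(own_name, services, guarded, depth + 1, NULL);
    return st == NSS_LOOP_ABORTED ? st : NSS_SUCCESS;
}

/* Stands in for _nss_ldap_gethostbyname_r(): set up the session, then query. */
static enum nss_status ldap_gethostbyname(const char *name, unsigned services,
                                         bool guarded, int depth, const char **addr)
{
    if (guarded && ldap_init_in_progress)
        return NSS_UNAVAIL;   /* re-entered from our own setup: refuse instead of recursing */

    ldap_init_in_progress = true;
    enum nss_status st = ldap_session_init(services, guarded, depth);
    ldap_init_in_progress = false;
    if (st != NSS_SUCCESS)
        return st;
    return table_lookup(ldap_db, sizeof ldap_db / sizeof *ldap_db, name, addr);
}

/* Stands in for gethostbyname_r() plus the NSS dispatch. "getent -s ldap"
 * narrows `services` to SVC_LDAP for every lookup in the process, nested
 * ones included, so /etc/hosts is never consulted. */
static enum nss_status resolve(const char *name, unsigned services, bool guarded,
                               int depth, const char **addr)
{
    if (depth > MAX_DEPTH)
        return NSS_LOOP_ABORTED;   /* the real process overflows its stack here */
    if ((services & SVC_FILES) &&
        table_lookup(files_db, sizeof files_db / sizeof *files_db, name, addr) == NSS_SUCCESS)
        return NSS_SUCCESS;
    if (services & SVC_LDAP)
        return ldap_gethostbyname(name, services, guarded, depth, addr);
    return NSS_NOTFOUND;
}

/* The three situations described on the page. */
enum nss_status lookup_ldap_only_unguarded(const char *name, const char **addr)
{ return resolve(name, SVC_LDAP, false, 0, addr); }              /* getent -s ldap hosts: loops */
enum nss_status lookup_ldap_only_guarded(const char *name, const char **addr)
{ return resolve(name, SVC_LDAP, true, 0, addr); }               /* same, with the guard */
enum nss_status lookup_files_then_ldap(const char *name, const char **addr)
{ return resolve(name, SVC_FILES | SVC_LDAP, false, 0, addr); }  /* plain getent hosts: fine */

int main(void)
{
    static const char *label[] = { "success", "notfound", "unavail", "loop aborted" };
    const char *addr = NULL;
    printf("ldap only, unguarded: %s\n", label[lookup_ldap_only_unguarded("www", &addr)]);
    printf("ldap only, guarded:   %s %s\n", label[lookup_ldap_only_guarded("www", &addr)], addr);
    printf("files then ldap:      %s %s\n", label[lookup_files_then_ldap("www", &addr)], addr);
    return 0;
}
```

The unguarded ldap-only lookup never reaches the LDAP table: every attempt to set up the session asks the resolver for "ldapclient", which is routed back into the same backend, which again needs a session. With files enabled the nested self-lookup is answered from the files table and the loop never starts, which is why plain getent hosts works; with the guard the nested call is refused and setup proceeds with the bare hostname.
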
Comment 2 Dmitri Pal 2010-05-04 20:23:12 UTC

*** This bug has been marked as a duplicate of bug 448883 ***