Bug 644013 - uniqueness plugin segfault bug
Summary: uniqueness plugin segfault bug
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Server - Plugins
Version: 1.2.6
Hardware: All
OS: Linux
high
urgent
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.7 639035
TreeView+ depends on / blocked
 
Reported: 2010-10-18 18:40 UTC by Simo Sorce
Modified: 2015-12-07 16:49 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:49:57 UTC


Attachments (Terms of Use)

Description Simo Sorce 2010-10-18 18:40:52 UTC
In the uniqueness plugin the addMod() function is buggy and will modify arbitrary memory if more then one mod is added to the array passed to the function.

The error is in servers/plugins/uiquniq/uid.c at line 650

*modary[*nmods] = toadd;

this is incorrect and wors only for element [0] of the array.
the correct code reads:
(*modary)[*nmods] = toadd;

The segfault happens later on when the modify_preop() code will try to dereference the second element of the array finding a pointer to 0.
The stack of the modify_preop is probably also compromised because the next address after the checkmods array has been changed.

Note that the servers/plugins/uiquniq/7bit.c file has the same addMod() function, but the code is correct there. Yay for code duplication :-/

Comment 1 Rich Megginson 2010-10-18 18:46:27 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   52632d7..f4c6760  master -> master
commit f4c6760ea5da7849e5b1f3b2f8d08bd7f6eedd1a
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Mon Oct 18 12:47:14 2010 -0600
    Reviewed by: self - one liner
    Branch: master
    Fix Description: Access the array pointer correctly
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

Comment 2 Amita Sharma 2011-05-16 11:20:24 UTC
Seems to be a code issue in addMod().
Can I verify/Test this? 
If yes, then please add the steps.

Thanks,
ami

Comment 3 Rich Megginson 2011-05-16 15:01:46 UTC
(In reply to comment #2)
> Seems to be a code issue in addMod().
> Can I verify/Test this? 
> If yes, then please add the steps.
> 
> Thanks,
> ami

Submit a modify operation that has more than one uid value in it.  For example:
       changetype: modify
       delete: uid
       uid: balster1950
       -
       add: uid
       uid: scottg
the server should not crash

Comment 4 Amita Sharma 2011-05-17 09:29:14 UTC
No crash found.


Note You need to log in before you can comment on or make changes to this bug.