In the uniqueness plugin the addMod() function is buggy and will modify arbitrary memory if more than one mod is added to the array passed to the function.

The error is in servers/plugins/uiquniq/uid.c at line 650:

    *modary[*nmods] = toadd;

This is incorrect and works only for element [0] of the array. The correct code reads:

    (*modary)[*nmods] = toadd;

The segfault happens later on when the modify_preop() code will try to dereference the second element of the array finding a pointer to 0. The stack of the modify_preop is probably also compromised because the next address after the checkmods array has been changed.

Note that the servers/plugins/uiquniq/7bit.c file has the same addMod() function, but the code is correct there. Yay for code duplication :-/
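The precedence error described in this report, reproduced as an added example that is not the project's code: `mod_t`, `add_buggy`, `add_fixed`, `run` and the `frame`/`canary` layout are hypothetical stand-ins. `frame[1]` simulates the stack slot next to the caller's array pointer and is aimed at a canary, so the stray write is well defined and can be observed.

```c
#include <stdio.h>

typedef struct { const char *type; } mod_t;  /* stand-in for LDAPMod */
static mod_t mod_a = {"uid"}, mod_b = {"uid"};

/* Reported form: [] binds tighter than unary *, so this is *(modary[*nmods]). */
static void add_buggy(mod_t ***modary, int *nmods, mod_t *toadd)
{
    *modary[*nmods] = toadd;
    (*nmods)++;
}

/* Corrected form: dereference first, then index the caller's array. */
static void add_fixed(mod_t ***modary, int *nmods, mod_t *toadd)
{
    (*modary)[*nmods] = toadd;
    (*nmods)++;
}

struct result { mod_t *slot0, *slot1, *canary; };

/* frame[0] plays the caller's array pointer. frame[1] plays the stack slot
 * next to it and is aimed at a canary, so the stray write stays well defined. */
static struct result run(void (*add)(mod_t ***, int *, mod_t *))
{
    mod_t *array[2] = {NULL, NULL};
    mod_t *canary = NULL;
    mod_t **frame[2] = {array, &canary};
    int nmods = 0;

    add(frame, &nmods, &mod_a);
    add(frame, &nmods, &mod_b);
    return (struct result){array[0], array[1], canary};
}

int main(void)
{
    struct result bug = run(add_buggy), ok = run(add_fixed);
    printf("buggy: slot1=%p canary=%p\n", (void *)bug.slot1, (void *)bug.canary);
    printf("fixed: slot1=%p canary=%p\n", (void *)ok.slot1, (void *)ok.canary);
    return 0;
}
```

With the reported form the second mod never reaches the array (slot 1 stays NULL) and is written through the neighbouring pointer instead, which matches the NULL dereference and the changed adjacent address described in the report.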
To ssh://git.fedorahosted.org/git/389/ds.git
   52632d7..f4c6760  master -> master

commit f4c6760ea5da7849e5b1f3b2f8d08bd7f6eedd1a
Author: Rich Megginson <rmeggins>
Date:   Mon Oct 18 12:47:14 2010 -0600

    Reviewed by: self - one liner
    Branch: master
    Fix Description: Access the array pointer correctly
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
Seems to be a code issue in addMod(). Can I verify/Test this? If yes, then please add the steps. Thanks, ami
(In reply to comment #2)
> Seems to be a code issue in addMod().
> Can I verify/Test this?
> If yes, then please add the steps.
>
> Thanks,
> ami

Submit a modify operation that has more than one uid value in it. For example:

changetype: modify
delete: uid
uid: balster1950
-
add: uid
uid: scottg

The server should not crash.
No crash found.