Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
+++ This bug was initially created as a clone of Bug #720059 +++
Description of problem:
If I have an object with RDN "cn=foo" and I add a second object with RDN "cn=%foo", ns-slapd segfaults.
Version-Release number of selected component (if applicable):
389-ds-base 1.2.8.3 - installed from EPEL repo.
CentOS 5.4
Steps to Reproduce:
1. Configure a standalone 389 Directory Server with 389-test as rootdn.
2. Try to add the following entries:
dn: ou=SUDOers,ou=Groups,dc=389-test
ou: SUDOers
objectClass: top
objectClass: organizationalUnit

dn: cn=segu,ou=Groups,dc=389-test
gidNumber: 1100
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: segu

dn: cn=%segu,ou=SUDOers,ou=Groups,dc=389-test
objectClass: top
objectClass: sudoRole
cn: %segu
sudoUser: %segu
sudoHost: ALL
sudoCommand: /usr/bin/passwd root
sudoCommand: /usr/sbin/useradd
sudoCommand: /usr/bin/passwd
sudoCommand: /usr/bin/chage
sudoCommand: /usr/sbin/userdel
sudoCommand: /sbin/pam_tally2
sudoOption: !authenticate
I tried renaming the object to %bar and it works.
--- Additional comment from diego.ar on 2011-07-08 17:54:59 EDT ---
Backtrace:
#0 0x00007ffff550eb60 in strlen () from /lib64/libc.so.6
#1 0x00007ffff5e36c7c in cvt_s (ss=0x478056d0, fmt=<value optimized out>,
ap=<value optimized out>) at ../../.././mozilla/nsprpub/pr/src/io/prprf.c:396
#2 dosprintf (ss=0x478056d0, fmt=<value optimized out>, ap=<value optimized out>)
at ../../.././mozilla/nsprpub/pr/src/io/prprf.c:980
#3 0x00007ffff5e36e64 in PR_vsnprintf (out=<value optimized out>,
outlen=<value optimized out>, fmt=0xffffffff <Address 0xffffffff out of bounds>,
ap=0x7) at ../../.././mozilla/nsprpub/pr/src/io/prprf.c:1184
#4 0x00007ffff5e37103 in PR_snprintf (out=0x9 <Address 0x9 out of bounds>, outlen=115,
fmt=0x47805748 "\t") at ../../.././mozilla/nsprpub/pr/src/io/prprf.c:1164
#5 0x00007fffef1d5305 in _entryrdn_new_rdn_elem (be=<value optimized out>,
id=<value optimized out>, srdn=<value optimized out>, length=<value optimized out>)
at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:1358
#6 0x00007fffef1d5984 in _entryrdn_index_read (be=0x8626f0, cursor=0x9004d0,
srdn=0x478079b0, elem=0x478079f0, parentelem=0x0, childelems=0x0, db_txn=0x0)
at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:2622
#7 0x00007fffef1d7acc in entryrdn_index_read (be=0x8626f0, sdn=<value optimized out>,
id=0x47807a7c, txn=<value optimized out>)
at ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c:368
#8 0x00007fffef1b16c9 in dn2entry (be=0x8626f0, sdn=0x47807ac0, txn=0x47807d30,
err=0x47807afc) at ldap/servers/slapd/back-ldbm/dn2entry.c:80
#9 0x00007fffef1b1885 in get_copy_of_entry (pb=0xb62cc0, addr=0x47807cd0,
txn=0x47807d30, plock_parameter=61, must_exist=1)
at ldap/servers/slapd/back-ldbm/dn2entry.c:261
--- Additional comment from rmeggins on 2011-07-11 12:34:30 EDT ---
Created attachment 512258
0001-Bug-720059-RDN-with-can-cause-crashes-or-missing-ent.patch
--- Additional comment from rmeggins on 2011-07-11 12:44:50 EDT ---
To ssh://git.fedorahosted.org/git/389/ds.git
d2960e2..0263e0b master -> master
commit 0263e0bffdfcb9cf59b7c6ba29f060987d06449a
Author: Rich Megginson <rmeggins>
Date: Mon Jul 11 10:08:56 2011 -0600
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: The code was using PR_snprintf to copy the RDN to the
buffer used to store the value in the entryrdn index. If there was
a % in the value, the PR_snprintf was interpreting the next char as a
formatting directive. But since we don't pass any varargs arguments,
the formatting directive was using random garbage on the stack, which
can lead to crashes or missing entries or other undefined behavior.
The fix is to use PL_strncpyz which will just copy the string up to
the correct buffer size and will make sure the string is properly
null terminated.
You can use a simple C program to illustrate this problem:
#include <stdio.h>
#include <nspr4/prprf.h>   /* PR_snprintf; the header lives in /usr/include/nspr4 on RHEL/Fedora */

int
main(int argc, char *argv[])
{
    char buf[10];
    argv++;
    for (; *argv; ++argv) {
        /* The argument is passed as the format string with no varargs,
           exactly as the entryrdn code did with the RDN value. */
        PR_snprintf(buf, sizeof(buf), *argv);
        printf("buf is [%s]\n", buf);
    }
    return 0;
}
gcc -o testit testit.c -lnspr4
Then pass in values like %d %100s %100.100s and so on. You will either
get crashes or random output.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
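To show concretely why "cn=%segu" crashed while "%bar" did not, and what the PL_strncpyz replacement guarantees, here is an added stand-alone C example that is not part of the 389 code or of the patch: format_args_consumed parses a value the way a printf-family formatter would and reports how many missing variadic arguments it would read off the stack, and rdn_copy_safe reproduces the copy-and-terminate semantics of PL_strncpyz in plain C. The helper safe_copy_gives and the treatment of an unrecognised conversion letter as literal text are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* Hardened copy with the PL_strncpyz semantics the fix relies on: at most
 * bufsize-1 bytes copied, always NUL-terminated, '%' treated as plain data. */
void rdn_copy_safe(char *buf, size_t bufsize, const char *rdn)
{
    size_t n = 0;
    if (bufsize == 0) return;
    while (n < bufsize - 1 && rdn[n] != '\0') n++;
    memcpy(buf, rdn, n);
    buf[n] = '\0';
}

/* Variadic arguments a printf-style formatter would pull off the stack if
 * value were the format string with no arguments (the bug's pattern): "%%"
 * none, '*' width/precision one each, a recognised conversion one. */
int format_args_consumed(const char *value)
{
    int args = 0;
    for (const char *p = value; *p; p++) {
        const char *q = p + 1;
        int pending = 0;
        if (*p != '%') continue;
        if (*q == '%') { p = q; continue; }          /* escaped percent */
        while (*q && strchr("-+ #0", *q)) q++;       /* flags */
        if (*q == '*') { pending++; q++; }           /* width from an arg */
        else while (isdigit((unsigned char)*q)) q++;
        if (*q == '.') {                             /* precision */
            q++;
            if (*q == '*') { pending++; q++; }
            else while (isdigit((unsigned char)*q)) q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;     /* length modifiers */
        if (*q && strchr("diouxXeEfFgGcspn", *q)) {  /* conversion letter */
            args += pending + 1;                     /* "%bar": none, literal */
            p = q;
        }
    }
    return args;
}

/* Check helper: copy rdn into a bufsize-byte buffer and compare the result. */
int safe_copy_gives(size_t bufsize, const char *rdn, const char *expected)
{
    char buf[64] = {0};
    if (bufsize > sizeof buf) return 0;
    rdn_copy_safe(buf, bufsize, rdn);
    return strcmp(buf, expected) == 0;
}
```

For "%segu" the parser reports one argument (the %s whose stray pointer ends up in strlen, frame #0 of the backtrace), while "%bar" reports none, which is the behaviour the reporter observed.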
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHEA-2011-1711.html