Bug 784989 - Re-binding to a failed connection can segfault
Summary: Re-binding to a failed connection can segfault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jan Vcelak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-26 20:42 UTC by Rob Crittenden
Modified: 2013-03-04 01:29 UTC (History)
4 users (show)

Fixed In Version: openldap-2.4.24-6.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-18 19:35:04 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Rob Crittenden 2012-01-26 20:42:23 UTC 
Description of problem:

I found a path using python-ldap that can cause a segementation fault. This particular path is rather artificial in nature it should probably still be addressed.

I tested this against an SSL-secured 389-ds server. You'll need a copy of the CA in PEM form.

What you do is make a connection to the non-fqdn of the SSL host. This request will fail but we ignore that and try to bind again anyway and this causes a segfault.

This program:

import ldap
from ldap import sasl
from ldap.ldapobject import SimpleLDAPObject

SASL_AUTH = ldap.sasl.sasl({},'GSSAPI')

def make_conn(url):
    conn = SimpleLDAPObject(url)
    ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca.crt')
    try:
        conn.sasl_interactive_bind_s('', SASL_AUTH)
    except ldap.SERVER_DOWN:
        conn.sasl_interactive_bind_s('', SASL_AUTH)

    conn.unbind_s()

make_conn('ldaps://somewhere:636')

Generates this output:

ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP doberman:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.186.9:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ipa/ca.crt.
TLS: certificate [CN=doberman.example.com,O=EXAMPLE.COM] is valid
TLS certificate verification: subject: CN=doberman.example.com,O=EXAMPLE.COM, issuer: CN=GREYOAK.COM Certificate Authority, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS: hostname (doberman) does not match common name in certificate (doberman.example.com).
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
Segmentation fault (core dumped)

And this trace:

#0  0x00007f152b260f3b in ldap_int_sasl_bind (ld=0x17a48b0, dn=
    0x7f1531ad2644 "", mechs=0x16c8b34 "GSSAPI", sctrls=0x0, cctrls=0x0, 
    flags=2, interact=0x7f152b49e7a0, defaults=0x16d7488, result=0x0, rmech=
    0x7fff81faf0f8, msgid=0x7fff81faf10c) at cyrus.c:440
#1  0x00007f152b264657 in ldap_sasl_interactive_bind (ld=0x17a48b0, dn=
    0x7f1531ad2644 "", mechs=0x16c8b34 "GSSAPI", serverControls=0x0, 
    clientControls=0x0, flags=2, interact=0x7f152b49e7a0, defaults=0x16d7488, 
    result=0x0, rmech=0x7fff81faf0f8, msgid=0x7fff81faf10c) at sasl.c:474
#2  0x00007f152b264838 in ldap_sasl_interactive_bind_s (ld=0x17a48b0, dn=
    0x7f1531ad2644 "", mechs=0x16c8b34 "GSSAPI", serverControls=0x0, 
    clientControls=0x0, flags=2, interact=0x7f152b49e7a0, defaults=0x16d7488)
    at sasl.c:511
#3  0x00007f152b49e13d in ?? ()
#4  0x00007f152b49e7a0 in ?? ()
#5  0x00000000016d7488 in ?? ()
#6  0x00000000018b3fd0 in ?? ()
#7  0x0000003866b0f8b9 in _PyObject_GC_Malloc (basicsize=<optimized out>)
    at /usr/src/debug/Python-2.7.1/Modules/gcmodule.c:1445
#8  _PyObject_GC_Malloc (basicsize=<optimized out>)
    at /usr/src/debug/Python-2.7.1/Modules/gcmodule.c:1439
#9  0x0000003866d87900 in _Py_NotImplementedStruct ()
   from /usr/lib64/libpython2.7.so.1.0
#10 0x0000003866d87900 in _Py_NotImplementedStruct ()
   from /usr/lib64/libpython2.7.so.1.0
#11 0x0000000000000000 in ?? ()

Version-Release number of selected component (if applicable):

openldap-2.4.24-5.fc15.x86_64
Comment 1 Jan Synacek 2012-03-14 11:50:13 UTC 
Upstream report filed: http://www.openldap.org/its/index.cgi/Incoming?id=7207
Comment 2 Jan Synacek 2012-03-26 11:44:09 UTC 
Fixed in rawhide:
http://lists.fedoraproject.org/pipermail/scm-commits/2012-March/759866.html
Comment 3 Fedora Update System 2012-03-26 12:07:28 UTC 
openldap-2.4.30-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openldap-2.4.30-2.fc17
Comment 4 Fedora Update System 2012-03-26 12:17:22 UTC 
openldap-2.4.26-7.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openldap-2.4.26-7.fc16
Comment 5 Fedora Update System 2012-03-26 12:24:57 UTC 
openldap-2.4.24-6.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/openldap-2.4.24-6.fc15
Comment 6 Fedora Update System 2012-03-31 03:17:19 UTC 
Package openldap-2.4.24-6.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.24-6.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-5053/openldap-2.4.24-6.fc15
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-04-12 03:31:51 UTC 
openldap-2.4.30-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-04-18 19:24:03 UTC 
openldap-2.4.26-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-04-18 19:35:04 UTC 
openldap-2.4.24-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.