(ITS#6508) memberof segmentation fault
Full_Name: Neil Dunbar
Version: 2.4.21
OS: Debian 5, Ubuntu 9.10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (68.142.115.87)
Hi there,
It looks like there's a small bug in memberof.c - it only manifests itself when
"memberof_dangling" is set to "drop". I think that, while the overlay reduces
the a->a_vals and a->a_nvals array by one, to strip out a non-existent DN, it
needs to reduce the a->a_numvals variable as well.
The end result of this is that if one adds a group which has a mix of members
which exist in the DIT, and some which don't, the entry_encode() routine will
segfault. [I can only reproduce the segv in back-bdb and back-hdb. back-ldif
doesn't seem to exhibit this behaviour].
I've uploaded a tiny slapd.conf and test LDIF file (in
ftp://ftp.openldap.org/incoming/memberof-segv-20100407.tar.gz) which is normally
enough to trigger the fault. If one starts up slapd via
slapd -f mof-slapd.conf -h ldap://localhost -d trace
followed by
ldapmodify -x -H ldap://localhost -D cn=admin,dc=test -w adminpw -f ldif/test-memberof.ldif
one should see an assertion fail in entry_encode() with (i == a->a_numvals)
failing.
The following patch seems to fix it, but I haven't done real regression testing
to see if it rolls other errors. The normal slapd unit tests seem to yield
proper results though.
---8<----8<------
--- memberof.c.orig 2010-04-07 16:49:44.000000000 -0700
+++ memberof.c 2010-04-07 16:49:20.000000000 -0700
@@ -580,6 +580,7 @@
sizeof( struct berval )
* ( j - i ) );
}
i--;
+ a->a_numvals--;
}
}
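Review bot: the added `a->a_numvals--;` next to `i--;` carries no comment saying why the count has to track the shrunken arrays, and the hunk does not show whether the enclosing loop or the `( j - i )` length depends on a value count cached before the loop. Suggest a one-line comment noting that a_numvals must equal the number of remaining values (the report cites the `i == a->a_numvals` assertion in entry_encode()), and a check of what happens when every value is dropped and a_numvals reaches zero, which these lines do not cover.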
---8<----8<------
Hope this helps,
Neil
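
The invariant behind the report above, as an added example that is not part of the original message and is not OpenLDAP code: a terminated value array and its stored count must shrink together, or a later consistency check fails. The `struct attr`, `dn_exists`, `drop_dangling` and `count_matches` names are hypothetical stand-ins, and the DNs are constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* Simplified, hypothetical stand-in for an attribute: a NULL-terminated
 * value array plus a separately stored count (not OpenLDAP's types). */
struct attr {
    const char *vals[8];   /* terminated by a NULL entry */
    unsigned    numvals;   /* must equal the number of live entries */
};

/* Constructed predicate standing in for "does this DN exist in the DIT?" */
static int dn_exists(const char *dn)
{
    return strncmp(dn, "cn=missing", 10) != 0;
}

/* Drop dangling values in place. With fix_count == 0 the array shrinks
 * but numvals is left untouched, which is the defect the report describes. */
static void drop_dangling(struct attr *a, int fix_count)
{
    int i, j;
    for (i = 0; a->vals[i] != NULL; i++) {
        if (dn_exists(a->vals[i]))
            continue;
        for (j = i + 1; a->vals[j] != NULL; j++)
            ;                          /* j = index of the terminator */
        /* shift the tail, terminator included, down by one slot */
        memmove(&a->vals[i], &a->vals[i + 1],
                sizeof(a->vals[0]) * (size_t)(j - i));
        i--;                           /* re-examine the value now at vals[i] */
        if (fix_count)
            a->numvals--;              /* keep the count in sync */
    }
}

/* The check an encoder relies on: walk the terminated array and compare
 * the result with the stored count. Returns 1 when they agree. */
static int count_matches(const struct attr *a)
{
    unsigned i;
    for (i = 0; a->vals[i] != NULL; i++)
        ;
    return i == a->numvals;
}

int main(void)
{
    /* constructed sample: two existing members, two dangling ones */
    struct attr a = { { "cn=alice,dc=test", "cn=missing1,dc=test",
                        "cn=bob,dc=test", "cn=missing2,dc=test", NULL }, 4 };
    drop_dangling(&a, 1);
    return count_matches(&a) ? 0 : 1;
}
```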