[389-devel] Please review (additional fix): [389 Project] #48188: segfault in ns-slapd due to accessing Slapi_DN freed in pre bind plug-in

Noriko Hosoi <nhosoi@xxxxxxxxxx> · Fri, 18 Sep 2015 15:24:27 -0700

https://fedorahosted.org/389/ticket/48188

https://fedorahosted.org/389/attachment/ticket/48188/0001-Ticket-48188-segfault-in-ns-slapd-due-to-accessing-S.2.patch
git patch file (master) -- Additional fixes based upon the comments by 
Rich in comment 24

    Description: Additional fixes based upon the comments by 
rmeggins@xxxxxxxxxx
    (Thank you, Rich!!).
https://fedorahosted.org/389/ticket/48188?replyto=24#comment:24
    1. Implemented the case 2)
       If the plugin changes the SLAPI_BIND_TARGET_SDN *value*,
       we need to select a different backend. It is possible
       (but not very useful) for the plugin to change the pointer,
       but use the same value.
    2. Added an api slapi_be_select_exact which returns NULL if
       no matching backend.

On 09/18/2015 11:48 AM, 389 Project wrote:
#48188: segfault in ns-slapd due to accessing Slapi_DN freed in pre bind plug-in
-------------------------------------------------+-------------------------
         Reporter:  wetpaste                      |          Owner:  nhosoi
             Type:  defect                        |         Status:
         Priority:  major                         |  accepted
        Component:  Directory Server              |      Milestone:  1.3.4.5
       Resolution:                                |        Version:  1.3.3
       Blocked By:                                |       Keywords:
           Review:  review?                       |  segfault crash
Red Hat Bugzilla:                                |       Blocking:
   [https://bugzilla.redhat.com/show_bug.cgi?id=1264224|  Ticket origin:
   1264224]                                       |  Community
-------------------------------------------------+-------------------------

Comment (by rmeggins):

  There are two issues

  1) If the plugin changes the SLAPI_BIND_TARGET_SDN *pointer*, we need to
  use it instead of the current `sdn` and `dn`.  For this, it is sufficient
  to do `pb_sdn != sdn`.

  2) If the plugin changes the SLAPI_BIND_TARGET_SDN *value*, we need to
  select a different backend.  It is possible (but not very useful) for the
  plugin to change the pointer, but use the same value.

  I'm also not sure if it is sufficient to call `be =
  slapi_be_select(sdn);`.  The bind code sets the be like this:
  {{{
      /* We could be serving multiple database backends.  Select the
  appropriate one */
      if (slapi_mapping_tree_select(pb, &be, &referral, errorbuf) !=
  LDAP_SUCCESS) {
          send_nobackend_ldap_result( pb );
          be = NULL;
          goto free_and_return;
      }
  }}}
  Do we need to have similar logic in order to change the backend?  What if
  the plugin selects a non-existent backend that causes `be ==
  defbackend_get_backend()`?

  We also need to set the new backend in the pblock: `slapi_pblock_set( pb,
  SLAPI_BACKEND, be );`

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel