[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Louis Bouchard]

** Tags removed: sts-sru

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Launchpad Bug Tracker]

This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu8.3

---
openldap (2.4.31-1+nmu2ubuntu8.3) trusty; urgency=medium

  * Fix segfault issue in slap_bv2ad (LP: #1593378)
- d/p/its-7941-fix-for-repeated-tags.patch: Cherry picked
patch from upstream VCS.

 -- Eric Desrochers   Fri, 24 Jun 2016
11:05:23 +0200

** Changed in: openldap (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

The following has been brought to my attention by a user :

"I got verification from the system test, the fix solves the ldap issue.
Thank you for the fix"

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Robie Basak]

Unsubscribing ~ubuntu-sponsors as it looks like this has already been
uploaded.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

** Tags removed: sts-sponsor

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Martin Pitt]

Hello Eric, or anyone else affected,

Accepted openldap into trusty-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu8.3 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: openldap (Ubuntu Trusty)
   Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

The user that originally reported the issue on Ubuntu package have tested a 
"Test package". 
The "Test package" I have builded can be found here : ppa:slashd/fix1593378.

Users feedback :

"We tested the hotfix and looks like it works, the sldap on the CIC with
the fix didn`t crash."

Eric


** Description changed:

  [SRU JUSTIFICATION]
  
  [Impact]
  
  The effect of the bug on users is that the program (slapd) terminated
  with signal SIGSEGV, Segmentation fault when ldapsearch tries to query
  using multiple language tags.
  
  GDB output:
  ...
  Core was generated by `/usr/sbin/slapd -h ldap://:389 ldap://:389/ 
ldapi:/// -g o'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  ...
  
  (gdb) bt
  #0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
  #1 0x7f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, 
ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at 
../../../../servers/slapd/ad.c:268
  ...
  
  In frame #1 the 'tags' struct is corrupt.
  
  Line #272 checks for duplication and jumps to the done label (line #294)
  when a duplicate is found. The code increases 'ntags' without filling in
  the tags struct with values. In later iterations this could lead to
  copying and using uninitialised memory.
  
  [Test Case]
  
  One way to reproduce the issue :
  
  $ ldapsearch -D
  
"cn=,dc=,dc=,dc="
  -x -W -b
  
"dc=,dc=,dc="
  "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
  encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
  encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn
  ;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
  ;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
  ;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de
  ;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
  ;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
  ;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
  encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
  encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"
  
  Explanation :
  
  Reference:
  http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch
  
  -D binddn
  Use the Distinguished Name binddn to bind to the LDAP directory.
  For SASL binds, the server is expected to ignore this value.
  
  -x
  Use simple authentication instead of SASL.
  
  -W
  Prompt  for  simple  authentication.   This  is  used instead of
  specifying the password on the command line.
  
  -b searchbase
  Use searchbase as the starting point for the search  instead  of the default.
  
  [Regression Potential]
  
  The patch is already in place in Debian & Wily and late Ubuntu release
  version.
  
+ A hotfix has been tested by the user that originally reported the issue.
+ The hotfix solves the issue.
+ 
  [Other Info]
  
  Upstream OpenLDAP Bug :
  http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9
  
  Upstream OpenLDAP Commit  :
  af8f1e0 ITS#7941 fix for repeated tags
  
  Upstream OpenLDAP Commit Web  :
  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0
  
  (The commit has been introduced first in upstream branch :
  OPENLDAP_REL_ENG_2_4_40~6)
  
  [Original Description]
  
  Core was generated by `/usr/sbin/slapd -h ldap://:389 ldap://:389/ 
ldapi:/// -g o'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
  210   ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
  (gdb) bt
  #0  __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
  #1  0x7f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, 
ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at 
../../../../servers/slapd/ad.c:268
  #2  0x7f674ae4d235 in get_filter (op=op@entry=0x7f672c000a80, 
ber=, filt=filt@entry=0x7f672c000af0, 
text=text@entry=0x7f6741e0f980)
  at ../../../../servers/slapd/filter.c:190
  #3  0x7f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at 
../../../../servers/slapd/search.c:127
  #4  0x7f674ae496dc in connection_operation (ctx=ctx@entry=0x7f6741e0fb90, 
arg_v=arg_v@entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
  #5  0x7f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, 
argv=0x19) at ../../../../servers/slapd/connection.c:1286
  #6  0x7f674a9a7aba in ?? () from 
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
  #7  0x7f67498dc182 in start_thread (arg=0x7f6741e10700) at 
pthread_create.c:312
  #8  0x7f674960947d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using 

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

Here's the debdiff for Trusty which is a cherry picked patch from
upstream VCS.

** Patch added: "lp1593378_trusty.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+attachment/4687422/+files/lp1593378_trusty.debdiff

** Changed in: openldap (Ubuntu Trusty)
   Status: New => In Progress

** Tags added: ubuntu-sponsors

** Tags added: patch sts-sponsor sts-sru

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

** Description changed:

+ [Impact]
+ 
+ The effect of the bug on users is that the program (slapd) terminated
+ with signal SIGSEGV, Segmentation fault when ldapsearch tries to query
+ using multiple language tags.
+ 
+ 
+ GDB output:
+ ...
+ Core was generated by `/usr/sbin/slapd -h ldap://:389 ldap://:389/ 
ldapi:/// -g o'.
+ Program terminated with signal SIGSEGV, Segmentation fault.
+ ...
+ 
+ (gdb) bt
+ #0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
+ #1 0x7f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, 
ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at 
../../../../servers/slapd/ad.c:268 
+ ...
+ 
+ In frame #1 the 'tags' struct is corrupt.
+ 
+ Line #272 checks for duplication and jumps to the done label (line #294)
+ when a duplicate is found. The code increases 'ntags' without filling in
+ the tags struct with values. In later iterations this could lead to
+ copying and using uninitialised memory.
+ 
+ [Test Case]
+ 
+ One way to reproduce the issue :
+ 
+ $ ldapsearch -D
+ 
"cn=,dc=,dc=,dc="
+ -x -W -b
+ 
"dc=,dc=,dc="
+ "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
+ encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
+ encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn
+ ;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
+ ;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
+ ;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de
+ ;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
+ ;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
+ ;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
+ encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
+ encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"
+ 
+ Explanation :
+ 
+ Reference: 
+ http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch
+ 
+ -D binddn
+ Use the Distinguished Name binddn to bind to the LDAP directory.
+ For SASL binds, the server is expected to ignore this value.
+ 
+ -x  
+ Use simple authentication instead of SASL.
+ 
+ -W
+ Prompt  for  simple  authentication.   This  is  used instead of
+ specifying the password on the command line.
+ 
+ -b searchbase
+ Use searchbase as the starting point for the search  instead  of the default.
+ 
+ 
+ [Regression Potential] 
+ 
+ The patch is already in place in Debian & Wily and late Ubuntu release
+ version.
+ 
+ [Other Info]
+ 
+ Upstream OpenLDAP Bug : 
+ http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9
+ 
+ Upstream OpenLDAP Commit  : 
+ af8f1e0 ITS#7941 fix for repeated tags 
+ 
+ Upstream OpenLDAP Commit Web  : 
+ http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0
+ 
+ (The commit has been introduced first in upstream branch :
+ OPENLDAP_REL_ENG_2_4_40~6)
+ 
+ [Original Description]
+ 
  Core was generated by `/usr/sbin/slapd -h ldap://:389 ldap://:389/ 
ldapi:/// -g o'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
  210   ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
  (gdb) bt
  #0  __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
  #1  0x7f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, 
ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at 
../../../../servers/slapd/ad.c:268
  #2  0x7f674ae4d235 in get_filter (op=op@entry=0x7f672c000a80, 
ber=, filt=filt@entry=0x7f672c000af0, 
text=text@entry=0x7f6741e0f980)
- at ../../../../servers/slapd/filter.c:190
+ at ../../../../servers/slapd/filter.c:190
  #3  0x7f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at 
../../../../servers/slapd/search.c:127
  #4  0x7f674ae496dc in connection_operation (ctx=ctx@entry=0x7f6741e0fb90, 
arg_v=arg_v@entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
  #5  0x7f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, 
argv=0x19) at ../../../../servers/slapd/connection.c:1286
  #6  0x7f674a9a7aba in ?? () from 
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
  #7  0x7f67498dc182 in start_thread (arg=0x7f6741e10700) at 
pthread_create.c:312
  #8  0x7f674960947d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

** Description changed:

+ [SRU JUSTIFICATION]
+ 
  [Impact]
  
  The effect of the bug on users is that the program (slapd) terminated
  with signal SIGSEGV, Segmentation fault when ldapsearch tries to query
  using multiple language tags.
- 
  
  GDB output:
  ...
  Core was generated by `/usr/sbin/slapd -h ldap://:389 ldap://:389/ 
ldapi:/// -g o'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  ...
  
  (gdb) bt
  #0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
- #1 0x7f674ae8cab2 in 

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

** Changed in: openldap (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

** Changed in: openldap (Ubuntu Trusty)
 Assignee: (unassigned) => Eric Desrochers (slashd)

** Tags added: sts

** Changed in: openldap (Ubuntu Trusty)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Robie Basak]

** Also affects: openldap (Ubuntu Trusty)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

In frame #1

(gdb) p tags
$2 = {{bv_len = 7, 
bv_val = 0x7f672c104866 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c10486e 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
bv_val = 0x7f672c10488a 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c104880 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
bv_val = 0x7f672c10489c 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c1048a4 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
bv_val = 0x7f672c1048c0 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c1048b6 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 2, bv_val = 0x7f6741e0df70 "240.0.0.2"}, {bv_len = 7, 
bv_val = 0x7f672c1048d2 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c1048da 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
bv_val = 0x7f672c1048f6 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c1048ec 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
bv_val = 0x7f672c104908 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c104910 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 0, bv_val = 0x0}, {bv_len = 7, 
bv_val = 0x7f672c10492c 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c104922 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 140081463615264, bv_val = 0x7f67495df48b <__GI_getaddrinfo+1915> 
"H\213\205\300\376\377\377H\205\300\017\204\216\001"}, {bv_len = 7, 
bv_val = 0x7f672c10493e 
"lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...},
 {bv_len = 9, 
bv_val = 0x7f672c104946 
"lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...},
 {bv_len = 140081589971545, bv_val = 0x7f67495594ea 
<_IO_vfprintf_internal+2042> 

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

** Changed in: openldap (Ubuntu)
 Assignee: (unassigned) => Eric Desrochers (slashd)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

line #272 checks for duplication and jumps to the done label (line #294)
when a duplicate is found.

The code increases 'ntags' without filling in the tags struct with values. 
In later iterations this could lead to copying and using uninitialised memory.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

** Changed in: openldap (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

[Eric Desrochers]

I think this upstream commit could be a possible candidate to fix that
issue :

commit 0659ef45d486b5daaafc020cb67b561a8029036d
Author: Howard Chu 
Date:   Thu Sep 18 00:33:33 2014 +0100

ITS#7941 fix for repeated tags

Make sure ntags isn't incremented if we're skippnig the tag

diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c
index 78a8b15..246b900 100644
--- a/servers/slapd/ad.c
+++ b/servers/slapd/ad.c
@@ -271,6 +271,7 @@ int slap_bv2ad(
 
if( rc == 0 && (unsigned)optlen == 
tags[i].bv_len ) {
/* duplicate (ignore) */
+   ntags--;
goto done;
 
} else if ( rc > 0 ||

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs