From c92cbe6a93a7933abc59b2fe4bf96a32aff2c6d8 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 9 Feb 2016 16:12:07 -0800
Subject: [PATCH 84/86] Ticket #48536 - Crash in slapi_get_object_extension
Description: The crash was caused by the combination of psearch and
updating one of these group values: groupOfNames, groupOfUniqueNames,
groupOfCertificates, groupOfURL.
In the psearch, it creates aclpb in the acl plug-in and sets the original
pblock address in the aclpb. Then, psearch creates a copy of the pblock and
sets it in the psearch structure. Now, the pblock address in aclpb and the
pblock address in the psearch structure do not match. The original pblock
itself is freed and the pblock area which address is stored in aclpb is not
guaranteed what is in it.
If nothing occurs, the freed pblock in aclpb is not accessed. But once one
of the group values is updated, the acl plug-in signature is updated and it
triggers to get aclpb from the pblock.
The acl_get_aclpb call accesses the freed pblock (e.g., NULL op) and it
crashes the server.
This patch checks the current pblock address and the pblock address in aclpb.
If they don't match, the address in aclpb is reassigned to the current pblock
address.
https://fedorahosted.org/389/ticket/48536
Reviewed by mreynolds@redhat.com (Thank you, Mark!!)
(cherry picked from commit 091a5f5daf3fa378f029e293c5358ae9be9f548e)
(cherry picked from commit 8a83a93977f13db36e42798a5eed041c1b3868a9)
---
ldap/servers/plugins/acl/acl.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 678a999..d56bed6 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -317,6 +317,13 @@ acl_access_allowed(
goto cleanup_and_ret;
}
+ if (pb != aclpb->aclpb_pblock) {
+ slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+ "acl_access_allowed: Resetting aclpb_pblock 0x%x to pblock addr 0x%x\n",
+ aclpb->aclpb_pblock, pb);
+ aclpb->aclpb_pblock = pb;
+ }
+
if ( !aclpb->aclpb_curr_entry_sdn ) {
slapi_log_error ( SLAPI_LOG_FATAL, plugin_name, "NULL aclpb_curr_entry_sdn \n" );
ret_val = LDAP_OPERATIONS_ERROR;
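Review bot: The new log call passes two pointers (`aclpb->aclpb_pblock`, `pb`) to a `0x%x` conversion, which expects `unsigned int`; on LP64 builds this is undefined behaviour for the vararg read and at best prints a truncated address, so the diagnostic cannot be correlated with other pointer logging. Use the pointer conversion instead: `"acl_access_allowed: Resetting aclpb_pblock %p to pblock addr %p\n"`. The same format string appears in the acl_read_access_allowed_on_entry hunk below and needs the same change. Note also that the stale value is only printed, never dereferenced, which is the right choice given the description says it may point at freed memory; a short comment such as `/* psearch copies the pblock; aclpb may still hold the freed original */` above the check would tell the next reader why a mismatch is expected rather than a bug. acl_access_allowed starts and ends outside this hunk.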
@@ -932,6 +939,13 @@ acl_read_access_allowed_on_entry (
tnf_string,end,"aclpb error");
return LDAP_OPERATIONS_ERROR;
}
+
+ if (pb != aclpb->aclpb_pblock) {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,
+ "acl_read_access_allowed_on_entry: Resetting aclpb_pblock 0x%x to pblock addr 0x%x\n",
+ aclpb->aclpb_pblock, pb);
+ aclpb->aclpb_pblock = pb;
+ }
/*
* Am I a anonymous dude ? then we can use our anonympous profile
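Review bot: This hunk logs the pblock reset at `SLAPI_LOG_ACL` while the identical check added to acl_access_allowed logs at `SLAPI_LOG_FATAL`; per the description the mismatch occurs on every psearch whose pblock was copied, so the FATAL-level variant will write an unconditional error-log line per access evaluation under normal operation, which is noise that can drown real errors and is cheap for a client to provoke. Both sites should use the same level, and `SLAPI_LOG_ACL` is the appropriate one for an expected condition: change the first hunk to `slapi_log_error(SLAPI_LOG_ACL, plugin_name,`. The reassignment also only repairs the pointer on the two paths patched here; any other reader of `aclpb->aclpb_pblock` that runs between the psearch copy and these functions presumably still sees the freed address, so a comment stating that this is a late repair rather than a fix at the copy site would help. acl_read_access_allowed_on_entry starts and ends outside this hunk.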
--
2.4.3