On (02/08/16 18:40), Lukas Slebodnik wrote: >On (02/08/16 15:54), Lukas Slebodnik wrote: >>ehlo, >> >>attached two patches fix a crash in nss responder, >>which was caused by recent Sumit's patches. >> >>The 1st patch cannot be applied to master because >>I plan do do some changes in ldap integration tests in different thread. >>But the patch with test is attached. So there will not be a such regressions >>in future >> >Fabiano asked me to add valgring message from crash to the commit message. >And I found another small valgrind issue in back-end > >Updated patch is attached. > There was a wrong author in the 2nd patch.
LS
>From fecf701a01cb96cf000f2a00d1435ee8e11848b4 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Tue, 2 Aug 2016 15:20:35 +0200 Subject: [PATCH 1/3] SDAP: sanitize member name before using in filter It caused an errors. (Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x2000): Search users with filter: (&(objectclass=user)(nameAlias=t(u)ser@ldap)) (Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x0080): Error: 5 (Input/output error) --- src/providers/ldap/sdap_async_groups.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 102c1c0384be6da8732d56b7a318ded5a5132360..f19b68b8c403734f88b51a411ba0d009977d3491 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -1501,6 +1501,7 @@ sdap_process_missing_member_2307(struct sdap_process_group_state *state, const char *filter; const char *username; const char *user_dn; + char *sanitized_name; size_t count; struct ldb_message **msgs = NULL; static const char *attrs[] = { SYSDB_NAME, NULL }; @@ -1508,8 +1509,16 @@ sdap_process_missing_member_2307(struct sdap_process_group_state *state, tmp_ctx = talloc_new(NULL); if (!tmp_ctx) return ENOMEM; + ret = sss_filter_sanitize(tmp_ctx, member_name, &sanitized_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to sanitize the given name:'%s'.\n", member_name); + goto done; + } + /* Check for the alias in the sysdb */ - filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_NAME_ALIAS, member_name); + filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_NAME_ALIAS, + sanitized_name); if (!filter) { ret = ENOMEM; goto done; -- 2.9.2
>From e1118badd8870f0afcdb2b6f59c0a5363ce5a8f1 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Thu, 4 Aug 2016 08:50:50 +0200 Subject: [PATCH 2/3] SDAP: sysdb_search_users does not set users_count for failures ==32577== Conditional jump or move depends on uninitialised value(s) ==32577== at 0x140DCE10: sdap_process_missing_member_2307 (sdap_async_groups.c:1556) ==32577== by 0x140DCE10: sdap_process_group_members_2307 (sdap_async_groups.c:1625) ==32577== by 0x140DCE10: sdap_process_group_send (sdap_async_groups.c:1298) ==32577== by 0x140DCE10: sdap_get_groups_process (sdap_async_groups.c:2130) ==32577== by 0x140CFDA8: generic_ext_search_handler.isra.3 (sdap_async.c:1688) ==32577== by 0x140D2416: sdap_get_generic_op_finished (sdap_async.c:1578) ==32577== by 0x140D0DFC: sdap_process_message (sdap_async.c:353) ==32577== by 0x140D0DFC: sdap_process_result (sdap_async.c:197) ==32577== by 0x8BF1B4E: tevent_common_loop_timer_delay (tevent_timed.c:341) ==32577== by 0x8BF2B59: epoll_event_loop_once (tevent_epoll.c:911) ==32577== by 0x8BF1256: std_event_loop_once (tevent_standard.c:114) ==32577== by 0x8BED40C: _tevent_loop_once (tevent.c:533) ==32577== by 0x8BED5AA: tevent_common_loop_wait (tevent.c:637) ==32577== by 0x8BF11F6: std_event_loop_wait (tevent_standard.c:140) ==32577== by 0x529DD02: server_loop (server.c:702) ==32577== by 0x110951: main (data_provider_be.c:587) --- src/providers/ldap/sdap_async_groups.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index f19b68b8c403734f88b51a411ba0d009977d3491..72760b75acae4cb6ce15c72f16dae8e859d89847 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -1553,7 +1553,7 @@ sdap_process_missing_member_2307(struct sdap_process_group_state *state, if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Could not add group member %s\n", username); } - } else if (ret == ENOENT || count == 0) { + } else if (ret == ENOENT) { /* The entry really does not exist, add a ghost */ DEBUG(SSSDBG_TRACE_FUNC, "Adding a ghost entry\n"); ret = sdap_add_group_member_2307(state->ghost_dns, member_name); -- 2.9.2
>From 8fddfeaf084546faea207539831076cf3addc96c Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Tue, 2 Aug 2016 15:20:19 +0200 Subject: [PATCH 3/3] SYSDB: Sanitize dn in sysdb_get_user_members_recursively There was a crash in nss responder when a group contained a user with special charactes which shoudl be sanitized before using in filter. ==31651== Conditional jump or move depends on uninitialised value(s) ==31651== at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215) ==31651== by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759) ==31651== by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375) ==31651== by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799) ==31651== by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168) ==31651== by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382) ==31651== by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916) ==31651== by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791) ==31651== by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314) ==31651== by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580) ==31651== by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96) ==31651== by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341) --- src/db/sysdb_ops.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index ed177d1730723a61e01167a75a0baca6d81252f8..342e16fb20e2c418745b137162425509ca1fd0cb 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -4722,6 +4722,7 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX *mem_ctx, struct ldb_result *res; struct ldb_dn *base_dn; char *filter; + char *sanitized_name; const char *attrs[] = SYSDB_PW_ATTRS; struct ldb_message **msgs; @@ -4737,8 +4738,17 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX *mem_ctx, goto done; } + ret = sss_filter_sanitize(tmp_ctx, ldb_dn_get_linearized(group_dn), + &sanitized_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to sanitize the given name:'%s'.\n", + ldb_dn_get_linearized(group_dn)); + goto done; + } + filter = talloc_asprintf(tmp_ctx, "(&("SYSDB_UC")("SYSDB_MEMBEROF"=%s))", - ldb_dn_get_linearized(group_dn)); + sanitized_name); if (filter == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); ret = ENOMEM; -- 2.9.2
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org