OpenLDAP Lets Remote Authenticated Users Crash the slapd Daemon With Specially Crafted Modify Operations

SecurityTracker Alert ID: 1019480
SecurityTracker URL: http://securitytracker.com/id?1019480
CVE Reference: CVE-2007-6698
Date: Feb 22 2008
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.3.35 and prior versions

Description: A vulnerability was reported in OpenLDAP. A remote authenticated user can cause denial of service conditions.

A remote authenticated user can send a specially crafted modify operation with the NOOP control set to critical to cause the target slapd service to crash.

Jonathan Clarke reported this vulnerability.

[Editor's note: This vulnerability was originally reported in April 2007.]

Impact: A remote authenticated user can cause denial of service conditions on the target system.
Solution: The vendor has issued a fixed version (2.3.36).
Vendor URL: www.openldap.org/
Cause: State error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: jclarke@linagora.com

Message History: This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Wed, 11 Apr 2007 15:28:28 GMT
From: jclarke@linagora.com
Subject: (ITS#4925) Modify operation with NOOP control on a BDB backend causes slapd to crash
|
Full_Name: Jonathan Clarke
Version: 2.3.35
OS: Linux (ubuntu)
URL:
Submission from: (NULL) (213.41.243.192)

When trying a modify operation (such as changing or adding a value of an
attribute) with the NOOP control (set to critical) on an entry stored in a BDB
backend, slapd crashes, with the following error:

*** glibc detected *** ./servers/slapd/slapd: munmap_chunk(): invalid pointer: 0x0821e235 ***
======= Backtrace: =========
[...]
======= Memory map: ========
[...]
Abandon (core dumped)

This only happens for operations that should succeed (i.e., should return the NOOP
error code LDAP_X_NO_OPERATION). Operations which fail for other reasons
(refused by ACLs, schema error, etc.) do not make slapd crash.

I have tested this on versions 2.3.32, 2.3.34, 2.3.35 and HEAD (as of today).
The crash only happens with the BDB backend (I tested slapd with an ldap backend
which only made the remote slapd with a BDB backend crash, not the one with the
ldap backend).

After some investigation, I found that this crash results from a call to
attrs_free() in servers/slapd/back-bdb/modify.c, after the "return_results"
label. This seems to be a double free() problem.

The following patch solved the problem for me on versions 2.3.32, 2.3.34, 2.3.35
and HEAD (as of today). With this patch, NOOP behaves as expected. The patch
simply adds 2 lines copied from the error handling "if" higher up in the same
function (bdb_modify).

---------------------BEGIN PATCH---------------------
--- modify.c.~1.124.2.16.~ 2007-01-02 22:44:00.000000000 +0100
+++ modify.c 2007-04-11 14:44:56.000000000 +0200
@@ -538,6 +538,8 @@
} else {
rs->sr_err = LDAP_X_NO_OPERATION;
ltid = NULL;
+ /* Only free attrs if they were dup'd. */
+ if ( dummy.e_attrs == e->e_attrs ) dummy.e_attrs =
NULL;
goto return_results;
}
} else {
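Review bot: the reset of dummy.e_attrs before `goto return_results` in the NOOP branch is a second copy of the one in the error-handling "if" higher up in bdb_modify, so every later path that jumps to return_results has to remember to repeat it. Doing the `dummy.e_attrs == e->e_attrs` comparison once at the return_results label, immediately before attrs_free(), would cover all exits with a single check. The comment would also be clearer if it said why the pointer is cleared (the list was not dup'd and still points at e->e_attrs) rather than "Only free attrs", since the line itself frees nothing. As posted, the added statement is wrapped so that `NULL;` sits on its own line without a `+` prefix, and the hunk will not apply until that line is rejoined.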
----------------------END PATCH----------------------
(sorry not to put this patch on an FTP site, but ftp.openldap.org complains with
452 Error writing file: No space left on device.)
I, Jonathan Clarke, hereby place the preceding modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
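
Added example, not part of the original report and not OpenLDAP source: a simplified C model of the ownership problem described above, where a shallow-copied dummy entry may or may not own its attribute list by the time cleanup runs at return_results. The Attr/Entry types, modify() and the MOD_* codes are hypothetical stand-ins, and the check is placed once at the label so that the NOOP, error and commit paths are all covered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not OpenLDAP source: types and helpers are hypothetical. */
typedef struct Attr { char *val; struct Attr *next; } Attr;
typedef struct Entry { Attr *e_attrs; } Entry;
enum { MOD_OK = 0, MOD_NOOP = 1 };  /* MOD_NOOP stands in for LDAP_X_NO_OPERATION */

static int frees;                   /* attribute nodes released so far */

static Attr *attr_new(const char *v, Attr *next) {
    Attr *a = malloc(sizeof *a);
    if (!a || !(a->val = malloc(strlen(v) + 1))) abort();
    strcpy(a->val, v);
    a->next = next;
    return a;
}
static Attr *attrs_dup(const Attr *a) {          /* deep copy of a list */
    return a ? attr_new(a->val, attrs_dup(a->next)) : NULL;
}
static void attrs_free(Attr *a) {
    while (a) { Attr *n = a->next; free(a->val); free(a); frees++; a = n; }
}
static int attrs_len(const Attr *a) { int n = 0; for (; a; a = a->next) n++; return n; }

/* add_val == NULL models a request that never dups the list, so dummy
 * keeps aliasing e->e_attrs all the way to return_results. */
static int modify(Entry *e, const char *add_val, int noop) {
    Entry dummy = *e;                            /* shallow copy: shared list */
    int rc = MOD_OK;
    if (add_val)                                 /* edit a private copy */
        dummy.e_attrs = attr_new(add_val, attrs_dup(e->e_attrs));
    if (noop) { rc = MOD_NOOP; goto return_results; }
    if (dummy.e_attrs != e->e_attrs) {           /* commit: entry takes new list */
        attrs_free(e->e_attrs);
        e->e_attrs = dummy.e_attrs;
    }
return_results:
    /* One ownership check for every exit path: free only a dup'd list. */
    if (dummy.e_attrs == e->e_attrs) dummy.e_attrs = NULL;
    attrs_free(dummy.e_attrs);
    return rc;
}

int main(void) {
    Entry e = { attr_new("a", attr_new("b", NULL)) };  /* constructed sample */
    int rc = modify(&e, NULL, 1);
    printf("rc=%d len=%d frees=%d\n", rc, attrs_len(e.e_attrs), frees);
    return 0;
}
```

Without the comparison at return_results, the first call in main() would release the list that the entry still references, and the next access or free of e.e_attrs would hit freed memory.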