Thread: Segfault in LDAPerror() when errnum is out of bounds

Brought to you by: leonard, pviktori, stroeder

This project can now be found here.

python-ldap-dev

Segfault in LDAPerror() when errnum is out of bounds

From: Sean B. <uni...@gm...> - 2009-03-20 19:14:18

Attachments: python-ldap-2.3.1-error.patch ldap-segfault.py

Hi,

When LDAPError receives an errnum from ldap_get_option(l,
LDAP_OPT_ERROR_NUMBER, &errnum) that is out of bounds it causes a segfault.
I have attached a script that triggers it and patch that fixes it.

The test script requires an ldap URI and a BaseDN on the command line.  The
ldap server can be OpenLDAP 2.3 or 2.4 and the BaseDN should be configured
with a syncprov overlay and have syncprov-reloadhint TRUE.  eg:
/tmp/ldap-segfault.py ldap://ldap.example.com dc=example,dc=com

After patching _ldap.so we get a valid Exception:
Traceback (most recent call last):
  File "/tmp/ldap-segfault.py", line 39, in ?
    rtype, rdata, rmsgid, serverctrls = conn.result3(all=1, timeout=60)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 438, in
result3
    rtype, rdata, rmsgid, serverctrls =
self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 97, in
_ldap_call
    result = func(*args,**kwargs)
ldap.LDAPError: {'info': 'sync cookie is stale', 'desc': 'Content Sync
Refresh Required'}

-- 
Thanks,
Sean Burford

Re: Segfault in LDAPerror() when errnum is out of bounds

From: Michael S. <mi...@st...> - 2009-03-20 20:55:34

Sean,

many thanks for digging through this. Does that mean your issues with
syncrepl controls and l_ldap_result3() are fixed?

Any particular reason why you're using python-ldap 2.3.1 which is almost
two years old?

Sean Burford wrote:
> When LDAPError receives an errnum from ldap_get_option(l,
> LDAP_OPT_ERROR_NUMBER, &errnum) that is out of bounds it causes a
> segfault.  I have attached a script that triggers it and patch that
> fixes it.

So after applying your patch I get this generic LDAPError exception
below. This is definitely more robust.

ldap.LDAPError: {'info': 'sync cookie is stale', 'desc': 'Content Sync
Refresh Required'}

Anyway I'd see some benefit adding also the syncrepl error codes to let
the application catch specific exceptions. Unfortunately errobjects in
Modules/errors.c is a simple array. Bumping up LDAP_ERROR_MAX to
LDAP_SYNC_REFRESH_REQUIRED would be pretty naively waste a lot of space.

Ciao, Michael.

Re: Segfault in LDAPerror() when errnum is out of bounds

From: Sean B. <uni...@gm...> - 2009-03-20 21:00:51

Hi,

2009/3/20 Michael Ströder <mi...@st...>

> many thanks for digging through this. Does that mean your issues with
> syncrepl controls and l_ldap_result3() are fixed?

Yeah.  There are still mysteries, but RefreshOnly works well enough for now.

I'm wondering why controls are stripped from search results (it would be
nice to get the control that says whether a syncrepl result is an add/modify
or delete for example).  Is this just a side effect of optimisation of the
usual code path?

Any particular reason why you're using python-ldap 2.3.1 which is almost
> two years old?

It came with my distro.

> Sean Burford wrote:
> > When LDAPError receives an errnum from ldap_get_option(l,
> > LDAP_OPT_ERROR_NUMBER, &errnum) that is out of bounds it causes a
> > segfault.  I have attached a script that triggers it and patch that
> > fixes it.
>
> So after applying your patch I get this generic LDAPError exception
> below. This is definitely more robust.

Glad to help.

-- 
Thanks,
Sean Burford

Re: Segfault in LDAPerror() when errnum is out of bounds

From: Michael S. <mi...@st...> - 2009-03-20 21:25:17

Sean Burford wrote:
> 
> 2009/3/20 Michael Ströder <mi...@st...
> <mailto:mi...@st...>>
> 
>     many thanks for digging through this. Does that mean your issues with
>     syncrepl controls and l_ldap_result3() are fixed?
> 
> Yeah.  There are still mysteries, but RefreshOnly works well enough for now.
> 
> I'm wondering why controls are stripped from search results (it would be
> nice to get the control that says whether a syncrepl result is an
> add/modify or delete for example).  Is this just a side effect of
> optimisation of the usual code path?

I did not write that code. It' still mystery to me especially since I
don't like programming C. Maybe David could enlighten us. When support
for LDAPv3 controls was added I already had some doubts...

>     Any particular reason why you're using python-ldap 2.3.1 which is almost
>     two years old?
> 
> 
> It came with my distro.

Please upgrade, especially when providing patches. There have been
numerous fixes since then:

http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/CHANGES?revision=1.183&view=markup

Your patch and a couple of other minor changes are now in CVS HEAD.
There should be no compability issues between 2.3.1 and a recent
python-ldap release.

Ciao, Michael.

Re: Segfault in LDAPerror() when errnum is out of bounds

From: Sean B. <uni...@gm...> - 2009-03-27 02:32:19

2009/3/20 Michael Ströder <mi...@st...>

> Your patch and a couple of other minor changes are now in CVS HEAD.


errors.c still looks the same, has the patch been submitted?
http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Modules/errors.c?view=markup

-- 
Thanks,
Sean Burford

Re: Segfault in LDAPerror() when errnum is out of bounds

From: Michael S. <mi...@st...> - 2009-03-27 09:42:31

Sean Burford wrote:
> 2009/3/20 Michael Ströder <mi...@st...
> <mailto:mi...@st...>>
> 
>     Your patch and a couple of other minor changes are now in CVS HEAD.
> 
> errors.c still looks the same, has the patch been submitted?

Oops. Yes, forgot to committ it. Done now.

http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Modules/errors.c?r1=1.19&r2=1.20

Ciao, Michael.