rpms/389-ds-base
1
0
Fork 0
mirror of https://git.centos.org/rpms/389-ds-base.git synced 2025-02-24 00:32:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

import 389-ds-base-1.3.7.5-28.el7_5

Browse source
This commit is contained in:
CentOS Sources 2018-09-25 13:32:53 -04:00
parent 967e4beaa5
commit 92192e30ac
7 changed files with 667 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
SOURCES/0093-Ticket-49893-disable-nunc-stans-by-default.patch Normal file
View file

@ -0,0 +1,32 @@
From 911038990df1357f452b0e38309261faf1de898f Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 8 Aug 2018 17:19:27 -0400
Subject: [PATCH] Ticket 49893 - disable nunc-stans by default
Description: Until nunc-stans is stablized we need to disable it
https://pagure.io/389-ds-base/issue/49893
Reviewed by: ?
(cherry picked from commit 2f2d3b1d7e7d847de1bb9ddf2f63e71dbc90f710)
---
ldap/servers/slapd/libglobs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 3bd5c1826..f8741028d 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1681,7 +1681,7 @@ FrontendConfig_init(void)
cfg->maxbersize = SLAPD_DEFAULT_MAXBERSIZE;
cfg->logging_backend = slapi_ch_strdup(SLAPD_INIT_LOGGING_BACKEND_INTERNAL);
cfg->rootdn = slapi_ch_strdup(SLAPD_DEFAULT_DIRECTORY_MANAGER);
- init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_ON;
+ init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_OFF;
#if defined(LINUX)
init_malloc_mxfast = cfg->malloc_mxfast = DEFAULT_MALLOC_UNSET;
init_malloc_trim_threshold = cfg->malloc_trim_threshold = DEFAULT_MALLOC_UNSET;
--
2.17.1

137
SOURCES/0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch Normal file
View file

@ -0,0 +1,137 @@
From 1013a1bfe0882d213f48e900ab89e00651188489 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 9 Aug 2018 15:27:59 -0400
Subject: [PATCH] Ticket 49890 : ldapsearch with server side sort crashes the
ldap server
Bug Description:
Server side sort with a specified matching rule trigger a crash
Fix Description:
Check if the we are able to index the provided value.
If we are not then slapd_qsort returns an error (LDAP_OPERATION_ERROR)
https://pagure.io/389-ds-base/issue/49890
Reviewed by: mreynolds
Platforms tested: F27
Flag Day: no
Doc impact: no
(cherry picked from commit c989e18f7a3da060b16d39919b920b6b2a19a0ac)
---
dirsrvtests/tests/suites/syntax/mr_test.py | 59 ++++++++++++++++++++++
ldap/servers/slapd/back-ldbm/sort.c | 14 +++++
2 files changed, 73 insertions(+)
create mode 100644 dirsrvtests/tests/suites/syntax/mr_test.py
diff --git a/dirsrvtests/tests/suites/syntax/mr_test.py b/dirsrvtests/tests/suites/syntax/mr_test.py
new file mode 100644
index 000000000..57061222a
--- /dev/null
+++ b/dirsrvtests/tests/suites/syntax/mr_test.py
@@ -0,0 +1,59 @@
+import logging
+import pytest
+import os
+import ldap
+from lib389.dbgen import dbgen
+from lib389._constants import *
+from lib389.topologies import topology_st as topo
+from lib389._controls import SSSRequestControl
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+
+def test_sss_mr(topo):
+ """Test matching rule/server side sort does not crash DS
+
+ :id: 48c73d76-1694-420f-ab55-187135f2d260
+ :setup: Standalone Instance
+ :steps:
+ 1. Add sample entries to the database
+ 2. Perform search using server side control (uid:2.5.13.3)
+ :expectedresults:
+ 1. Success
+ 2. Success
+ """
+
+ log.info("Creating LDIF...")
+ ldif_dir = topo.standalone.get_ldif_dir()
+ ldif_file = os.path.join(ldif_dir, 'mr-crash.ldif')
+ dbgen(topo.standalone, 5, ldif_file, DEFAULT_SUFFIX)
+
+ log.info("Importing LDIF...")
+ topo.standalone.stop()
+ assert topo.standalone.ldif2db(DEFAULT_BENAME, None, None, None, ldif_file)
+ topo.standalone.start()
+
+ log.info('Search using server side sorting using undefined mr in the attr...')
+ sort_ctrl = SSSRequestControl(True, ['uid:2.5.13.3'])
+ controls = [sort_ctrl]
+ msg_id = topo.standalone.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
+ "objectclass=*", serverctrls=controls)
+ try:
+ rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(msg_id)
+ except ldap.OPERATIONS_ERROR:
+ pass
+
+ log.info("Test PASSED")
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main(["-s", CURRENT_FILE])
+
diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c
index 5b84d87f3..70ac60803 100644
--- a/ldap/servers/slapd/back-ldbm/sort.c
+++ b/ldap/servers/slapd/back-ldbm/sort.c
@@ -546,6 +546,16 @@ compare_entries_sv(ID *id_a, ID *id_b, sort_spec *s, baggage_carrier *bc, int *e
/* Now copy it, so the second call doesn't crap on it */
value_a = slapi_ch_bvecdup(temp_value); /* Really, we'd prefer to not call the chXXX variant...*/
matchrule_values_to_keys(this_one->mr_pb, actual_value_b, &value_b);
+
+ if ((actual_value_a && !value_a) ||
+ (actual_value_b && !value_b)) {
+ ber_bvecfree(actual_value_a);
+ ber_bvecfree(actual_value_b);
+ CACHE_RETURN(&inst->inst_cache, &a);
+ CACHE_RETURN(&inst->inst_cache, &b);
+ *error = 1;
+ return 0;
+ }
if (actual_value_a)
ber_bvecfree(actual_value_a);
if (actual_value_b)
@@ -717,6 +727,8 @@ recurse:
A[i] >= A[lo] for higuy <= i <= hi */
do {
+ if (error)
+ return LDAP_OPERATIONS_ERROR;
loguy++;
} while (loguy <= hi && compare_entries_sv(loguy, lo, s, bc, &error) <= 0);
@@ -724,6 +736,8 @@ recurse:
either loguy > hi or A[loguy] > A[lo] */
do {
+ if (error)
+ return LDAP_OPERATIONS_ERROR;
higuy--;
} while (higuy > lo && compare_entries_sv(higuy, lo, s, bc, &error) >= 0);
--
2.17.1

287
SOURCES/0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch Normal file
View file

@ -0,0 +1,287 @@
From d1c87a502dc969198aa0e6a210e1303ae71bdeae Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Thu, 7 Jun 2018 18:35:34 +0200
Subject: [PATCH] Ticket 49742 - Fine grained password policy can impact search
performance
Bug Description:
new_passwdPolicy is called with an entry DN.
In case of fine grain password policy we need to retrieve
the possible password policy (pwdpolicysubentry) that applies to
that entry.
It triggers an internal search to retrieve the entry.
In case of a search operation (add_shadow_ext_password_attrs), the
entry is already in the pblock. So it is useless to do an additional
internal search for it.
Fix Description:
in case of fine grain password policy and a SRCH operation,
if the entry DN matches the entry stored in the pblock (SLAPI_SEARCH_RESULT_ENTRY)
then use that entry instead of doing an internal search
https://pagure.io/389-ds-base/issue/49742
Reviewed by: Mark Reynolds
Platforms tested: F26
Flag Day: no
Doc impact: no
---
dirsrvtests/tests/tickets/ticket48228_test.py | 18 +++----
dirsrvtests/tests/tickets/ticket548_test.py | 18 ++++---
ldap/servers/slapd/pw.c | 48 +++++++++++++++++--
3 files changed, 66 insertions(+), 18 deletions(-)
diff --git a/dirsrvtests/tests/tickets/ticket48228_test.py b/dirsrvtests/tests/tickets/ticket48228_test.py
index 4f4494e0b..1ab741b94 100644
--- a/dirsrvtests/tests/tickets/ticket48228_test.py
+++ b/dirsrvtests/tests/tickets/ticket48228_test.py
@@ -7,6 +7,7 @@
# --- END COPYRIGHT BLOCK ---
#
import logging
+import time
import pytest
from lib389.tasks import *
@@ -33,14 +34,14 @@ def set_global_pwpolicy(topology_st, inhistory):
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
# Enable password policy
try:
- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')])
+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', b'on')])
except ldap.LDAPError as e:
log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
assert False
log.info(" Set global password history on\n")
try:
- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', 'on')])
+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', b'on')])
except ldap.LDAPError as e:
log.error('Failed to set passwordHistory: error ' + e.message['desc'])
assert False
@@ -48,7 +49,7 @@ def set_global_pwpolicy(topology_st, inhistory):
log.info(" Set global passwords in history\n")
try:
count = "%d" % inhistory
- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count)])
+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count.encode())])
except ldap.LDAPError as e:
log.error('Failed to set passwordInHistory: error ' + e.message['desc'])
assert False
@@ -113,9 +114,9 @@ def check_passwd_inhistory(topology_st, user, cpw, passwd):
topology_st.standalone.simple_bind_s(user, cpw)
time.sleep(1)
try:
- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd)])
+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd.encode())])
except ldap.LDAPError as e:
- log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error ' + e.message['desc'])
+ log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error {0}'.format(e))
inhistory = 1
time.sleep(1)
return inhistory
@@ -130,7 +131,7 @@ def update_passwd(topology_st, user, passwd, times):
# Now update the value for this iter.
cpw = 'password%d' % i
try:
- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw)])
+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw.encode())])
except ldap.LDAPError as e:
log.fatal(
'test_ticket48228: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message[
@@ -146,7 +147,6 @@ def test_ticket48228_test_global_policy(topology_st):
"""
Check global password policy
"""
-
log.info(' Set inhistory = 6')
set_global_pwpolicy(topology_st, 6)
@@ -201,7 +201,7 @@ def test_ticket48228_test_global_policy(topology_st):
log.info("Global policy was successfully verified.")
-def test_ticket48228_test_subtree_policy(topology_st):
+def text_ticket48228_text_subtree_policy(topology_st):
"""
Check subtree level password policy
"""
@@ -233,7 +233,7 @@ def test_ticket48228_test_subtree_policy(topology_st):
log.info(' Set inhistory = 4')
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
try:
- topology_st.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', '4')])
+ topology_st.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', b'4')])
except ldap.LDAPError as e:
log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
assert False
diff --git a/dirsrvtests/tests/tickets/ticket548_test.py b/dirsrvtests/tests/tickets/ticket548_test.py
index d354cc802..0d71ab6ca 100644
--- a/dirsrvtests/tests/tickets/ticket548_test.py
+++ b/dirsrvtests/tests/tickets/ticket548_test.py
@@ -42,7 +42,7 @@ def set_global_pwpolicy(topology_st, min_=1, max_=10, warn=3):
log.info(" +++++ Enable global password policy +++++\n")
# Enable password policy
try:
- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')])
+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', b'on')])
except ldap.LDAPError as e:
log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
assert False
@@ -54,28 +54,28 @@ def set_global_pwpolicy(topology_st, min_=1, max_=10, warn=3):
log.info(" Set global password Min Age -- %s day\n" % min_)
try:
- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMinAge', '%s' % min_secs)])
+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMinAge', ('%s' % min_secs).encode())])
except ldap.LDAPError as e:
log.error('Failed to set passwordMinAge: error ' + e.message['desc'])
assert False
log.info(" Set global password Expiration -- on\n")
try:
- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordExp', 'on')])
+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordExp', b'on')])
except ldap.LDAPError as e:
log.error('Failed to set passwordExp: error ' + e.message['desc'])
assert False
log.info(" Set global password Max Age -- %s days\n" % max_)
try:
- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMaxAge', '%s' % max_secs)])
+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMaxAge', ('%s' % max_secs).encode())])
except ldap.LDAPError as e:
log.error('Failed to set passwordMaxAge: error ' + e.message['desc'])
assert False
log.info(" Set global password Warning -- %s days\n" % warn)
try:
- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordWarning', '%s' % warn_secs)])
+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordWarning', ('%s' % warn_secs).encode())])
except ldap.LDAPError as e:
log.error('Failed to set passwordWarning: error ' + e.message['desc'])
assert False
@@ -93,6 +93,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6):
try:
topology_st.standalone.add_s(Entry((SUBTREE_CONTAINER, {'objectclass': 'top nsContainer'.split(),
'cn': 'nsPwPolicyContainer'})))
+ except ldap.ALREADY_EXISTS:
+ pass
except ldap.LDAPError as e:
log.error('Failed to add subtree container: error ' + e.message['desc'])
# assert False
@@ -128,6 +130,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6):
'cosPriority': '1',
'cn': SUBTREE_COS_TMPLDN,
'pwdpolicysubentry': SUBTREE_PWP})))
+ except ldap.ALREADY_EXISTS:
+ pass
except ldap.LDAPError as e:
log.error('Failed to add COS template: error ' + e.message['desc'])
# assert False
@@ -139,6 +143,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6):
'cn': SUBTREE_PWPDN,
'costemplatedn': SUBTREE_COS_TMPL,
'cosAttribute': 'pwdpolicysubentry default operational-default'})))
+ except ldap.ALREADY_EXISTS:
+ pass
except ldap.LDAPError as e:
log.error('Failed to add COS def: error ' + e.message['desc'])
# assert False
@@ -150,7 +156,7 @@ def update_passwd(topology_st, user, passwd, newpasswd):
log.info(" Bind as {%s,%s}" % (user, passwd))
topology_st.standalone.simple_bind_s(user, passwd)
try:
- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', newpasswd)])
+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', newpasswd.encode())])
except ldap.LDAPError as e:
log.fatal('test_ticket548: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message[
'desc'])
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 451be364d..10b8e7254 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1625,6 +1625,10 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
int attr_free_flags = 0;
int rc = 0;
int optype = -1;
+ int free_e = 1; /* reset if e is taken from pb */
+ if (pb) {
+ slapi_pblock_get(pb, SLAPI_OPERATION_TYPE, &optype);
+ }
/* If we already allocated a pw policy, return it */
if (pb != NULL) {
@@ -1688,7 +1692,43 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
/* If we're not doing an add, we look for the pwdpolicysubentry
attribute in the target entry itself. */
} else {
- if ((e = get_entry(pb, dn)) != NULL) {
+ if (optype == SLAPI_OPERATION_SEARCH) {
+ Slapi_Entry *pb_e;
+
+ /* During a search the entry should be in the pblock
+ * For safety check entry DN is identical to 'dn'
+ */
+ slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &pb_e);
+ if (pb_e) {
+ Slapi_DN * sdn;
+ const char *ndn;
+ char *pb_ndn;
+
+ pb_ndn = slapi_entry_get_ndn(pb_e);
+
+ sdn = slapi_sdn_new_dn_byval(dn);
+ ndn = slapi_sdn_get_ndn(sdn);
+
+ if (strcasecmp(pb_ndn, ndn) == 0) {
+ /* We are using the candidate entry that is already loaded in the pblock
+ * Do not trigger an additional internal search
+ * Also we will not need to free the entry that will remain in the pblock
+ */
+ e = pb_e;
+ free_e = 0;
+ } else {
+ e = get_entry(pb, dn);
+ }
+ slapi_sdn_free(&sdn);
+ } else {
+ e = get_entry(pb, dn);
+ }
+ } else {
+ /* For others operations but SEARCH */
+ e = get_entry(pb, dn);
+ }
+
+ if (e) {
Slapi_Attr *attr = NULL;
rc = slapi_entry_attr_find(e, "pwdpolicysubentry", &attr);
if (attr && (0 == rc)) {
@@ -1718,7 +1758,9 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
}
}
slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
- slapi_entry_free(e);
+ if (free_e) {
+ slapi_entry_free(e);
+ }
if (pw_entry == NULL) {
slapi_log_err(SLAPI_LOG_ERR, "new_passwdPolicy",
@@ -1916,7 +1958,7 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
slapi_pblock_set_pwdpolicy(pb, pwdpolicy);
}
return pwdpolicy;
- } else if (e) {
+ } else if (free_e) {
slapi_entry_free(e);
}
}
--
2.17.1

85
SOURCES/0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch Normal file
View file

@ -0,0 +1,85 @@
From 9d2aa18fb5c48a11300d2309df89213bbdb614e1 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 23 Aug 2018 13:43:36 -0400
Subject: [PATCH 1/2] Bug 1623247 - Crash in vslapd_log_emergency_error
Description: We were not locking the error log fd before closing and reopening
the log file. This could cause a crash when multiple threads are
trying to log tothe errors log.
---
ldap/servers/slapd/log.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
index 998efaef3..90ce6ac0a 100644
--- a/ldap/servers/slapd/log.c
+++ b/ldap/servers/slapd/log.c
@@ -2231,11 +2231,11 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
if (logging_hr_timestamps_enabled == 1) {
struct timespec tsnow;
if (clock_gettime(CLOCK_REALTIME, &tsnow) != 0) {
- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s", msg);
+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s\n", msg);
return;
}
if (format_localTime_hr_log(tsnow.tv_sec, tsnow.tv_nsec, sizeof(tbuf), tbuf, &size) != 0) {
- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg);
+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg);
return;
}
} else {
@@ -2243,14 +2243,14 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
time_t tnl;
tnl = slapi_current_utc_time();
if (format_localTime_log(tnl, sizeof(tbuf), tbuf, &size) != 0) {
- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg);
+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg);
return;
}
#ifdef HAVE_CLOCK_GETTIME
}
#endif
- PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s", tbuf, msg);
+ PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s\n", tbuf, msg);
size = strlen(buffer);
if (!locked) {
@@ -2531,7 +2531,7 @@ vslapd_log_access(char *fmt, va_list ap)
if (SLAPI_LOG_BUFSIZ - blen < vlen) {
/* We won't be able to fit the message in! Uh-oh! */
- /* Should we actually just do the snprintf, and warn that message was trunced? */
+ /* Should we actually just do the snprintf, and warn that message was truncated? */
log__error_emergency("Insufficent buffer capacity to fit timestamp and message!", 1, 0);
return -1;
}
@@ -4447,6 +4447,13 @@ log__error_emergency(const char *errstr, int reopen, int locked)
if (!reopen) {
return;
}
+ if (!locked) {
+ /*
+ * Take the lock because we are closing and reopening the error log (fd),
+ * and we don't want any other threads trying to use this fd
+ */
+ LOG_ERROR_LOCK_WRITE();
+ }
if (NULL != loginfo.log_error_fdes) {
LOG_CLOSE(loginfo.log_error_fdes);
}
@@ -4455,7 +4462,10 @@ log__error_emergency(const char *errstr, int reopen, int locked)
PRErrorCode prerr = PR_GetError();
syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr));
} else {
- vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked);
+ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, 1 /* locked */);
+ }
+ if (!locked) {
+ LOG_ERROR_UNLOCK_WRITE();
}
return;
}
--
2.17.1

65
SOURCES/0097-Ticket-49768-Under-network-intensive-load-persistent.patch Normal file
View file

@ -0,0 +1,65 @@
From 2136ba8dd18e72bfbe037517c10187bfe695628f Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Thu, 24 May 2018 15:36:34 +0200
Subject: [PATCH] Ticket 49768 - Under network intensive load persistent search
can erronously decrease connection refcnt
Bug Description:
If a connection enters in turbo mode (because of high traffic) or
a worker reads several requests in the read buffer (more_data), the thread
keeps processing connection.
In that condition it should not decrease the refcnt.
In case the operation is a persistent search, it decreases systematically
the refcnt.
So refcnt can become lower than the actual number of threads active on the connection.
Most of the time it can create messages like
Attempt to release connection that is not acquired
In some rare case, if the a connection is out of the active list but a remaining thread
tries to remove it again it can lead to a crash
Fix Description:
The fix consist, when processing a PS, to decrease the refcnt at the condition
the connection is not in turbo mode or in more_data.
https://pagure.io/389-ds-base/issue/49768
Reviewed by: Mark Reynolds
Platforms tested: F26
Flag Day: no
Doc impact: no
---
ldap/servers/slapd/connection.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index c54e7c26c..1dbb49f06 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -1811,9 +1811,17 @@ connection_threadmain()
slapi_counter_increment(ops_completed);
/* If this op isn't a persistent search, remove it */
if (op->o_flags & OP_FLAG_PS) {
- PR_EnterMonitor(conn->c_mutex);
- connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */
- PR_ExitMonitor(conn->c_mutex);
+ /* Release the connection (i.e. decrease refcnt) at the condition
+ * this thread will not loop on it.
+ * If we are in turbo mode (dedicated to that connection) or
+ * more_data (continue reading buffered req) this thread
+ * continues to hold the connection
+ */
+ if (!thread_turbo_flag && !more_data) {
+ PR_EnterMonitor(conn->c_mutex);
+ connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */
+ PR_ExitMonitor(conn->c_mutex);
+ }
/* ps_add makes a shallow copy of the pb - so we
* can't free it or init it here - just set operation to NULL.
* ps_send_results will call connection_remove_operation_ext to free it
--
2.17.1

39
SOURCES/0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch Normal file
View file

@ -0,0 +1,39 @@
From 1bb5fd7fac9c5b93d3dfb8b8a2a648e238a158bc Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 30 Aug 2018 14:28:10 -0400
Subject: [PATCH] Ticket 49932 - Crash in delete_passwdPolicy when persistent
search connections are terminated unexpectedly
Bug Description: We clone a pblock in a psearch search, and under certain
error conditions this pblock is freed, but it frees the
password policy struct which can lead to a double free
when the original pblock is destroyed.
Fix Description: During the cloning, set the pwppolicy struct to NULL
so the clone allocates its own policy if needed
https://pagure.io/389-ds-base/issue/49932
Reviewed by: ?
(cherry picked from commit 78fc627accacfa4061ce48977e22301f81ea8d73)
---
ldap/servers/slapd/pblock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 4514c3ce6..bc18a7b18 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -322,6 +322,8 @@ slapi_pblock_clone(Slapi_PBlock *pb)
if (pb->pb_intop != NULL) {
_pblock_assert_pb_intop(new_pb);
*(new_pb->pb_intop) = *(pb->pb_intop);
+ /* set pwdpolicy to NULL so this clone allocates its own policy */
+ new_pb->pb_intop->pwdpolicy = NULL;
}
if (pb->pb_intplugin != NULL) {
_pblock_assert_pb_intplugin(new_pb);
--
2.17.1

23
SPECS/389-ds-base.spec
View file

@ -39,7 +39,7 @@
Summary: 389 Directory Server (%{variant})
Name: 389-ds-base
Version: 1.3.7.5
Release: %{?relprefix}25%{?prerel}%{?dist}
Release: %{?relprefix}28%{?prerel}%{?dist}
License: GPLv3+
URL: https://www.port389.org/
Group: System Environment/Daemons
@ -239,6 +239,12 @@ Patch89: 0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch
Patch90: 0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch
Patch91: 0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch
Patch92: 0092-Ticket-49765-compiler-warning.patch
Patch93: 0093-Ticket-49893-disable-nunc-stans-by-default.patch
Patch94: 0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
Patch95: 0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch
Patch96: 0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch
Patch97: 0097-Ticket-49768-Under-network-intensive-load-persistent.patch
Patch98: 0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@ -593,6 +599,21 @@ fi
%{_sysconfdir}/%{pkgname}/dirsrvtests
%changelog
* Thu Sep 13 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-28
- Bump version to 1.3.7.5-28
- Resolves: Bug 1628676 - 389-ds-base: race condition on reference counter leads to DoS using persistent search
- Resolves: Bug 1628677 - Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly
* Wed Aug 29 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-27
- Bump version to 1.3.7.5-27
- Resolves: Bug 1623247 - Crash in vslapd_log_emergency_error
* Tue Aug 14 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-26
- Bump version to 1.3.7.5-26
- Resolves: Bug 1615924 - Fine grained password policy can impact search performance
- Resolves: Bug 1614836 - Disable nunc-stans by default
- Resolves: Bug 1614861 - ldapsearch with server side sort crashes the ldap server
* Tue Jul 3 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-25
- Bump version to 1.3.7.5-25
- Resolves: Bug 1597530 - Async operations can hang when the server is running nunc-stans