[sssd/f20] sssd_be crashes in nested LDAP code in case of ldap error
Lukas Slebodnik
lslebodn at fedoraproject.org
Thu Jan 29 17:43:28 UTC 2015
commit 0886869882c2dc067161d03b4f0b05bf67a66b17
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date: Thu Jan 29 18:28:18 2015 +0100
sssd_be crashes in nested LDAP code in case of ldap error
- Resolves: rhbz#1126557
0003-Signals-Remove-unused-functions.patch | 103 +++++++++++++++++++++++++
0004-SDAP-return-after-tevent_req_error.patch | 30 +++++++
0005-sudo-return-after-tevent_req_error.patch | 27 +++++++
sssd.spec | 9 ++-
4 files changed, 168 insertions(+), 1 deletions(-)
---
diff --git a/0003-Signals-Remove-unused-functions.patch b/0003-Signals-Remove-unused-functions.patch
new file mode 100644
index 0000000..a7b69a8
--- /dev/null
+++ b/0003-Signals-Remove-unused-functions.patch
@@ -0,0 +1,103 @@
+From fea2d8c6aef70f1ba6f7528c261606eac4fcea1c Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo at redhat.com>
+Date: Sat, 9 Nov 2013 15:44:45 -0500
+Subject: [PATCH 3/5] Signals: Remove unused functions
+
+Cleanup unused signal functions
+
+(cherry picked from commit d054a96e102b53a3aab6602f531a0e8d254080ab)
+
+Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
+---
+ src/util/signal.c | 57 -------------------------------------------------------
+ src/util/util.h | 2 --
+ 2 files changed, 59 deletions(-)
+
+diff --git a/src/util/signal.c b/src/util/signal.c
+index 053457b384a2a0c6a4cdc398fcfc602d63da13c7..bb8f8bef7681c0140671a3076a950a773f991b66 100644
+--- a/src/util/signal.c
++++ b/src/util/signal.c
+@@ -28,45 +28,6 @@
+ * @brief Signal handling
+ */
+
+-/****************************************************************************
+- Catch child exits and reap the child zombie status.
+-****************************************************************************/
+-
+-static void sig_cld(int signum)
+-{
+- while (waitpid((pid_t)-1,(int *)NULL, WNOHANG) > 0)
+- ;
+-
+- /*
+- * Turns out it's *really* important not to
+- * restore the signal handler here if we have real POSIX
+- * signal handling. If we do, then we get the signal re-delivered
+- * immediately - hey presto - instant loop ! JRA.
+- */
+-
+-#if !defined(HAVE_SIGACTION)
+- CatchSignal(SIGCLD, sig_cld);
+-#endif
+-}
+-
+-/****************************************************************************
+-catch child exits - leave status;
+-****************************************************************************/
+-
+-static void sig_cld_leave_status(int signum)
+-{
+- /*
+- * Turns out it's *really* important not to
+- * restore the signal handler here if we have real POSIX
+- * signal handling. If we do, then we get the signal re-delivered
+- * immediately - hey presto - instant loop ! JRA.
+- */
+-
+-#if !defined(HAVE_SIGACTION)
+- CatchSignal(SIGCLD, sig_cld_leave_status);
+-#endif
+-}
+-
+ /**
+ Block sigs.
+ **/
+@@ -126,21 +87,3 @@ void (*CatchSignal(int signum,void (*handler)(int )))(int)
+ return signal(signum, handler);
+ #endif
+ }
+-
+-/**
+- Ignore SIGCLD via whatever means is necessary for this OS.
+-**/
+-
+-void CatchChild(void)
+-{
+- CatchSignal(SIGCLD, sig_cld);
+-}
+-
+-/**
+- Catch SIGCLD but leave the child around so it's status can be reaped.
+-**/
+-
+-void CatchChildLeaveStatus(void)
+-{
+- CatchSignal(SIGCLD, sig_cld_leave_status);
+-}
+diff --git a/src/util/util.h b/src/util/util.h
+index 7a668465e9226652fdc2a3ee71fd2ed2d1a989b3..b0a7692b5c84f58061e0df334c5f7c6de6324ced 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -227,8 +227,6 @@ void sig_term(int sig);
+ #include <signal.h>
+ void BlockSignals(bool block, int signum);
+ void (*CatchSignal(int signum,void (*handler)(int )))(int);
+-void CatchChild(void);
+-void CatchChildLeaveStatus(void);
+
+ /* from memory.c */
+ typedef int (void_destructor_fn_t)(void *);
+--
+2.1.0
+
diff --git a/0004-SDAP-return-after-tevent_req_error.patch b/0004-SDAP-return-after-tevent_req_error.patch
new file mode 100644
index 0000000..6b674a6
--- /dev/null
+++ b/0004-SDAP-return-after-tevent_req_error.patch
@@ -0,0 +1,30 @@
+From ceed6381189cc102dc0d1b253369344839312ec0 Mon Sep 17 00:00:00 2001
+From: Pavel Reichl <preichl at redhat.com>
+Date: Thu, 26 Jun 2014 16:42:53 +0100
+Subject: [PATCH 4/5] SDAP: return after tevent_req_error
+
+Don't call tevent_req_done after tevent_req_error (for the same request).
+
+Reviewed-by: Sumit Bose <sbose at redhat.com>
+---
+ src/providers/ldap/sdap_async_nested_groups.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
+index 065eb1218534229f0c6d0c0ba08feba59f61603c..a8f8f412619167448dcb4c9cb6731c3833560c1e 100644
+--- a/src/providers/ldap/sdap_async_nested_groups.c
++++ b/src/providers/ldap/sdap_async_nested_groups.c
+@@ -1388,8 +1388,9 @@ static void sdap_nested_group_single_done(struct tevent_req *subreq)
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error processing nested groups "
+- "[%d]: %s", ret, strerror(ret));
++ "[%d]: %s\n.", ret, strerror(ret));
+ tevent_req_error(req, ret);
++ return;
+ }
+
+ tevent_req_done(req);
+--
+2.1.0
+
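Review bot: The rewritten debug string in the nested hunk ends in `\n.`, so the period is printed at the start of the following log line instead of closing the message; it should read `"[%d]: %s.\n", ret, strerror(ret));` or drop the period. The added `return;` is the functional fix: tevent_req_error() already completes the request, so falling through to tevent_req_done() acted on a request that had been finished and possibly released by its callback, which fits the crash named in the commit title. sdap_nested_group_single_done starts and ends outside the hunk, so other error exits in it cannot be checked from here.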
diff --git a/0005-sudo-return-after-tevent_req_error.patch b/0005-sudo-return-after-tevent_req_error.patch
new file mode 100644
index 0000000..2d065ae
--- /dev/null
+++ b/0005-sudo-return-after-tevent_req_error.patch
@@ -0,0 +1,27 @@
+From 9620767b6f2ee282ce78f14e1c7315814230973b Mon Sep 17 00:00:00 2001
+From: Pavel Reichl <preichl at redhat.com>
+Date: Thu, 26 Jun 2014 16:21:16 +0100
+Subject: [PATCH 5/5] sudo: return after tevent_req_error
+
+Don't call tevent_req_done after tevent_req_error (for the same request).
+
+Reviewed-by: Sumit Bose <sbose at redhat.com>
+---
+ src/responder/sudo/sudosrv_query.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/responder/sudo/sudosrv_query.c b/src/responder/sudo/sudosrv_query.c
+index 632afa712c9c08af7ed253f77705e35f49b6b039..4d19514cd63f432d7cee2bbfbece237fb56c5dec 100644
+--- a/src/responder/sudo/sudosrv_query.c
++++ b/src/responder/sudo/sudosrv_query.c
+@@ -364,6 +364,7 @@ static void sudosrv_parse_query_done(struct tevent_req *subreq)
+ talloc_free(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
++ return;
+ }
+
+ tevent_req_done(req);
+--
+2.1.0
+
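Review bot: The error branch in sudosrv_parse_query_done now returns without any diagnostic visible in the hunk, unlike the SDAP counterpart in patch 4/5, which logs the code before failing the request. If the caller does not already report it, a line such as `DEBUG(SSSDBG_OP_FAILURE, "Unable to parse sudo query [%d]: %s\n", ret, strerror(ret));` before `tevent_req_error(req, ret);` would let operators see why a sudo request was rejected. The function body starts and ends outside the hunk, so an earlier log call may exist that is not shown.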
diff --git a/sssd.spec b/sssd.spec
index 809ce86..4bfd49c 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -14,7 +14,7 @@
Name: sssd
Version: 1.11.7
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -25,6 +25,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-sysdb_get_user_attr-use-fqn-for-subdomain-users.patch
Patch0002: 0002-PAC-krb5_pac_verify-failures-should-not-be-fatal.patch
+Patch0003: 0003-Signals-Remove-unused-functions.patch
+Patch0004: 0004-SDAP-return-after-tevent_req_error.patch
+Patch0006: 0005-sudo-return-after-tevent_req_error.patch
Patch0602: 0602-FEDORA-Add-CIFS-idmap-plugin.patch
### Dependencies ###
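Review bot: `Patch0006:` is assigned to the file `0005-sudo-return-after-tevent_req_error.patch`, which skips number 0005 and breaks the tag-matches-filename pattern of Patch0001 through Patch0004; `Patch0005: 0005-sudo-return-after-tevent_req_error.patch` would keep them aligned. The %prep section is not part of this diff, so it cannot be confirmed whether patches are applied by number or by iterating over all of them; if by number, the sudo fix could be left out of the build without any error. The new %changelog entry in the last hunk also reads `1.11.1-5` while Version is 1.11.7 and Release is 5, so it presumably should be `1.11.7-5`.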
@@ -753,6 +756,10 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
%changelog
+* Thu Jan 29 2015 Lukas Slebodnik <lslebodn at redhat.com> - 1.11.1-5
+- sssd_be crashes in nested LDAP code in case of ldap error
+- Resolves: rhbz#1126557
+
* Thu Dec 11 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.11.7-4
- Backport an upstream patch to ignore PAC verification failures