rpms/nss_ldap/devel nss_ldap-257-over-recursion.patch,NONE,1.1
Nalin Somabhai Dahyabhai (nalin)
fedora-extras-commits at redhat.com
Thu Sep 20 19:07:39 UTC 2007
Author: nalin
Update of /cvs/pkgs/rpms/nss_ldap/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25093
Added Files:
nss_ldap-257-over-recursion.patch
Log Message:
- attempt to avoid over-recursion from nss_ldap ending up needing to call
itself during initialization, preferable to infinite-recurse-then-crash
nss_ldap-257-over-recursion.patch:
--- NEW FILE nss_ldap-257-over-recursion.patch ---
This isn't particularly elegant or exhaustive, and the maximum recursion depth
is purely an arbitrary value, but keeping a per-thread depth count manages to
avoid infinite recursion crashes which happen when we hit nesting through
nss_ldap->libldap->gethostbyXXX->nss_ldap calls.
diff -ur nss_ldap/configure.in nss_ldap/configure.in
--- nss_ldap/configure.in 2007-09-20 14:35:18.000000000 -0400
+++ nss_ldap/configure.in 2007-09-20 13:43:49.000000000 -0400
@@ -243,6 +243,17 @@
],
AC_MSG_RESULT(no))
+AC_MSG_CHECKING(for thread-local storage)
+AC_TRY_COMPILE([#ifdef HAVE_PTHREAD_H
+ #include <pthread.h>
+ #endif],
+ [static __thread int foo = 1;],
+ [
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_THREAD_LOCAL_STORAGE,1,[Define if your toolchain supports thread-local storage.])
+ ],
+ AC_MSG_RESULT(no))
+
AC_MSG_CHECKING(for socklen_t)
AC_TRY_COMPILE([#include <sys/types.h>
#include <sys/socket.h>],
diff -ur nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c
--- nss_ldap-257/ldap-nss.c 2007-09-20 14:35:18.000000000 -0400
+++ nss_ldap-257/ldap-nss.c 2007-09-20 14:33:01.000000000 -0400
@@ -119,6 +120,11 @@
NSS_LDAP_DEFINE_LOCK (__lock);
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+static __thread int _nss_ldap_init_recursion_depth;
+static __thread int _nss_ldap_search_recursion_depth;
+#endif
+
/*
* the configuration is read by the first call to do_open().
* Pointers to elements of the list are passed around but should not
@@ -1100,6 +1106,19 @@
NSS_STATUS stat;
int sd=-1;
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_init_recursion_depth > 5)
+ {
+ /* the reasoning here is just a guess, but why else? */
+ syslog (LOG_ERR, "nss_ldap: unable to connect to DSA without "
+ "information which may need to be retrieved from the DSA");
+ debug ("<=> do_init: recursed too far, failing");
+ return NSS_NOTFOUND;
+ }
+
+ _nss_ldap_init_recursion_depth++;
+#endif
+
debug ("==> do_init");
if (_nss_ldap_validateconfig (__config) != NSS_SUCCESS)
@@ -1227,6 +1246,9 @@
if (__session.ls_state == LS_CONNECTED_TO_DSA)
{
debug ("<== do_init (cached session)");
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_init_recursion_depth--;
+#endif
return NSS_SUCCESS;
}
}
@@ -1239,6 +1261,9 @@
if (pthread_once (&__once, do_atfork_setup) != 0)
{
debug ("<== do_init (pthread_once failed)");
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_init_recursion_depth--;
+#endif
return NSS_UNAVAIL;
}
#elif defined(HAVE_PTHREAD_ATFORK) && ( defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H) )
@@ -1280,6 +1305,9 @@
{
debug ("<== do_init (failed to read config)");
__config = NULL;
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_init_recursion_depth--;
+#endif
return NSS_UNAVAIL;
}
}
@@ -1328,6 +1356,9 @@
&& (rc = ldapssl_client_init (cfg->ldc_sslpath, NULL)) != LDAP_SUCCESS)
{
debug ("<== do_init (ldapssl_client_init failed with rc = %d)", rc);
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_init_recursion_depth--;
+#endif
return NSS_UNAVAIL;
}
__ssl_initialized = 1;
@@ -1345,6 +1376,9 @@
if (stat != NSS_SUCCESS)
{
debug ("<== do_init (failed to initialize LDAP session)");
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_init_recursion_depth--;
+#endif
return stat;
}
@@ -1353,6 +1387,9 @@
debug ("<== do_init (initialized session)");
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_init_recursion_depth--;
+#endif
return NSS_SUCCESS;
}
@@ -1660,7 +1697,7 @@
ldap_err2string (rc));
stat = do_map_error (rc);
do_close ();
- debug ("<== do_open (failed to bind to DSA");
+ debug ("<== do_open (failed to bind to DSA)");
}
else
{
@@ -2513,6 +2550,19 @@
NSS_STATUS stat = NSS_UNAVAIL;
int maxtries;
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ if (_nss_ldap_search_recursion_depth > 5)
+ {
+ /* the reasoning here is just a guess, but why else? */
+ syslog (LOG_ERR, "nss_ldap: unable to connect to DSA without "
+ "information which may need to be retrieved from the DSA");
+ debug ("<=> do_with_reconnect: recursed too far, failing");
+ return NSS_NOTFOUND;
+ }
+
+ _nss_ldap_search_recursion_depth++;
+#endif
+
debug ("==> do_with_reconnect");
/* caller must successfully call do_init() first */
@@ -2621,6 +2671,11 @@
}
debug ("<== do_with_reconnect");
+
+#ifdef HAVE_THREAD_LOCAL_STORAGE
+ _nss_ldap_search_recursion_depth--;
+#endif
+
return stat;
}
More information about the fedora-extras-commits
mailing list