ACL IP ADDRESS evaluation may corrupt c_isreplication_session connection flags #4797

progier389 · 2021-06-09T18:43:28Z

Issue Description
fix about 4764 issue revealed this issue

break is missing in slapi_pblock_set function between
case SLAPI_CONN_CLIENTNETADDR_ACLIP and
case SLAPI_CONN_IS_REPLICATION_SESSION

Although usually undetected this issue may generates unexpected behavior (operation may be seen as replicated while it should not) because of that for some people, fix 4764 (which is correct) may lead to crash

Package Version and Platform:

Platform: any
Package and version: latest [e.g. 389-ds-base-1.4.4.4-20200721git5d41dc5a4.fc32.x86_64]
Browser [e.g. chrome, safari]

Steps to Reproduce
Steps to reproduce the behavior:

Set up a master instance
Initialize database from ldif in
tc.zip
Run perl SimpleBindSeveralOps.perl -h localhost -p -D uid=foo,ou=people,dc=example,dc=com -w foo -b dc=example,dc=com -s sub uid=demo_user
Run again the perl command (it fails because server crashed after 3)

Note: for writing a nice test in pytest:
The perl just bind that perform a search then modify the found entry description
(The search trigger the aci evaluation and mark the connection as replicated then the modify is seen as a replicated operation
and since the csn is missing it ended to untested error handling which leads to a crash)
Note: I suspect we may hit the same issue without 4764 issue fix (but we should probably do several modify operation in the same connection )

tbordaz · 2021-06-10T07:32:58Z

@aivanov389 , @progier389 (very) nice finding !!!
The fix for ticket #3764 was broken with a missing break in a switch.

This current ticket applies to all the versions where #3764 was committed. Then milestone is 1.3.10.

…ssion connection flags Bug description: The fix for ticket 389ds#3764 was broken with a missing break in a switch. The consequence is that while setting the client IP address in the pblock (SLAPI_CONN_CLIENTNETADDR_ACLIP), the connection is erroneously set as replication connection. This can lead to crash or failure of testcase test_access_from_certain_network_only_ip. This bug was quite hidden until the fix for 389ds#4764 is showing it more frequently Fix description: Add the missing break relates: 389ds#4797 Reviewed by: Mark Reynolds Platforms tested: F33

tbordaz · 2021-06-10T13:01:26Z

Fix verified. Had to install perl-LDAP and update SimpleBindSeveralOps (use ldap rather that ldaps (line66) and supplier port)

…ssion connection flags (#4799) Bug description: The fix for ticket #3764 was broken with a missing break in a switch. The consequence is that while setting the client IP address in the pblock (SLAPI_CONN_CLIENTNETADDR_ACLIP), the connection is erroneously set as replication connection. This can lead to crash or failure of testcase test_access_from_certain_network_only_ip. This bug was quite hidden until the fix for #4764 is showing it more frequently Fix description: Add the missing break relates: #4797 Reviewed by: Mark Reynolds Platforms tested: F33

tbordaz · 2021-06-10T13:05:53Z

@progier389, sorry for having "stolen" that ticket after you did all the hard work. I had to fix it rapidly for a release.

…ssion connection flags (#4799) Bug description: The fix for ticket #3764 was broken with a missing break in a switch. The consequence is that while setting the client IP address in the pblock (SLAPI_CONN_CLIENTNETADDR_ACLIP), the connection is erroneously set as replication connection. This can lead to crash or failure of testcase test_access_from_certain_network_only_ip. This bug was quite hidden until the fix for #4764 is showing it more frequently Fix description: Add the missing break relates: #4797 Reviewed by: Mark Reynolds Platforms tested: F33

tbordaz · 2021-06-10T13:13:14Z

2437047..551b5a9 master
f31010e..02ca55d 389-ds-base-1.4.4
506dce2..05c07a6 389-ds-base-1.4.3
f3fc9ef..a7b67cf 389-ds-base-1.3.10

…ssion connection flags (#4799) Bug description: The fix for ticket #3764 was broken with a missing break in a switch. The consequence is that while setting the client IP address in the pblock (SLAPI_CONN_CLIENTNETADDR_ACLIP), the connection is erroneously set as replication connection. This can lead to crash or failure of testcase test_access_from_certain_network_only_ip. This bug was quite hidden until the fix for #4764 is showing it more frequently Fix description: Add the missing break relates: #4797 Reviewed by: Mark Reynolds Platforms tested: F33

progier389 added needs triage The issue will be triaged during scrum bug Something isn't working easy fix Fix is easy priority_high need urgent fix / highly valuable / easy to fix labels Jun 9, 2021

tbordaz added Need BZ The ticket needs to be cloned to a BZ and removed needs triage The issue will be triaged during scrum labels Jun 10, 2021

tbordaz added this to the 1.3.10 milestone Jun 10, 2021

tbordaz added In JIRA ticket is in JIRA and removed Need BZ The ticket needs to be cloned to a BZ labels Jun 10, 2021

tbordaz mentioned this issue Jun 10, 2021

Issue 4797 - ACL IP ADDRESS evaluation may corrupt c_isreplication_se… #4799

Merged

tbordaz closed this as completed Jun 10, 2021

tbordaz assigned progier389 Jun 10, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ACL IP ADDRESS evaluation may corrupt c_isreplication_session connection flags #4797

ACL IP ADDRESS evaluation may corrupt c_isreplication_session connection flags #4797

progier389 commented Jun 9, 2021

tbordaz commented Jun 10, 2021

tbordaz commented Jun 10, 2021

tbordaz commented Jun 10, 2021

tbordaz commented Jun 10, 2021

ACL IP ADDRESS evaluation may corrupt c_isreplication_session connection flags #4797

ACL IP ADDRESS evaluation may corrupt c_isreplication_session connection flags #4797

Comments

progier389 commented Jun 9, 2021

tbordaz commented Jun 10, 2021

tbordaz commented Jun 10, 2021

tbordaz commented Jun 10, 2021

tbordaz commented Jun 10, 2021