Bugzilla Bug 127214

*  sys-libs/glibc
      Latest version available: 2.3.5-r2
      Latest version installed: 2.3.5-r2

*  sys-auth/nss_ldap
      Latest version available: 239-r1
      Latest version installed: 239-r1

*  net-nds/openldap
      Latest version available: 2.2.28-r3
      Latest version installed: 2.2.28-r3


I have a ldap group (usuarios) with 753 members, and while i trying to get
member list with 'getent group usuarios' it return:

fernando ~ # getent group usuarios
*** glibc detected *** double free or corruption (out): 0x08055ad0 ***
Aborted

Then i write a simple C code test using getgrnam_r and alloc static memory it
work fine:

fernando C # ./pega_gid usuarios

The group name is: usuarios
The gid        is: 1000
Group Member 1 is: USUARIO1
Group Member 2 is: USUARIO2
Group Member 3 is: USUARIO3
Group Member 4 is: USUARIO4
Group Member 5 is: USUARIO5
Group Member 6 is: USUARIO6
Group Member 7 is: USUARIO7
Group Member 8 is: USUARIO8
Group Member 9 is: USUARIO9
Group Member 10 is: USUARIO10
...
Group Member 750 is: USUARIO750
Group Member 751 is: USUARIO751
Group Member 752 is: USUARIO752
Group Member 753 is: USUARIO753

Is this a glibc allocation memory problem?

 fernando ~ # emerge --info

Portage 2.1_pre5-r4 (default-linux/x86/2006.0, gcc-3.4.5-vanilla,
glibc-2.3.5-r2, 2.6.15-suspend2-r6 i686)
=================================================================
System uname: 2.6.15-suspend2-r6 i686 Intel(R) Pentium(R) M processor 1.60GHz
Gentoo Base System version 1.6.14
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env
/usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config
/usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium-m -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/
http://pandemonium.tiscali.de/pub/gentoo/ "
LANG="pt_BR"
LC_ALL="C"
LINGUAS="pt_BR en"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X Xaw3d a52 aac aalib accessibility acl acpi aim alsa apache2 apm
audiofile avi bash-completion bcmath berkdb bidi bitmap-fonts bluetooth bonobo
bzip2 calendar caps cdinstall cdparanoia cdr clamav cli crypt cscope ctype cups
curlwrappers dba dbm dga dio directfb doc dri dts dv dvb dvd dvdr dvdread eds
emacs emboss encode esd evo examples exif expat fam fastbuild fbcon fdftk
ffmpeg fftw flac flash flatfile foomaticdb force-cgi-redirect fortran freetds
ftp gcj gd gdbm gif glut gmp gnome gnustep gnutls gphoto2 gpm gstreamer gtk
gtk2 gtkhtml guile hardened howl iconv icq idn ieee1394 imagemagick imap imlib
iodbc ipv6 jabber jack java javascript jikes jpeg jpeg2k junit kde
kdeenablefinal kdexdeltas kerberos krb4 ladcca lapack lcms ldap leim lesstif
libcaca libedit libg++ libgda libwww lm_sensors lua mad maildir mailwrapper
matrox mbox mcal memlimit mhash mikmod mime ming mmap mmx mng mono motif
mozilla mp3 mpeg mpi msession msn mule mysqli nas ncurses neXt netboot nls nocd
nptl nsplugin odbc ogg oggvorbis openal opengl osc oscar oss pam pcmcia pcntl
pcre pda pdf pdflib perl plotutils png portaudio posix profile python qt
quicktime radius readline real recode ruby samba sasl scanner sdl session
sharedmem simplexml skey slang slp smartcard sndfile snmp soap sockets socks5
source sox speel speex spell spl sqlite sqlite3 sse sse2 ssl svg svga symlink
sysvipc szip tcltk tcpd test tetex theora threads tidy tiff tokenizer truetype
truetype-fonts type1-fonts udev unicode usb vcd videos vorbis wifi win32codecs
wmf wxwindows xface xine xinerama xml xml2 xmlrpc xmms xosd xpm xprint xsl xv
xvid yahoo zlib elibc_glibc input_devices_keyboard input_devices_mouse
input_devices_evdev kernel_linux linguas_pt_BR linguas_en userland_GNU
video_cards_i810 video_cards_i830 video_cards_i915"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LDFLAGS



My code test:

fernando C # cat pega_gid.c
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

int main(int argc, char *argv[]){
  short int lp;
  struct group grp;
  struct group * grpptr = &grp;
  struct group * tempGrpPtr;
  char grpbuffer[20000];
  int  grplinelen = sizeof(grpbuffer);

  if (argc != 2){
        printf("Use: %s groupname.\n", argv[0]);
        exit(1);
  }

  if ((getgrnam_r(argv[1],grpptr,grpbuffer,grplinelen,&tempGrpPtr))!=0)
     perror("getgrgid_r() error.");
  else
  {
     printf("\nThe group name is: %s\n", grp.gr_name);
     printf("The gid        is: %u\n", grp.gr_gid);
     for (lp = 1; NULL != *(grp.gr_mem); lp++, (grp.gr_mem)++)
        printf("Group Member %d is: %s\n", lp, *(grp.gr_mem));
  }
  return 0;
}


I have openldap, nss_ldap and nscd working fine.

i'd try a newer version of nss_ldap and/or glibc

My gdb output.



(gdb) file /usr/bin/getent
Reading symbols from /usr/bin/getent...(no debugging symbols found)...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) r group
Starting program: /usr/bin/getent group
(no debugging symbols found)
(no debugging symbols found)
Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:515:
Administrators:x:544:
Account Operators:x:548:
Print Operators:x:550:
Backup Operators:x:551:
Replicators:x:552:
*** glibc detected *** corrupted double-linked list: 0x0805ae48 ***

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7ed0271 in raise () from /lib/tls/libc.so.6
#2  0xb7ed1a09 in abort () from /lib/tls/libc.so.6
#3  0xb7f03f0a in __fsetlocking () from /lib/tls/libc.so.6
#4  0xb7f09e27 in malloc_usable_size () from /lib/tls/libc.so.6
#5  0xb7f09fab in malloc_usable_size () from /lib/tls/libc.so.6
#6  0xb7f0a5a1 in malloc_trim () from /lib/tls/libc.so.6
#7  0xb7f0a8bb in free () from /lib/tls/libc.so.6
#8  0xb7d681f6 in _nss_ldap_getpwent_r () from /usr/lib/libnss_ldap.so.2
#9  0xbfdf4d5c in ?? ()
#10 0xbfdf4d60 in ?? ()
#11 0xbfdf4e9c in ?? ()
#12 0xbfdf4ea0 in ?? ()
#13 0xbfdf4d64 in ?? ()
#14 0xbfdf4d68 in ?? ()
#15 0xb7febce9 in do_lookup_x (undef_name=Cannot access memory at address 0x2e1
) at do-lookup.h:96
Previous frame inner to this frame (corrupt stack?)

I look in ldap-pwd.c

#ifdef HAVE_NSS_H
NSS_STATUS
_nss_ldap_getpwnam_r (const char *name,
                      struct passwd * result,
                      char *buffer, size_t buflen, int *errnop)
{
  LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
               LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
}


look LDAP_NSS_BUFLEN_DEFAULT 0

Why 0? Infinite?


In ldap-nss.h


#if defined(HAVE_NSSWITCH_H) || defined(HAVE_IRS_H)
#define LDAP_NSS_MAXNETGR_DEPTH  16     /* maximum depth of netgroup nesting
for innetgr() */
#endif /* HAVE_NSSWITCH_H */

#define LDAP_NSS_MAXGR_DEPTH     16     /* maximum depth of group nesting for
getgrent()/initgroups() */

#if LDAP_NSS_NGROUPS > 64
#define LDAP_NSS_BUFLEN_GROUP   (NSS_BUFSIZ + (LDAP_NSS_NGROUPS * (sizeof (char
*) + LOGNAME_MAX)))
#else
#define LDAP_NSS_BUFLEN_GROUP   NSS_BUFSIZ
#endif /* LDAP_NSS_NGROUPS > 64 */

#define LDAP_NSS_BUFLEN_DEFAULT 0

#ifdef HAVE_USERSEC_H
#define LDAP_NSS_MAXUESS_ATTRS  8       /* maximum number of attributes in a
getentry call */
#endif /* HAVE_USERSEC_H */

#ifdef PAGE_RESULTS
#define LDAP_PAGESIZE 1000
#endif /* PAGE_RESULTS */

In do-lookup.h line 96


          if (sym != ref && strcmp (strtab + sym->st_name, undef_name))
            /* Not the symbol we are looking for.  */
            continue;

please test the nss_ldap-250 that I just commited to ~arch. Upstream has
changed some of the group stuff.

No response from user. Please reopen if this is still an issue with 250-r1.