Thread: (ITS#4956) slapd cores with a SEGFAULT after a failed proxy authorization

2007-05-11 13:46:30
Full_Name: Paul Turgyan
Version: 2.3.35
OS: linux - 2.6 kernel
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.213.231.201)

slapd cores with a SEGFAULT after a failed proxy authorization, with a core file like:

(gdb) bt
#0  0xb7c74be5 in *__GI___libc_free (mem=0xab5fc714) at malloc.c:3402
#1  0x0807aa96 in ch_free (ptr=0xab5fc714) at ch_malloc.c:139
#2  0x080a5886 in slap_sasl_authorize (sconn=0xacb03000, context=0xada20428,
    requested_user=0xacb03910 "pturgyanUMICH.EDU", rlen=18,
    auth_identity=0xacb03a11 "pturgyanUMICH.EDU", alen=18,
    def_realm=0xacb049e0 "UMICH.EDU", urlen=9, props=0x0) at sasl.c:673
#3  0xb7ea2ba3 in do_authorization (s_conn=0xacb03000) at server.c:1163
#4  0xb7ea2d18 in sasl_server_step (conn=0xacb03000,
    clientin=0xacb01dae "`?06t*206H206?22010202020104",
    clientinlen=0, serverout=0xad61d114, serveroutlen=0x1) at server.c:1420
#5  0x080a6654 in slap_sasl_bind (op=0x830fad0, rs=0xad61d240) at sasl.c:1395
#6  0x0807cdaa in fe_op_bind (op=0x830fad0, rs=0xad61d240) at bind.c:276
#7  0x0807c5b3 in do_bind (op=0x830fad0, rs=0xad61d240) at bind.c:200
#8  0x0806176f in connection_operation (ctx=0x0, arg_v=0x830fad0) at connection.c:1133
#9  0x08133e28 in ldap_int_thread_pool_wrapper (xpool=0x81ff4e0) at tpool.c:478
#10 0xb7e83c6b in start_thread (arg=0xad61dbb0) at pthread_create.c:261
#11 0xb7cc9d9e in clone () from /lib/libc.so.6

We are using cyrus-sasl-2.1.21
             heimdal-0.6.2

During a proxy auth, c_sasl_dn is set at sasl.c:682. If the proxy auth fails for some reason, then c_sasl_dn is never cleared. Sometime later, when that connection block is reused for another sasl bind, slap_sasl_authorize attempts to free the memory pointed to by c_sasl_dn.bv_val at sasl.c:673 and free SEGFAULTs.

This can be duplicated by looping an ldapsearch that does a sasl bind with an invalid proxy authorization. You have to loop long enough to force a reuse of a connection struct.


The following patch NULLs out c_sasl_dn at sasl.c:702 when the proxy auth is disallowed.


*** sasl.c-     Thu Jan 25 07:42:38 2007
--- sasl.c      Fri May 11 13:47:19 2007
***************
*** 699,704 ****
--- 699,705 ----
                        "proxy authorization disallowed
(%d)n",
                        (long) (conn ? conn->c_connid :
-1), rc, 0 );
  
+               BER_BVZERO( &conn->c_sasl_dn );
                sasl_seterror( sconn, 0, "not
authorized" );
                ch_free( authzDN.bv_val );
                return SASL_NOAUTHZ;
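Review bot: the added `BER_BVZERO( &conn->c_sasl_dn );` dereferences `conn` unconditionally, while the Debug call two lines above it still guards with `(conn ? conn->c_connid : -1)`; either that guard is dead and should go, or the new line needs the same check, e.g. `if ( conn ) BER_BVZERO( &conn->c_sasl_dn );`. Also, this only drops the pointer: the hunk frees `authzDN.bv_val` but nothing here releases the buffer `c_sasl_dn.bv_val` pointed to, so unless another path frees it on the failure case, the change trades a dangling pointer for a leak. Please confirm who owns that buffer once authorization is disallowed and, if it is this function, `ch_free` it before zeroing the berval.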

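A constructed C model of the lifetime bug described above and of what the patch's BER_BVZERO buys, added here and not taken from the report or from OpenLDAP: it assumes that a failed bind releases its authcDN buffer (the report does not say which code frees it), and it uses a one-slot allocation ledger so the invalid free is counted rather than crashing. `struct conn`, `ch_strdup`, `sasl_authorize` and `bad_frees_after` are simplified stand-ins, not slapd's functions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the ITS#4956 lifetime bug; not slapd code. */
struct berval { size_t bv_len; char *bv_val; };
#define BER_BVZERO(bv)   ((bv)->bv_len = 0, (bv)->bv_val = NULL)
#define BER_BVISNULL(bv) ((bv)->bv_val == NULL)
struct conn { struct berval c_sasl_dn; };  /* stand-in for slapd's Connection */

/* One-slot ledger of the buffer we own: freeing anything else is counted
 * instead of crashing (in slapd it is the SEGFAULT in frames #0/#1). */
static void *live;
static int bad_frees;

static char *ch_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    live = memcpy(p, s, n);
    return p;
}
static void ch_free(void *p) {
    if (p != NULL && p == live) { live = NULL; free(p); return; }
    bad_frees++;  /* dangling pointer or double free */
}

/* One proxy-authorization attempt. Assumption (not in the report): a failed bind
 * releases its authcDN buffer; the bug is the alias it leaves in c_sasl_dn. */
static int sasl_authorize(struct conn *c, const char *authc, int allowed, int fixed) {
    struct berval authcDN;
    if (!BER_BVISNULL(&c->c_sasl_dn))         /* sasl.c:673 in the report */
        ch_free(c->c_sasl_dn.bv_val);
    authcDN.bv_len = strlen(authc);
    authcDN.bv_val = ch_strdup(authc);
    c->c_sasl_dn = authcDN;                   /* sasl.c:682 in the report */
    if (!allowed) {
        ch_free(authcDN.bv_val);
        if (fixed) BER_BVZERO(&c->c_sasl_dn); /* sasl.c:702 in the patch */
        return -1;                            /* SASL_NOAUTHZ */
    }
    return 0;
}

/* Loop disallowed binds on one reused connection block, as the report's
 * ldapsearch loop does, and return how many frees hit memory we do not own. */
int bad_frees_after(int binds, int fixed) {
    struct conn c = { { 0, NULL } };
    bad_frees = 0;
    for (int i = 0; i < binds; i++)
        sasl_authorize(&c, "authcid@EXAMPLE.REALM", 0, fixed);  /* constructed id */
    if (!BER_BVISNULL(&c.c_sasl_dn)) ch_free(c.c_sasl_dn.bv_val);  /* teardown */
    return bad_frees;
}
```

With the alias left in place every later bind on the reused block (and the final teardown) frees memory the connection no longer owns, which is the free in backtrace frame #1; zeroing the berval on the failure path makes that count zero.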