[Date Prev][Date Next] [Chronological] [Thread] [Top]

Openldap crashes with invalid passwords (ITS#2055)

To: openldap-its@OpenLDAP.org
Subject: Openldap crashes with invalid passwords (ITS#2055)
From: openldap@pylonsoft.ch
Date: Thu, 29 Aug 2002 12:43:12 GMT

Full_Name: Philipp Klaus
Version: 2.0.25
OS: Linux (RH 7.2)
URL: 
Submission from: (NULL) (80.238.193.212)


If the password of a user is badly encoded, the server does not accept the given
credentials returning an error and the NEXT user logging in will make the slapd
segfaulting.
The bad encoding means that a SHA1 Hash is encoded base64 but the padding '='(s)
are not included (example password is 'passWORD'):

{SHA}/VIigoY17Kj2ApfeCmTcpdo1QDE

instead of 

{SHA}/VIigoY17Kj2ApfeCmTcpdo1QDE=

The problem arised on our site because we were using the Perl module
Digest::SHA1 function sha1_base64 to generate our passwords and that one had a
bug that prevented it from adding the padding equal signs (a patch to correct
that was already sent to the maintainer).
Using gdb I tracked the segfault down to occur in the 'free' routine of glibc.
This seems to be called from ber_memfree in liblber.

Prev by Date: Re: Liberal parsing of schema elements (ITS#1996)
Next by Date: Re: Objectclass inheritance mechanism in queries doesn't seem to work (ITS#2053)
Index(es):
- Chronological
- Thread