[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: crash: cyrus-imapd -> sasl -> pam -> pam_ldap ->libldap-2.x -> sasl

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: crash: cyrus-imapd -> sasl -> pam -> pam_ldap ->libldap-2.x -> sasl
From: Julio Sánchez Fernández <j_sanchez@stl.es>
Date: Tue, 28 Nov 2000 18:32:17 +0100
Cc: openldap-devel@OpenLDAP.org
Organization: Poca
References: <5.0.0.25.0.20001128084418.00a5f4f0@router.boolean.net>

"Kurt D. Zeilenga" wrote:

> Besides the quick (rm sasl_set_alloc call) hack you and others
> have suggested, I would suggest moving SASL's PAM code into
> pwcheckd.  This would isolate the SASL caller from the SASL
> password check mechanism.

Oh, yes.  That would help a lot.  But may be not enough.

What worries me is that, apparently, any program that uses libsasl
on its own and libldap might trigger this.  Because it might
end up allocating memory with ber_memalloc and freeing it with
something else.  Or the other way around.  And that may break.

For instance, sasl_decode returns memory allocated by the library
(presumably using whatever was set by sasl_set_alloc) and the caller
is responsible for freeing it. So it should know how to do that.

And we are playing dirty tricks behind the caller's back. Seems fragile.
For instance, sendmail calls both libsasl and libldap.  It may work now
and start failing at anytime. 

Julio

Follow-Ups:
- Re: crash: cyrus-imapd -> sasl -> pam -> pam_ldap ->libldap-2.x -> sasl
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: crash: cyrus-imapd -> sasl -> pam -> pam_ldap ->libldap-2.x -> sasl
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: crash: cyrus-imapd -> sasl -> pam -> pam_ldap -> libldap-2.x -> sasl
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Adding TLS /SSL to slapd - problem
Next by Date: Re: Adding TLS /SSL to slapd - problem
Index(es):
- Chronological
- Thread