Issue 8092 - slapd crash with sasl auxprop and empty suffix
Status: VERIFIED FIXED
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
Assignee: OpenLDAP project
 
Reported: 2015-03-26 04:51 UTC by Ryan Tandy
Modified: 2015-07-02 17:50 UTC

Description Ryan Tandy 2015-03-26 04:51:44 UTC
Full_Name: Ryan Tandy
Version: master, 2.4
OS: Debian
URL: 
Submission from: (NULL) (24.68.37.4)


Based on a Debian bug report: https://bugs.debian.org/781162

./configure --enable-spasswd

cat > slapd.conf << EOF
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
database mdb
directory .
suffix ""
EOF

slapadd -f slapd.conf << EOF
dn: dc=com
objectClass: domain

dn: dc=example,dc=com
objectClass: domain

dn: uid=test,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
userPassword: {SASL}test@EXAMPLE.COM

EOF

ldapwhoami -x -D uid=test,dc=example,dc=com
Enter LDAP Password:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffeebab700 (LWP 28815)]
__strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210	../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0  __strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1  0x0000000000441689 in select_backend (dn=0x7fffeebaa1a8, noSubs=1) at
backend.c:704
#2  0x000000000049c7c2 in slap_auxprop_lookup (glob_context=0x0,
sparams=0x7fffe0001cd0, flags=0,
    user=0x7fffe0001861 "test@EXAMPLE.COM", ulen=16) at sasl.c:370
#3  0x00007ffff7bc463b in _sasl_auxprop_lookup (sparams=0x7fffe0001cd0,
flags=flags@entry=0,
    user=0x7fffe0001861 "test@EXAMPLE.COM", ulen=16) at ../../lib/auxprop.c:959
#4  0x00007ffff7bc5467 in _sasl_auxprop_lookup_user_props
(oparams=0x7fffe0001330, flags=3, conn=0x7fffe0000ac0)
    at ../../lib/canonusr.c:220
#5  _sasl_canon_user_lookup (conn=conn@entry=0x7fffe0000ac0,
user=user@entry=0x7fffe0001460 "test@EXAMPLE.COM",
    ulen=ulen@entry=0, flags=flags@entry=3,
oparams=oparams@entry=0x7fffe0001330) at ../../lib/canonusr.c:281
#6  0x00007ffff7bc5d39 in auxprop_verify_password (conn=0x7fffe0000ac0,
userstr=0x7fffe0001460 "test@EXAMPLE.COM",
    passwd=0x7fffe0002696 "asdf", service=<optimized out>, user_realm=<optimized
out>) at ../../lib/checkpw.c:159
#7  0x00007ffff7bcee78 in _sasl_checkpass (conn=conn@entry=0x7fffe0000ac0,
user=0x7fffe0001460 "test@EXAMPLE.COM",
    userlen=userlen@entry=16, pass=pass@entry=0x7fffe0002696 "asdf",
passlen=passlen@entry=4)
    at ../../lib/server.c:1922
#8  0x00007ffff7bd1e50 in sasl_checkpass (conn=0x7fffe0000ac0, user=<optimized
out>, userlen=16,
    pass=0x7fffe0002696 "asdf", passlen=4) at ../../lib/server.c:1989
#9  0x000000000049e4db in chk_sasl (sc=0x8cac98, passwd=0x7fffeebaa8a0,
cred=0x7fffe0002700, text=0x7fffeebaaae0)
    at sasl.c:990
#10 0x0000000000535278 in lutil_passwd (passwd=0x7fffe0003188,
cred=0x7fffe0002700, schemes=0x0, text=0x7fffeebaaae0)
    at passwd.c:327
#11 0x0000000000474aa6 in slap_passwd_check (op=0x7fffe00026b0,
e=0x7fffe0002f28, a=0x7fffe0002fa8,
    cred=0x7fffe0002700, text=0x7fffeebaaae0) at passwd.c:529
#12 0x00000000005088e7 in mdb_bind (op=0x7fffe00026b0, rs=0x7fffeebaaac0) at
bind.c:120
#13 0x00000000004584f6 in fe_op_bind (op=0x7fffe00026b0, rs=0x7fffeebaaac0) at
bind.c:383
#14 0x0000000000457bb4 in do_bind (op=0x7fffe00026b0, rs=0x7fffeebaaac0) at
bind.c:205
#15 0x000000000042f68a in connection_operation (ctx=0x7fffeebaabf0,
arg_v=0x7fffe00026b0) at connection.c:1134
#16 0x000000000042fc3a in connection_read_thread (ctx=0x7fffeebaabf0, argv=0xc)
at connection.c:1280
#17 0x00000000005401bf in ldap_int_thread_pool_wrapper (xpool=0x8b83c0) at
tpool.c:958
#18 0x00007ffff74750a4 in start_thread (arg=0x7fffeebab700) at
pthread_create.c:309
#19 0x00007ffff71aa04d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

I don't know how auxprop is intended to be configured; I'm going to follow up on
that when I have time. This is just about a segv that happens when
pwcheck_method is auxprop (the default) and the suffix is the empty string.
Comment 1 Howard Chu 2015-04-01 20:18:05 UTC
ryan@nardis.ca wrote:
> I don't know how auxprop is intended to be configured; I'm going to follow up on
> that when I have time. This is just about a segv that happens when
> pwcheck_method is auxprop (the default) and the suffix is the empty string.

Fundamentally this is a configuration error; you should not use SPASSWD with slapd's auxprop. I.e., slapd's auxprop is only intended for use when slapd handles all SASL authentication itself. Using SPASSWD means you're forwarding all SASL authentication to whatever external SASL mechanisms you have configured. In this particular case, slapd has forwarded the authentication request out to libsasl as you requested, and libsasl is forwarding it back into slapd's auxprop but without providing the context that slapd expects.

Fixed now in master.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
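
An added example, not part of the original thread or of OpenLDAP: a configuration audit that flags the combination discussed above, {SASL} userPassword values while the Cyrus SASL pwcheck_method for slapd is auxprop (the default), and notes when a database also has suffix "". The function names are hypothetical, the SASL config strings are constructed, and saslauthd as the alternative setting is an assumption rather than something stated in the thread.

```python
import base64
import re

def pwcheck_methods(sasl_conf):
    """pwcheck_method values from a Cyrus SASL config; the default is auxprop."""
    for line in sasl_conf.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip().lower() == "pwcheck_method":
            return value.lower().split()
    return ["auxprop"]

def has_empty_suffix(slapd_conf):
    """True if slapd.conf declares a database with suffix ""."""
    return any(re.match(r'\s*suffix\s+""\s*$', l) for l in slapd_conf.splitlines())

def sasl_password_dns(ldif):
    """DNs whose userPassword uses {SASL}; handles plain and base64 (::) values.
    Folded LDIF lines and base64-encoded DNs are not handled here."""
    hits, dn = [], None
    for line in ldif.splitlines():
        name, sep, raw = line.partition(":")
        if not sep:
            continue
        if name.lower() == "dn":
            dn = raw.strip()
        elif name.lower() == "userpassword":
            if raw.startswith(":"):  # "::" marks a base64-encoded value
                value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            else:
                value = raw.strip()
            if value.upper().startswith("{SASL}"):
                hits.append(dn)
    return hits

def audit(slapd_conf, sasl_conf, ldif):
    """Return findings for the combination described in this issue."""
    dns = sasl_password_dns(ldif)
    if not dns or "auxprop" not in pwcheck_methods(sasl_conf):
        return []
    findings = ["{SASL} userPassword checked via auxprop: " + "; ".join(dns)]
    if has_empty_suffix(slapd_conf):
        findings.append('a database has suffix "" (the crash setup in this report)')
    return findings

# Inputs: slapd.conf and LDIF excerpted from the report; SASL configs are constructed.
SLAPD_CONF = 'database mdb\ndirectory .\nsuffix ""\n'
LDIF = ("dn: uid=test,dc=example,dc=com\nobjectClass: account\n"
        "objectClass: simpleSecurityObject\nuserPassword: {SASL}test@EXAMPLE.COM\n")

if __name__ == "__main__":
    for sasl_conf in ("", "pwcheck_method: saslauthd\n"):
        print(repr(sasl_conf), "->", audit(SLAPD_CONF, sasl_conf, LDIF))
```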

Comment 2 Howard Chu 2015-04-03 19:22:30 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2015-06-18 21:27:12 UTC
changed notes
changed state Test to Release
Comment 4 OpenLDAP project 2015-07-02 17:50:14 UTC
fixed in master
fixed in RE25
fixed in RE24
Comment 5 Quanah Gibson-Mount 2015-07-02 17:50:14 UTC
changed notes
changed state Release to Closed