Issue 8218 - segfault on sasl auth with malformed URI in config
Summary: segfault on sasl auth with malformed URI in config
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-19 09:09 UTC by best@univention.de
Modified: 2015-11-30 18:21 UTC (History)
0 users

See Also:


Attachments

Description best@univention.de 2015-08-19 09:09:40 UTC
Full_Name: 
Version: 2.4.40-1
OS: debian / UCS 4.1 amd64
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.198.197.8)


A malformed URI in the sasl-regexp directive of slapd.conf caused a segfault of
slapd.

"""
sasl-regexp
    uid=(.*),cn=saml,cn=auth
    ldap:///0.0.0.0:7389,389/"dc=dev,dc=local"??sub?uid=$1
"""
The URI starts with 3 slashes after the scheme instead of 2 slashes.

When doing authentication via SASL, /usr/sbin/slapd segfaults.

I think it is easy to reproduce. I can provide a core dump if needed.

The backtrace:

Thread 1 (Thread 0x7f933827c700 (LWP 18575)):
#0  *__GI___libc_free (mem=0x20) at malloc.c:3709
#1  0x000000000044d08e in ava_free (op=0x1aa6ce0, ava=0x1aa8410,
freeit=1) at ../../../../servers/slapd/ava.c:50
#2  0x00000000004354aa in filter_free_x (op=0x1aa6ce0, f=0x1aa8450,
freeme=1) at ../../../../servers/slapd/filter.c:531
#3  0x00000000004798a3 in slap_sasl2dn (opx=opx@entry=0x1aa6ce0,
saslname=saslname@entry=0x7f933827b600,
sasldn=sasldn@entry=0x7f933827b450, flags=flags@entry=2) at
../../../../servers/slapd/saslauthz.c:2018
#4  0x0000000000480c0f in slap_sasl_getdn (conn=<optimized out>,
op=0x1aa6ce0, op@entry=0x0, id=id@entry=0x7f933827b610,
user_realm=user_realm@entry=0x0, dn=dn@entry=0x7f933827b600, flags=2) at
../../../../servers/slapd/sasl.c:1884
#5  0x00000000004811a1 in slap_sasl_canonicalize (sconn=0x190a7e0,
context=<optimized out>, in=0x1a864b0 "Administrator", inlen=13,
flags=<optimized out>, user_realm=0x0, out=0x190b581 "", out_max=1024,
out_len=0x190b06c) at ../../../../servers/slapd/sasl.c:656
#6  0x00007f93c16b2558 in _sasl_canon_user (conn=conn@entry=0x190a7e0,
user=0x1a864b0 "Administrator", ulen=13, flags=flags@entry=3,
oparams=oparams@entry=0x190b050) at ../../lib/canonusr.c:109
#7  0x00007f93c16b2870 in _sasl_canon_user_lookup (conn=0x190a7e0,
user=<optimized out>, ulen=<optimized out>, flags=3, oparams=0x190b050)
at ../../lib/canonusr.c:273
#8  0x00007f93bd46b936 in saml_server_mech_step (conn_context=0x1a2e8e0,
params=0x190b9f0, clientin=0x1a55bea "", clientinlen=<optimized out>,
serverout=<optimized out>, serveroutlen=<optimized out>,
oparams=0x190b050) at cy2_saml.c:281
#9  0x00007f93c16be605 in sasl_server_step (serveroutlen=<optimized
out>, serverout=0x7f933827b958, clientinlen=<optimized out>,
clientin=<optimized out>, conn=0x190a7e0) at ../../lib/server.c:1614
#10 sasl_server_step (conn=0x190a7e0, clientin=<optimized out>,
clientinlen=<optimized out>, serverout=0x7f933827b958,
serveroutlen=<optimized out>) at ../../lib/server.c:1585
#11 0x00007f93c16beb44 in sasl_server_start (conn=<optimized out>,
mech=<optimized out>, clientin=0x1a55bea "", clientinlen=<optimized
out>, serverout=serverout@entry=0x7f933827b958,
serveroutlen=serveroutlen@entry=0x7f933827b938) at ../../lib/server.c:1529
#12 0x000000000048020e in slap_sasl_bind (op=op@entry=0x1aa6ce0,
rs=rs@entry=0x7f933827ba60) at ../../../../servers/slapd/sasl.c:1512
#13 0x000000000044e217 in fe_op_bind (op=0x1aa6ce0, rs=0x7f933827ba60)
at ../../../../servers/slapd/bind.c:280
#14 0x000000000044dab1 in do_bind (op=0x1aa6ce0, rs=0x7f933827ba60) at
../../../../servers/slapd/bind.c:205
#15 0x00000000004315d5 in connection_operation
(ctx=ctx@entry=0x7f933827bba0, arg_v=arg_v@entry=0x1aa6ce0) at
../../../../servers/slapd/connection.c:1155
#16 0x00000000004318be in connection_read_thread (ctx=0x7f933827bba0,
argv=<optimized out>) at ../../../../servers/slapd/connection.c:1291
#17 0x00007f93c22e4c33 in ldap_int_thread_pool_wrapper (xpool=0x1447450)
at ../../../../libraries/libldap_r/tpool.c:688
#18 0x00007f93c03c3b50 in start_thread (arg=<optimized out>) at
pthread_create.c:304
#19 0x00007f93c010d70d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#20 0x0000000000000000 in ?? ()

Some more context:
(gdb) f 1
#1  0x000000000044d08e in ava_free (op=0x1aa6ce0, ava=0x1aa8410, freeit=1) at
../../../../servers/slapd/ava.c:50
50              op->o_tmpfree( ava->aa_value.bv_val, op->o_tmpmemctx );
(gdb) list
45      {
46      #ifdef LDAP_COMP_MATCH
47              if ( ava->aa_cf && ava->aa_cf->cf_ca->ca_comp_data.cd_mem_op )
48                      nibble_mem_free (
ava->aa_cf->cf_ca->ca_comp_data.cd_mem_op );
49      #endif
50              op->o_tmpfree( ava->aa_value.bv_val, op->o_tmpmemctx );
51              if ( ava->aa_desc->ad_flags & SLAP_DESC_TEMPORARY )
52                      op->o_tmpfree( ava->aa_desc, op->o_tmpmemctx );
53              if ( freeit ) op->o_tmpfree( (char *) ava, op->o_tmpmemctx );
54      }
(gdb) up
#2  0x00000000004354aa in filter_free_x (op=0x1aa6ce0, f=0x1aa8450, freeme=1) at
../../../../servers/slapd/filter.c:531
531                     ava_free( op, f->f_ava, 1 );
(gdb) list
526
527             case LDAP_FILTER_EQUALITY:
528             case LDAP_FILTER_GE:
529             case LDAP_FILTER_LE:
530             case LDAP_FILTER_APPROX:
531                     ava_free( op, f->f_ava, 1 );
532                     break;
533
534             case LDAP_FILTER_SUBSTRINGS:
535                     if ( f->f_sub_initial.bv_val != NULL ) {
(gdb) up
#3  0x00000000004798a3 in slap_sasl2dn (opx=opx@entry=0x1aa6ce0,
saslname=saslname@entry=0x7f933827b600, sasldn=sasldn@entry=0x7f933827b450,
flags=flags@entry=2) at ../../../../servers/slapd/saslauthz.c:2018
2018                    filter_free_x( opx, op.ors_filter, 1 );
(gdb) list
2013            }
2014            if( !BER_BVISNULL( &op.o_req_ndn ) ) {
2015                    slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx );
2016            }
2017            if( op.ors_filter ) {
2018                    filter_free_x( opx, op.ors_filter, 1 );
2019            }
2020            if( !BER_BVISNULL( &op.ors_filterstr ) ) {
2021                    ch_free( op.ors_filterstr.bv_val );
2022            }
(gdb) up
(gdb) up
#4  0x0000000000480c0f in slap_sasl_getdn (conn=<optimized out>, op=0x1aa6ce0,
op@entry=0x0, id=id@entry=0x7f933827b610, user_realm=user_realm@entry=0x0,
dn=dn@entry=0x7f933827b600, flags=2) at ../../../../servers/slapd/sasl.c:1884
1884            slap_sasl2dn( op, dn, &dn2, flags );
(gdb) list
1879                    }
1880                    *dn = dn2;
1881            }
1882
1883            /* Run thru regexp */
1884            slap_sasl2dn( op, dn, &dn2, flags );
1885            if( !BER_BVISNULL( &dn2 ) ) {
1886                    slap_sl_free( dn->bv_val, op->o_tmpmemctx );
1887                    *dn = dn2;
1888                    Debug( LDAP_DEBUG_TRACE,
(gdb) up
#5  0x00000000004811a1 in slap_sasl_canonicalize (sconn=0x190a7e0,
context=<optimized out>, in=0x1a864b0 "Administrator", inlen=13,
flags=<optimized out>, user_realm=0x0, out=0x190b581 "", out_max=1024,
out_len=0x190b06c) at ../../../../servers/slapd/sasl.c:656
656             rc = slap_sasl_getdn( conn, NULL, &bvin, (char *)user_realm,
&dn,
(gdb) list
651                     if ( !rc ) goto nene;
652             }
653
654             bvin.bv_val = (char *)in;
655             bvin.bv_len = inlen;
656             rc = slap_sasl_getdn( conn, NULL, &bvin, (char *)user_realm,
&dn,
657                     (flags & SASL_CU_AUTHID) ? SLAP_GETDN_AUTHCID :
SLAP_GETDN_AUTHZID );
658             if ( rc != LDAP_SUCCESS ) {
659                     sasl_seterror( sconn, 0, ldap_err2string( rc ) );
660                     return SASL_NOAUTHZ;
(gdb) up
#6  0x00007f93c16b2558 in _sasl_canon_user (conn=conn@entry=0x190a7e0,
user=0x1a864b0 "Administrator", ulen=13, flags=flags@entry=3,
oparams=oparams@entry=0x190b050) at ../../lib/canonusr.c:109
109     ../../lib/canonusr.c: Datei oder Verzeichnis nicht gefunden.
(gdb) list
104     result = _sasl_getcallback(conn,
105                                SASL_CB_CANON_USER,
106                                (sasl_callback_ft *)&cuser_cb,
107                                &context);
108     if(result == SASL_OK && cuser_cb) {
109         result = cuser_cb(conn,
110                           context,
111                           user,
112                           ulen,
113                           flags,
114                           (conn->type == SASL_CONN_SERVER ?
115                                 sconn->user_realm :
116                                 NULL),
117                           user_buf,
118                           CANON_BUF_SIZE,
119                           lenp);
(gdb) up
#7  0x00007f93c16b2870 in _sasl_canon_user_lookup (conn=0x190a7e0,
user=<optimized out>, ulen=<optimized out>, flags=3, oparams=0x190b050) at
../../lib/canonusr.c:273

271     int result;
272 
273     result = _sasl_canon_user (conn,
274                                user,
275                                ulen,
276                                flags,
277                                oparams);

 (gdb) up
#8  0x00007f93bd46b936 in saml_server_mech_step (conn_context=0x1a2e8e0,
params=0x190b9f0, clientin=0x1a55bea "", clientinlen=<optimized out>,
serverout=<optimized out>, serveroutlen=<optimized out>, oparams=0x190b050) at
cy2_saml.c:281
281                     if ((error = params->canon_user(params->utils->conn,
userid, 0,
(gdb) list
276                             goto out;
277                     if ((error = params->canon_user(params->utils->conn,
userid, 0,
278                         SASL_CU_AUTHID, oparams)) != SASL_OK) 
279                             goto out;
280             } else {
281                     if ((error = params->canon_user(params->utils->conn,
userid, 0,
282                         SASL_CU_AUTHID|SASL_CU_AUTHZID, oparams)) !=
SASL_OK) 
283                             goto out;
284             }
285

Memory information:
In frame 1, ava->aa_value.bv_val is not "Administrator" (the user I authenticated with),
but bv_len is 13.

(gdb) print *ava
$13 = {aa_desc = 0x1444650, aa_value = {bv_len = 13, bv_val = 0x20 <Address 0x20
out of bounds>}}
Comment 1 Howard Chu 2015-08-19 14:37:59 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 2 Howard Chu 2015-08-20 13:35:16 UTC
best@univention.de wrote:
> Full_Name:
> Version: 2.4.40-1
> OS: debian / UCS 4.1 amd64
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (82.198.197.8)
>
>
> A malformed URI in the sasl-regexp directive of slapd.conf caused a segfault of
> slapd.
>
> """
> sasl-regexp
>      uid=(.*),cn=saml,cn=auth
>      ldap:///0.0.0.0:7389,389/"dc=dev,dc=local"??sub?uid=$1
> """
> The URI starts with 3 slashes after the scheme instead of 2 slashes.
>
> When doing authentication via SASL /usr/sbin/slapd segfaults.

Thanks for the report, fixed in git master.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 Quanah Gibson-Mount 2015-08-21 21:43:46 UTC
changed notes
changed state Test to Release
Comment 4 OpenLDAP project 2015-11-30 18:21:00 UTC
fixed in master
fixed in RE25
fixed in RE24 (2.4.43)
Comment 5 Quanah Gibson-Mount 2015-11-30 18:21:00 UTC
changed notes
changed state Release to Closed