[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5298) multi-step SASL binds are unsafe

To: openldap-its@OpenLDAP.org
Subject: (ITS#5298) multi-step SASL binds are unsafe
From: hyc@OpenLDAP.org
Date: Sat, 22 Dec 2007 23:20:23 GMT

Full_Name: Howard Chu
Version: HEAD
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc


While testing the fix for ITS#5259 I realized that the SASL DN is being
allocated on the Operation's slab, but may be referenced by a different
Operation if a Bind requires multiple steps. 

For OTP there are 2 operations - the identities are canonicalized and saved in
step 1, when the challenge is generated for the client, and then the OTP is sent
and validated in a subsequent operation.

(DIGEST-MD5 also occurs in 2 steps, but no usernames are provided in step 1, all
canonicalization and validation occurs in step 2 so it's all within a single
operation.)

To avoid this problem, the DNs probably should be dup'd using the SASL
allocator, so they can be cleaned up automatically when SASL completes.

Prev by Date: Re: (ITS#5259) SIGSEGV in slap_auxprop_store during SASL/OTP bind
Next by Date: Re: (ITS#5266) "authorization failure: invalid authcid" during SASL auto_transition
Index(es):
- Chronological
- Thread