
(ITS#8568) slapd SASL EXTERNAL bind getprop SSF bug; can provoke SEGFAULT



Full_Name: Bill Clay
Version: 2.4.44
OS: Debian/GNU Linux 7.8 (Wheezy)
URL: 
Submission from: (NULL) (79.12.44.250)


In sasl.c of 2.4.44, slap_sasl_bind() declares the target variable for
"sasl_getprop( ctx, SASL_SSF_EXTERNAL, (void *)&ssf );" as "sasl_ssf_t ssf", but
sasl_getprop() stores a pointer to the property through its last argument, so
the target must be "sasl_ssf_t *ssf". This also requires adjusting the last
argument of the corresponding sasl_setprop() call later in the same function.

In certain circumstances (e.g., two successive localhost EXTERNAL binds on the
same LDAP connection on a Debian Linux amd64 system), this provokes a fatal
slapd SIGSEGV at sasl.c:1504 due to corruption of the ctx pointer (the
low-order 4 bytes of ctx are overwritten by the high-order 4 bytes of
&op->o_hdr->oh_conn->c_sasl_authctx.external.ssf):

(gdb) bt
#0  sasl_getprop (conn=0x7f1f00007f1f, propnum=propnum@entry=102, pvalue=pvalue@entry=0x7f1faed42948) at ../../lib/common.c:1042
#1  0x000000000047105c in slap_sasl_bind (op=op@entry=0x7f1fa0002930, rs=rs@entry=0x7f1faed42a60) at sasl.c:1504
#2  0x000000000043ecf7 in fe_op_bind (op=0x7f1fa0002930, rs=0x7f1faed42a60) at bind.c:280
#3  0x000000000043e591 in do_bind (op=0x7f1fa0002930, rs=0x7f1faed42a60) at bind.c:205
#4  0x0000000000422145 in connection_operation (ctx=ctx@entry=0x7f1faed42b90, arg_v=arg_v@entry=0x7f1fa0002930) at connection.c:1158
#5  0x000000000042242e in connection_read_thread (ctx=0x7f1faed42b90, argv=<optimized out>) at connection.c:1294
#6  0x00000000004dc978 in ldap_int_thread_pool_wrapper (xpool=0x124a010) at tpool.c:696
#7  0x00007f1f5c3030a4 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#8  0x00007f1ff22f862d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb)

Usually, there is no obvious impact; I have not been able to provoke the SIGSEGV
except with localhost LDAP connections.

The following patch seems to correct this issue. I have tested it only on a
Debian Linux amd64 system, OpenLDAP 2.4.44 built from source, running with Cyrus
SASL 2.1.25 as distributed in Debian Wheezy.

bill@fuji:/usr/local/src/openldap-2.4.44/servers/slapd$ diff sasl.c.orig sasl.c
1501c1501
< 			sasl_ssf_t ssf = 0;
---
> 			sasl_ssf_t *ssf = NULL;
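Review bot: with ssf now a pointer, any use of ssf as a value on the lines between 1501 and the sasl_setprop() call at 1514 (not shown in this diff) must dereference it, and must first check that ssf is non-NULL, because the NULL initialisation is all that is left behind when sasl_getprop() fails. Checking the return code of sasl_getprop() itself, rather than relying on the initialisation alone, would make that failure explicit.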
1514c1514
< 				sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf );
---
> 				sasl_setprop( ctx, SASL_SSF_EXTERNAL, ssf );
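Review bot: passing ssf straight to sasl_setprop() hands it the pointer that sasl_getprop() returned, which according to the description above points into libsasl's own connection state (c_sasl_authctx.external.ssf); sasl_setprop() then reads the new value from the very location it writes to, so the call changes nothing unless something wrote through the pointer first. If the intent is to raise the external SSF, store the new value in a local sasl_ssf_t and pass its address, as the original "&ssf" did. The call is also reached with ssf == NULL whenever sasl_getprop() failed, and a NULL value should not be given to sasl_setprop().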
bill@fuji:/usr/local/src/openldap-2.4.44/servers/slapd$
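As an added illustration of the API contract the report describes (this is not code from the submitter, from OpenLDAP, or from Cyrus SASL), the C below models the two libsasl2 calls with stand-ins that copy the real prototypes of sasl_getprop() and sasl_setprop(): sasl_conn_t is a constructed struct holding only the external SSF field, the SASL_* constants carry stand-in values rather than the ones in sasl.h, and raise_external_ssf() is a hypothetical helper showing the calling pattern the slapd code path needs. It also reproduces the pointer-sized spill from the report on a layout the example controls instead of the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not OpenLDAP or Cyrus SASL code. sasl_conn_t is a constructed
 * stand-in holding only the external SSF field; sasl_getprop()/sasl_setprop()
 * copy the real libsasl2 prototypes but have stand-in bodies, and the SASL_*
 * constants are stand-in values, not those from sasl.h. */

typedef unsigned int sasl_ssf_t;       /* 32-bit, as in libsasl2 */
#define SASL_OK            0
#define SASL_BADPARAM    (-7)
#define SASL_SSF_EXTERNAL 100          /* stand-in value */

typedef struct {
    struct { sasl_ssf_t ssf; } external;   /* mirrors the ...external.ssf named in the report */
} sasl_conn_t;

/* getprop does not copy the value out: it stores a POINTER to it through pvalue.
 * That store is sizeof(void *) bytes wide, which is why the target variable must
 * be a pointer and never a bare sasl_ssf_t. */
int sasl_getprop(sasl_conn_t *conn, int propnum, const void **pvalue)
{
    if (conn == NULL || pvalue == NULL || propnum != SASL_SSF_EXTERNAL)
        return SASL_BADPARAM;
    *pvalue = &conn->external.ssf;
    return SASL_OK;
}

/* setprop reads a sasl_ssf_t through value and copies it into the connection */
int sasl_setprop(sasl_conn_t *conn, int propnum, const void *value)
{
    if (conn == NULL || value == NULL || propnum != SASL_SSF_EXTERNAL)
        return SASL_BADPARAM;
    conn->external.ssf = *(const sasl_ssf_t *)value;
    return SASL_OK;
}

/* Hypothetical helper for the slapd code path in the report: fetch a pointer,
 * check both the return code and the pointer, and give setprop the address of a
 * caller-owned value rather than the pointer getprop handed back. */
int raise_external_ssf(sasl_conn_t *ctx, sasl_ssf_t conn_ssf)
{
    const sasl_ssf_t *cur = NULL;
    if (sasl_getprop(ctx, SASL_SSF_EXTERNAL, (const void **)&cur) != SASL_OK || cur == NULL)
        return SASL_BADPARAM;
    if (*cur < conn_ssf) {
        sasl_ssf_t newssf = conn_ssf;  /* caller-owned value for setprop */
        return sasl_setprop(ctx, SASL_SSF_EXTERNAL, &newssf);
    }
    return SASL_OK;                    /* already at least conn_ssf; nothing to do */
}

/* Bytes a getprop store spills past a sasl_ssf_t target: 4 on LP64, 0 on ILP32. */
size_t getprop_overflow_bytes(void)
{
    return sizeof(void *) > sizeof(sasl_ssf_t) ? sizeof(void *) - sizeof(sasl_ssf_t) : 0;
}

/* Reproduces the report's corruption on a layout we control instead of the
 * stack: a sasl_ssf_t followed by a 32-bit neighbour (ctx, in the real frame).
 * memcpy stands in for the pointer-wide store getprop performs, i.e. what
 * sasl_getprop(ctx, SASL_SSF_EXTERNAL, (void *)&ssf) does when ssf is a
 * sasl_ssf_t, without the undefined behaviour of doing it literally. */
struct wrong_target { sasl_ssf_t ssf; uint32_t neighbour; };

int neighbour_clobbered(void)
{
    sasl_conn_t conn = { { 0 } };
    struct wrong_target frame = { 0, 0xA5A5A5A5u };
    const void *p = &conn.external.ssf;        /* what getprop would store */
    size_t n = sizeof p < sizeof frame ? sizeof p : sizeof frame;
    memcpy(&frame, &p, n);                     /* pointer-wide store into a 4-byte slot */
    return frame.neighbour != 0xA5A5A5A5u;     /* 1 on LP64: neighbour overwritten */
}

/* Walk-through: raise from 0 to 256, then a lower connection SSF must leave the
 * higher external SSF untouched. Returns the final external SSF. */
sasl_ssf_t demo_sequence(void)
{
    sasl_conn_t conn = { { 0 } };
    raise_external_ssf(&conn, 256);
    raise_external_ssf(&conn, 128);
    return conn.external.ssf;          /* 256 */
}

int demo_null_ctx(void) { return raise_external_ssf(NULL, 1); }   /* SASL_BADPARAM */

int main(void)
{
    printf("getprop spills %zu byte(s) past a sasl_ssf_t target\n", getprop_overflow_bytes());
    printf("neighbour clobbered: %d\n", neighbour_clobbered());
    printf("final external SSF: %u\n", demo_sequence());
    return 0;
}
```

The important line is the declaration of cur as a pointer: the getprop stand-in writes sizeof(void *) bytes through its last argument exactly as the real call does, and neighbour_clobbered() shows where those bytes land when the target is only sizeof(sasl_ssf_t) wide. The setprop call then gets the address of a fresh local rather than the pointer returned by getprop, so it actually changes the stored SSF instead of copying a value onto itself.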