
Re: (ITS#9123) Unauthenticated remote denial-of-service



Stephan Zeisberg wrote:
> Hi Howard —
>
> Thanks for the quick reply. Will forward the report upstream to Cyrus SASL.

For reference, this fixes the bug:

vielle:/home/software/cyrus-sasl> git diff
diff --git a/lib/common.c b/lib/common.c
index bc3bf1df..9969d6aa 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,

   if (add==NULL) add = "(null)";

-  addlen=strlen(add); /* only compute once */
+  addlen=strlen(add)+1; /* only compute once */
   if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
     return SASL_NOMEM;

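Review bot: the `+1` in `addlen=strlen(add)+1` is what reserves room for the NUL terminator that the `_buf_alloc(out, alloclen, (*outlen)+addlen)` request previously left out, but the `/* only compute once */` comment should say so, otherwise a later reader will see the `+1` as a stray off-by-one and "fix" it back. Also, if `addlen` is reused below this hunk to advance `*outlen` after the copy (not visible here), that reuse now over-counts by one byte per appended string; either use `addlen-1` there or put the `+1` in the `_buf_alloc` call alone. Worth confirming before this goes upstream.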


Git history shows this bug has existed since the code was originally written in
commit 061698456069833e244d66ce33c8f82c2cd63ce3
Author: Rob Siemborski <rjs3@andrew.cmu.edu>
Date:   Tue Dec 4 01:59:43 2001 +0000
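As an added example (not Cyrus SASL's code and not from this thread), a C model of the buffer-append sizing behind this bug: the names buf_alloc, add_string, bytes_needed and unpatched_overflows are assumptions, chosen to mirror _buf_alloc and _sasl_add_string; add_string is the patched behaviour, and unpatched_overflows reports when the old strlen-only sizing leaves no byte for the terminator.

```c
#include <stdlib.h>
#include <string.h>
#define OK     0
#define NOMEM  1

/* Model of _buf_alloc (assumed name): grow *out to hold at least 'need'
 * bytes, doubling so repeated appends stay amortised O(1). */
static int buf_alloc(char **out, size_t *alloclen, size_t need) {
    if (need <= *alloclen) return OK;
    size_t newlen = need > 2 * *alloclen ? need : 2 * *alloclen;
    char *p = realloc(*out, newlen);
    if (p == NULL) return NOMEM;
    *out = p;
    *alloclen = newlen;
    return OK;
}

/* Bytes an append must reserve: the characters of 'add' plus, when
 * include_nul is set, the terminator written after them. The unpatched
 * _sasl_add_string asked for the include_nul == 0 amount. */
size_t bytes_needed(size_t outlen, const char *add, int include_nul) {
    return outlen + strlen(add) + (include_nul ? 1 : 0);
}

/* 1 when the old sizing fits the characters exactly but leaves no byte for
 * the NUL: the "0 bytes after a block of size 600" write valgrind reported. */
int unpatched_overflows(size_t alloclen, size_t outlen, const char *add) {
    return bytes_needed(outlen, add, 0) <= alloclen &&
           bytes_needed(outlen, add, 1) >  alloclen;
}

/* Model of the patched _sasl_add_string (assumed name add_string): reserve
 * strlen+1, copy the terminator with the text, count only characters. */
int add_string(char **out, size_t *alloclen, size_t *outlen, const char *add) {
    if (add == NULL) add = "(null)";
    size_t addlen = strlen(add) + 1;                 /* +1 for the NUL */
    if (buf_alloc(out, alloclen, *outlen + addlen) != OK) return NOMEM;
    memcpy(*out + *outlen, add, addlen);             /* copies the NUL too */
    *outlen += addlen - 1;                           /* outlen excludes the NUL */
    return OK;
}

int main(void) {
    char *out = NULL; size_t alloclen = 0, outlen = 0;
    int rc = add_string(&out, &alloclen, &outlen, "dn=\"\" mech=");
    if (rc == OK) rc = add_string(&out, &alloclen, &outlen, NULL);
    free(out);
    return (rc == OK && unpatched_overflows(600, 590, "0123456789")) ? 0 : 1;
}
```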


>
> Best
>
>     -Stephan
>
> On 11/28/19 3:54 PM, Howard Chu wrote:
>> Resending with the non-printable chars omitted:
>>
>> Howard Chu wrote:
>>> Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting
>>> this issue to them.
>>>
>>> valgrind confirms it as well:
>>>
>>> 5ddfddde do_bind: dn () SASL mech <garbage>
>>> 5ddfddde ==> sasl_bind: dn="" mech=<garbage>
>>> datalen=0
>>> ==11019== Thread 3:
>>> ==11019== Invalid write of size 1
>>> ==11019==    at 0x4B9B1DB: sasl_seterror (seterror.c:247)
>>> ==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
>>> ==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
>>> ==11019==    by 0x21E130: fe_op_bind (bind.c:279)
>>> ==11019==    by 0x21DCE1: do_bind (bind.c:205)
>>> ==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
>>> ==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
>>> ==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
>>> ==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
>>> ==11019==    by 0x4EFA322: clone (clone.S:95)
>>> ==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
>>> ==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
>>> ==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
>>> ==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
>>> ==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
>>> ==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
>>> ==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
>>> ==11019==    by 0x21E130: fe_op_bind (bind.c:279)
>>> ==11019==    by 0x21DCE1: do_bind (bind.c:205)
>>> ==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
>>> ==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
>>> ==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
>>> ==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
>>> ==11019==
>>> ==11019== Invalid read of size 1
>>> ==11019==    at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
>>> ==11019==    by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688)
>>> ==11019==    by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114)
>>> ==11019==    by 0x3A1FFA: lutil_debug (debug.c:74)
>>> ==11019==    by 0x266FF3: slap_sasl_log (sasl.c:146)
>>> ==11019==    by 0x4B9B4CF: sasl_seterror (seterror.c:260)
>>> ==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
>>> ==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
>>> ==11019==    by 0x21E130: fe_op_bind (bind.c:279)
>>> ==11019==    by 0x21DCE1: do_bind (bind.c:205)
>>> ==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
>>> ==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
>>> ==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
>>> ==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
>>> ==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
>>> ==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
>>> ==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
>>> ==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
>>> ==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
>>> ==11019==    by 0x21E130: fe_op_bind (bind.c:279)
>>> ==11019==    by 0x21DCE1: do_bind (bind.c:205)
>>> ==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
>>> ==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
>>> ==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
>>> ==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
>>>
>>
>


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/