[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5154) Sequential binds to back-meta cause assertion failiure
mhardin@symas.com wrote:
> Full_Name: Matthew Hardin
> Version: 2.3.38
> OS: N/A
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (12.168.121.2)
>
>
> Multiple binds on the same connection where at least one bind ends up being
> passed through to a target and where the credentials for that bind are incorrect
> will cause back-meta to throw an assertion failure during a subsequent bind. In
> this situation back-meta prints the message "slapd: bind.c:229: meta_back_bind:
> Assertion `tmpmc == mc' failed".
>
> Analysis:
> In bind.c there is no cleanup of the metaconn structure after a failed bind to a
> target database. This is ordinarily not a problem, as most applications perform
> an unbind immediately after a failed bind and so fail to trigger this bug.
> However, applications such as pam_ldap will perform several binds to as many as
> two different identities on the same connection, and the credentials for one of
> those identities are routinely incorrect. This bug causes the metaconn structure
> from the failed bind to be left in the mi_conninfo.lai_tree avl tree and then
> found during the re-insertion of a metaconn structure from a subsequent bind
> (approx between lines 209-258 in bind.c), causing the assertion failure and
> killing slapd in the process.
>
> Note: This bug can be exploited as a DOS attack, as the behavior is relatively
> easy to reproduce on an unpatched system with a short perl script.
>
>
> Proposed Fix:
> The simplest and best fix appears to be to mark the metaconn struct from the
> failed bind as tainted. This causes the struct to be deleted in the call to
> meta_back_release_conn around line 281.
>
> The patch is as follows:
>
> bind.c
> ***************
> *** 189,194 ****
> --- 189,198 ----
>
> if ( lerr != LDAP_SUCCESS ) {
> rc = rs->sr_err = lerr;
> + /* Mark the meta_conn struct as tainted so
> + * it'll be freed by meta_conn_back_destroy below */
> + LDAP_BACK_CONN_TAINTED_SET( mc );
> +
> /* FIXME: in some cases (e.g. unavailable)
> * do not assume it's not candidate; rather
> * mark this as an error to be eventually
I think the "real" fix should be different: binds should always receive
a fresh connection from meta_back_getconn(), which shouldn't be put
into the cache at all. meta_back_bind() should cache them only in case
of success, otherwise they should be destroyed. This would allow to
remove the need to set a BINDING flag to guarantee connections used for
bind are not shared.
In the meanwhile, the solution you propose should be just fine, as it
fills the hole occurring when a bind fails.
I'll work at that ASAP.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------