[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
(ITS#8218) segfault on sasl auth with malformed URI in config
Full_Name:
Version: 2.4.40-1
OS: debian / UCS 4.1 amd64
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.198.197.8)
A malformed URI in the sasl-regexp directive of slapd.conf caused a segfault of
slapd.
"""
sasl-regexp
uid=(.*),cn=saml,cn=auth
ldap:///0.0.0.0:7389,389/"dc=dev,dc=local"??sub?uid=$1
"""
The URI starts with 3 slashes after the scheme instead of 2 slashes.
When doing authentication via SASL /usr/sbin/slapd segfaults.
I think it is easy to reproduce. I can provide a core dump if needed.
The backtrace:
Thread 1 (Thread 0x7f933827c700 (LWP 18575)):
#0 *__GI___li_freree (mem=0x20) at malloc.c:3709
#1 0x000000000044d08e in ava_free (op=0x1aa6ce0, ava=0x1aa8410,
freeit=1) at ../../../../servers/slapd/ava.c:50
#2 0x00000000004354aa in filter_free_x (op=0x1aa6ce0, f=0x1aa8450,
freeme=1) at ../../../%./servers/slapd/filter.c:531
#3 0x00000000004798a3 in slap_sasl2dn (opx=opx@entry=0x1aa6ce0,
saslname=saslname@entry=0x7f933827b600,
sasldn=sasldn@entry=0x7f933827b450, flags=flags@entry=2) at
../../../../servers/slapd/saslauthz.c:2018
#4 0x0000000000480c0f in slap_sasl_getdn (conn=<optimized out>,
op=0x1aa6ce0, op@entry=0x0, id=id@entry=0x7f933827b610,
user_realm=user_realm@entry=0x0, dn=dn@entry=0x7f933827b600, flags=2) at
../../../../servers/slapd/sasl.c:1884
#5 0x00000000004811a1 in slap_sasl_canonicalize (sconn=0x190a7e0,
context=<optimized out>, in=0x1a864b0 "Administrator", inlen=13,
flags=<optimized out>, user_realm=0x0, out=0x190b581 "", out_max=1024,
out_len=0x190b06c) at ../../../../servers/slapd/sasl.c:656
#6 0x00007f93c16b2558 in _sasl_canon_user (conn=conn@entry=0x190a7e0,
user=0x1a864b0 "Administrator", ulen=13, flags=flags@entry=3,
oparams=oparams@entry=0x190b050) at ../../lib/canonusr.c:109
#7 0x00007f93c16b2870 in _sasl_canon_user_lookup (conn=0x190a7e0,
user=<optimized out>, ulen=<optimized out>, flags=3, oparams=0x190b050)
at ../../lib/canonusr.c:273
#8 0x00007f93bd46b936 in saml_server_mech_step (conn_context=0x1a2e8e0,
params=0x190b9f0, clientin=0x1a55bea "", clientinlen=<optimized out>,
serverout=<optimized out>, serveroutlen=<optimized out>,
oparams=0x190b050) at cy2_saml.c:281
#9 0x00007f93c16be605 in sasl_server_step (serveroutlen=<optimized
out>, serverout=0x7f933827b958, clientinlen=<optimized out>,
clientin=<optimized out>, conn=0x190a7e0) at ../../lib/server.c:1614
#10 sasl_server_ste%2(conn=0x190a7e0, clientin=<optimized out>,
clientinlen=<optimized out>, serverout=0x7f933827b958,
serveroutlen=<optimized out>) at ../../lib/server.c:1585
#11 0x00007f93c16beb44 in sasl_server_start (conn=<optimized out>,
mech=<optimized out>, clientin=0x1a55bea "", clientinlen=<optimized
out>, serverout=serverout@entry=0x7f933827b958,
serveroutlen=serveroutlen@entry=0x7f933827b938) at ../../lib/server.c:1529
#12 0x000000000048020e in slap_sasl_bind (op=op@entry=0x1aa6ce0,
rs=rs@entry=0x7f933827ba60) at ../../../../servers/slapd/sasl.c:1512
#13 0x000000000044e217 in fe_op_bind (op=0x1aa6ce0, rs=0x7f933827ba60)
at ../../../../servers/slapd/bind.c:280
#14 0x000000000044dab1 in do_bind (op=0x1aa6ce0, rs=0x7f933827ba60) at
../../../../servers/slapd/bind.c:205
#15 0x00000000004315d5 in connection_operation
(ctx=ctx@entry=0x7f933827bba0, arg_v=arg_v@entry=0x1aa6ce0) at
../../../../servers/slapd/connection.c:1155
#16 0x00000000004318be in connection_read_thread (ctx=0x7f933827bba0,
argv=<optimized out>) at ../../../../servers/slapd/connection.c:1291
#17 0x00007f93c22e4c33 in ldap_int_thread_pool_wrapper (xpool=0x1447450)
at ../../../../libraries/libldap_r/tpool.c:688
#18 0x00007f93c03c3b50 in start_thread (arg=<optimized out>) at
pthread_create.c:304
#19 0x00007f93c010d70d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#20 0x0000000000000000 in ?? ()
Some more context:
(gdb) f 1
#1 0x000000000044d08e in ava_free (op=0x1aa6ce0, ava=0x1aa8410, freeit=1) at
../../../../servers/slapd/ava.c:50
50 op->o_tmpfree( ava->aa_value.bv_val, op->o_tmpmemctx );
(gdb) list
45 {
46 #ifdef LDAP_COMP_MATCH
47 if ( ava->aa_cf && ava->aa_cf->cf_ca->ca_comp_data.cd_mem_op )
48 nibble_mem_free (
ava->aa_cf->cf_ca->ca_comp_data.cd_mem_op );
49 #endif
50 op->o_tmpfree( ava->aa_value.bv_val, op->o_tmpmemctx );
51 if ( ava->aa_desc->ad_flags & SLAP_DESC_TEMPORARY )
52 op->o_tmpfree( ava->aa_desc, op->o_tmpmemctx );
53 if ( freeit ) op->o_tmpfree( (char *) ava, op->o_tmpmemctx );
54 }
(gdb) up
#2 0x00000000004354aa in filter_free_x (op=0x1aa6ce0, f=0x1aa8450, freeme=1) at
../../../../servers/slapd/filter.c:531
531 ava_free( op, f->f_ava, 1 );
(gdb) list
526
527 case LDAP_FILTER_EQUALITY:
528 case LDAP_FILTER_GE:
529 case LDAP_FILTER_LE:
530 case LDAP_FILTER_APPROX:
531 ava_free( op, f->f_ava, 1 );
532 break;
533
534 case LDAP_FILTER_SUBSTRINGS:
535 if ( f->f_sub_initial.bv_val != NULL ) {
(gdb) up
#3 0x00000000004798a3 in slap_sasl2dn (opx=opx@entry=0x1aa6ce0,
saslname=saslname@entry=0x7f933827b600, sasldn=sasldn@entry=0x7f933827b450,
flags=flags@entry=2) at ../../../../servers/slapd/saslauthz.c:2018
2018 filter_free_x( opx, op.ors_filter, 1 );
(gdb) list
1313 }
2014 if( !BER_BVISNULL( &op.o_req_ndn ) ) {
2015 slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx );
2016 }
2017 if( op.ors_filter ) {
2018 filter_free_x( opx, op.ors_filter! 1 );
2019 }
2020 if( !BER_BVISNULL( &op.ors_filterstr ) ) {
2021 ch_free( op.ors_filterstr.bv_val );
2022 }
(gdb) up
(gdb) up
#4 0x0000000000480c0f in slap_sasl_getdn (conn=<optimized out>, op=0x1aa6ce0,
op@entry=0x0, id=id@entry=0x7f933827b610, user_realm=user_realm@entry=0x0,
dn=dn@entry=0x7f933827b600, flags=2) at ../../../../servers/slapd/sasl.c:1884
1884 slap_sasl2dn( op, dn, &dn2, flags );
(gdb) list
1879 }
1880 *dn = dn2;
1881 }
1882
1883 /* Run thru regexp */
1884 slap_sasl2dn( op, dn, &dn2, flags );
1885 if( !BER_BVISNULL( &dn2 ) ) {
1886 slap_sl_free( dn->bv_val, op->o_tmpmemctx );
1887 *dn = dn2;
1888 Debug( LDAP_DEBUG_TRACE,
(gdb) up
#5 0x00000000004811a1 in slap_sasl_canonicalize (sconn=0x190a7e0,
context=<optimized out>, in=0x1a864b0 "Administrator", inlen=13,
flags=<optimized out>,seser_realm=0x0, out=0x190b581 "", out_max=1024,
out_len=0x190b06c) at ../../../../servers/slapd/sasl.c:656
656 rc = slap_sasl_getdn( conn, NULL, &bvin, (char *)user_realm,
&dn,
(gdb) list
651 if ( !rc ) goto nene;
652 }
653
654 bvin.bv_val = (char *)in;
655 bvin.bv_len = inlen;
656 rc = slap_sasl_getdn( conn, NULL, &bvin, (char *)user_realm,
&dn,
657 (flags & SASL_CU_AUTHID) ? SLAP_GETDN_AUTIDID :
SLAP_GETDN_AUTHZID );
658 if ( rc != LDAP_SUCCESS ) {
659 sasl_seterror( sconn, 0, ldap_err2string( rc ) );
660 return SASL_NOAUTHZ;
(gdb) up
#6 0x00007f93c16b2558 in _sasl_canon_user (conn=conn@entry=0x190a7e0,
user=0x1a864b0 "Administrator", ulen=13, flags=flags@entry=3,
oparams=oparams@entry=0x190b050) at ../../lib/canonusr.c:109
109 ../../lib/canonusr.c: Datei oder Verzeichnis nicht gefunden.
(gdb) list
104 result = _sasl_getcallback(conn,
105 SASL_CB_CANON_USER,
106 (sasl_callback_ft *)&cuser_cb,
107 &context);
108 if(result == SASL_OK && cuser_cb) {
109 result = cuser_cb(conn,
110 context,
111 user,
112 ulen,
113 flags,
114 (conn->type == SASL_CONN_SERVER ?
115 sconn->user_realm :
116 NULL),
117 user_buf,
118 CANON_BUF_SIZE,
119 lenp);
(gdb) up
#7 0x00007f93c16b2870 in _sasl_canon_user_lookup (conn=0x190a7e0,
user=<optimized out>, ulen=<optimized out>, flags=3, oparams=0x190b050) at
../../lib/canonusr.c:273
271 int result;
272
273 result = _sasl_canon_user (conn,
274 user,
275 ulen,
276 flags,
277 oparams);
(gdb) up
#8 0x00007f93bd46b936 in saml_server_mech_step (conn_context=0x1a2e8e0,
params=0x190b9f0, clientin=0x1a55bea "", clientinlen=<optimized out>,
serverout=<optimized out>, serveroutlen=<optimized out>, oparams=0x190b050) at
cy2_saml.c:281
281 if ((error = params->canon_user(params->utils->conn,
userid, 0,
(gdb) list
276 goto out;
277 if ((error = params->canon_user(params->utils->conn,
userid, 0,
278 SASL_CU_AUTHID, oparams)) != SASL_OK)
279 goto out;
280 } else {
281 if ((error = params->canon_user(params->utils->conn,
userid, 0,
282 SASL_CU_AUTHID|SASL_CU_AUTHZID, oparams)) !=
SASL_OK)
283 goto out;
284 }
285
Memory information:
In frame1 ava->bv_val is not "Administrator" (the user I authenticated with) but
the bv_len is 13.
(gdb) print *ava
$13 = {aa_desc = 0x1444650, aa_value = {bv_len = 13, bv_val = 0x20 <Address 0x20
out of bounds>}}