
Fw: auxprop bug



This is a copy of my message to cyrus-sasl maillist.

==
> I've noticed this problem first when I tried to use OpenLDAP 2.1.8 with
> Cyrus SASL 2.1.7 (patched for BDB 4.1.24). OpenLDAP failed to
> proxy-authorize user: ldapsearch -U "authuser" -X "u:authzuser" gave out
> rights of "authuser". As I've found out, the bug resides in
> (SASL)/lib/auxprop.c.
>
> Corresponding code in OpenLDAP is in (SASL)/servers/slapd/sasl.c, function
> slap_sasl_canonicalize. As it appears to me, prop_request at line 803
> requests to increase number of allocated values (from 4 to 6 values), then
> ctx->list_end becomes broken (it must be updated, but it isn't). Next call to
> prop_set at line 814 corrupts ctx->values[4].
>
> My issue is fixed by changing "#define PROP_DEFAULT 4" line in
> (SASL)/includes/prop.h to "#define PROP_DEFAULT 8". This trick avoids
> runtime prop pool resizing, thus avoiding the bug.
>
> I'm not sure how to fix this bug completely, as I do not understand how prop
> pool's data is used.
==

My setup is simple: cleartext passwords are in the directory, auxprop
"slapd" is used. "authuser" has the needed saslAuthzTo attribute, and there is
a "sasl-authz-policy to" line in slapd.conf. Then the problem is that
proxy-authorization does not happen at all, as if it was not requested. I
think this one is a security issue. It's not OpenLDAP's fault, but it is
potentially dangerous.

flicker
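Added example, not code from the message or from Cyrus SASL: a minimal C model of the pool-resize defect described above. A `rebase` flag selects the buggy path (the end pointer is left pointing into the old block, so the next set is lost from the live pool) or the corrected one (the pointer is rebased after growth). The names `pool`, `pool_grow` and `scenario` are constructed for this model; the old block is leaked on purpose so the buggy path stays defined behaviour rather than a use-after-free.

```c
/* Constructed model of the resize bug in the report (not auxprop.c itself).
 * A pool holds `values`; `list_end` points at the next free slot inside it.
 * Growing the pool relocates `values`; if `list_end` is not rebased it still
 * points into the old block and later writes through it never reach the pool. */
#include <stdlib.h>
#include <string.h>

#define PROP_DEFAULT 4               /* initial capacity, as in the message */

struct pool {
    const char **values;             /* value slots */
    const char **list_end;           /* next free slot inside values */
    size_t cap;
};

static void pool_init(struct pool *p, size_t cap) {
    p->values = calloc(cap, sizeof *p->values);
    if (!p->values) abort();
    p->list_end = p->values;
    p->cap = cap;
}

/* Grow the pool; rebase=1 is the corrected behaviour, rebase=0 the bug.
 * The old block is deliberately not freed so the buggy write stays in
 * valid memory for this model (in real code it is a dangling pointer). */
static void pool_grow(struct pool *p, size_t newcap, int rebase) {
    size_t used = (size_t)(p->list_end - p->values);
    const char **nv = calloc(newcap, sizeof *nv);
    if (!nv) abort();
    memcpy(nv, p->values, p->cap * sizeof *nv);
    p->values = nv;
    p->cap = newcap;
    if (rebase) p->list_end = nv + used;   /* the update the report says is missing */
}

static void pool_set(struct pool *p, const char *v) {
    *p->list_end++ = v;                    /* every write goes through list_end */
}

/* Fill three of the four default slots, grow 4 -> 6 as in the report, then
 * set one more value. Returns 1 if that value is visible in the live pool,
 * 0 if it was lost (written into the stale block). */
static int scenario(int rebase) {
    struct pool p; size_t i; int ok;
    pool_init(&p, PROP_DEFAULT);
    for (i = 0; i + 1 < PROP_DEFAULT; i++) pool_set(&p, "filler");
    pool_grow(&p, 6, rebase);
    pool_set(&p, "authzid");
    ok = p.values[PROP_DEFAULT - 1] != NULL
      && strcmp(p.values[PROP_DEFAULT - 1], "authzid") == 0;
    free(p.values);
    return ok;
}
```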