Stephan Zeisberg wrote:
Hi Howard —

Thanks for the quick reply. Will forward the report upstream to Cyrus SASL.
For reference, this fixes the bug:
vielle:/home/software/cyrus-sasl> git diff diff --git a/lib/common.c b/lib/common.c index bc3bf1df..9969d6aa 100644 --- a/lib/common.c +++ b/lib/common.c @@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
if (add==NULL) add = "(null)";
- addlen=strlen(add); /* only compute once */ + addlen=strlen(add)+1; /* only compute once */ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) return SASL_NOMEM;
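Review bot: folding the terminator into addlen changes every later use of that variable, and the "only compute once" comment says it is reused below the visible context; if that reuse includes the *outlen update, the NUL is from now on counted as payload and the next _sasl_add_string call appends after it instead of over it. The change that touches only the allocation is to keep addlen=strlen(add) and request (*outlen)+addlen+1 from _buf_alloc. Whichever form is kept, a comment on the _buf_alloc call saying the size covers the bytes the copy writes, terminator included, would stop this from regressing, since the original line reads as if it already did.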
Git history shows this bug has existed since the code was originally written in

commit 061698456069833e244d66ce33c8f82c2cd63ce3
Author: Rob Siemborski <rjs3@andrew.cmu.edu>
Date:   Tue Dec 4 01:59:43 2001 +0000
Best
    -Stephan

On 11/28/19 3:54 PM, Howard Chu wrote:
Resending with the non-printable chars omitted:
Howard Chu wrote:
Thanks, but your trace clearly shows that this is a fault in Cyrus SASL; you should be reporting this issue to them.
valgrind confirms it as well:
5ddfddde do_bind: dn () SASL mech <garbage>
5ddfddde ==> sasl_bind: dn="" mech=<garbage> datalen=0
==11019== Thread 3:
==11019== Invalid write of size 1
==11019==    at 0x4B9B1DB: sasl_seterror (seterror.c:247)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
==11019==    by 0x4EFA322: clone (clone.S:95)
==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
==11019==
==11019== Invalid read of size 1
==11019==    at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688)
==11019==    by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114)
==11019==    by 0x3A1FFA: lutil_debug (debug.c:74)
==11019==    by 0x266FF3: slap_sasl_log (sasl.c:146)
==11019==    by 0x4B9B4CF: sasl_seterror (seterror.c:260)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==  Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
==11019==    at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==11019==    by 0x4B930A4: _buf_alloc (common.c:2186)
==11019==    by 0x4B93299: _sasl_add_string (common.c:196)
==11019==    by 0x4B9B2D4: sasl_seterror (seterror.c:187)
==11019==    by 0x4B9A18D: sasl_server_start (server.c:1418)
==11019==    by 0x26B88B: slap_sasl_bind (sasl.c:1666)
==11019==    by 0x21E130: fe_op_bind (bind.c:279)
==11019==    by 0x21DCE1: do_bind (bind.c:205)
==11019==    by 0x1F35BA: connection_operation (connection.c:1185)
==11019==    by 0x1F3CE7: connection_read_thread (connection.c:1342)
==11019==    by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
==11019==    by 0x4DBE668: start_thread (pthread_create.c:479)
-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
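The valgrind output above says the bad write lands "0 bytes after a block of size 600", which is exactly what an allocation request that forgets the terminating NUL produces when the appended string ends on the block boundary. The following C program is an added illustration of that mechanism; it is not Cyrus SASL code and none of the names in it (strbuf, buf_alloc, add_string, append_all) exist in that library. It models a growable buffer in the shape of _sasl_add_string()/_buf_alloc(), with the size request for the terminator made selectable so the buggy and the fixed accounting can be run side by side on the same constructed input. The would-be out-of-bounds write is detected and reported rather than performed, so the program never corrupts its own heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not Cyrus SASL code. strbuf mirrors the three values
 * _sasl_add_string() works with: the heap block, its allocated size and the
 * number of bytes in use (the terminator is not counted as used).
 */
typedef struct {
    char   *out;      /* heap block */
    size_t  alloclen; /* bytes allocated */
    size_t  outlen;   /* bytes in use, excluding the terminating NUL */
} strbuf;

/* Grow to exactly `need` bytes. A real allocator usually rounds sizes up,
 * which is why a missing +1 only bites when the string ends on the block
 * boundary (the 600-byte block in the valgrind report above). */
static int buf_alloc(strbuf *b, size_t need)
{
    if (b->alloclen >= need)
        return 0;
    char *p = realloc(b->out, need);
    if (p == NULL)
        return -1;
    b->out = p;
    b->alloclen = need;
    return 0;
}

/* Append `add`. With count_nul == 0 the size request omits the terminator
 * (the original off-by-one); with count_nul == 1 it is included (the fix).
 * Returns 1 on success, 0 if the copy would write past the block. The
 * out-of-bounds byte is reported instead of written. */
static int add_string(strbuf *b, const char *add, int count_nul)
{
    if (add == NULL)
        add = "(null)";
    size_t addlen = strlen(add); /* only compute once */
    if (buf_alloc(b, b->outlen + addlen + (count_nul ? 1 : 0)) != 0)
        return 0;
    /* The copy touches addlen+1 bytes starting at out[outlen]. Without the
     * +1 in the request, alloclen == outlen+addlen and the NUL would land at
     * out[alloclen]: "0 bytes after" the block. */
    if (b->outlen + addlen + 1 > b->alloclen)
        return 0;
    memcpy(b->out + b->outlen, add, addlen + 1);
    b->outlen += addlen; /* outlen still excludes the NUL, so the next append overwrites it */
    return 1;
}

/* Append each of `parts` in turn. Returns how many appends stayed in bounds
 * and leaves the assembled text in `result` (empty if nothing was copied). */
int append_all(const char *const *parts, size_t nparts, int count_nul,
               char *result, size_t resultsz)
{
    strbuf b = { NULL, 0, 0 };
    int ok = 0;
    for (size_t i = 0; i < nparts; i++) {
        if (!add_string(&b, parts[i], count_nul))
            break;
        ok++;
    }
    if (b.out != NULL && ok > 0)
        snprintf(result, resultsz, "%s", b.out);
    else if (resultsz > 0)
        result[0] = '\0';
    free(b.out);
    return ok;
}

int main(void)
{
    /* Constructed input: a fixed message prefix plus a caller-chosen mech name,
     * the same shape as the error text sasl_seterror() assembles. */
    const char *parts[] = { "no mechanism available: ", "<garbage>" };
    char text[128];
    int buggy = append_all(parts, 2, 0, text, sizeof text);
    printf("buggy accounting: %d of 2 appends in bounds\n", buggy);
    int fixed = append_all(parts, 2, 1, text, sizeof text);
    printf("fixed accounting: %d of 2 appends in bounds -> \"%s\"\n", fixed, text);
    return 0;
}
```

The buggy path fails on the very first append because buf_alloc hands back a block of exactly outlen+addlen bytes; on a real system malloc's rounding would usually hide that until a string such as a long attacker-supplied mechanism name fills the block to the byte, which is the case the trace above caught. The fixed path keeps outlen free of the terminator after each append, so repeated calls keep overwriting the NUL rather than accumulating stray bytes.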