Full_Name: Bill Clay
Version: 2.4.44
OS: Debian/GNU Linux 7.8 (Wheezy)
URL:
Submission from: (NULL) (79.12.44.250)
In sasl.c 2.4.44, slap_sasl_bind(), the target variable for "sasl_getprop( ctx, SASL_SSF_EXTERNAL, (void *)&ssf );" is declared "sasl_ssf_t ssf", but sasl_getprop() needs "sasl_ssf_t *ssf". This also necessitates adjustment of the last argument of the corresponding sasl_setprop() later in the same proc.
In certain circumstances (e.g., two successive localhost EXTERNAL binds on the same LDAP connection on a Debian Linux amd64 system), this provokes a fatal slapd SIGSEGV at sasl.c:1504 due to corruption of the pointer ctx (the low-order 4 bytes of ctx are overwritten by the high-order 4 bytes of &op->o_hdr->oh_conn->c_sasl_authctx.external.ssf):
(gdb) bt
#0  sasl_getprop (conn=0x7f1f00007f1f, propnum=propnum@entry=102, pvalue=pvalue@entry=0x7f1faed42948) at ../../lib/common.c:1042
#1  0x000000000047105c in slap_sasl_bind (op=op@entry=0x7f1fa0002930, rs=rs@entry=0x7f1faed42a60) at sasl.c:1504
#2  0x000000000043ecf7 in fe_op_bind (op=0x7f1fa0002930, rs=0x7f1faed42a60) at bind.c:280
#3  0x000000000043e591 in do_bind (op=0x7f1fa0002930, rs=0x7f1faed42a60) at bind.c:205
#4  0x0000000000422145 in connection_operation (ctx=ctx@entry=0x7f1faed42b90, arg_v=arg_v@entry=0x7f1fa0002930) at connection.c:1158
#5  0x000000000042242e in connection_read_thread (ctx=0x7f1faed42b90, argv=<optimized out>) at connection.c:1294
#6  0x00000000004dc978 in ldap_int_thread_pool_wrapper (xpool=0x124a010) at tpool.c:696
#7  0x00007f1f5c3030a4 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#8  0x00007f1ff22f862d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb)
Usually, there is no obvious impact; I have not been able to provoke the SIGSEGV except with localhost LDAP connections.
The following patch seems to correct this issue. I have tested it only on a Debian Linux amd64 system, OpenLDAP 2.4.44 built from source, running with Cyrus SASL 2.1.25 as distributed in Debian Wheezy.
bill@fuji:/usr/local/src/openldap-2.4.44/servers/slapd$ diff sasl.c.orig sasl.c 1501c1501 < sasl_ssf_t ssf = 0; ---
sasl_ssf_t *ssf = NULL;
1514c1514 < sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf ); ---
sasl_setprop( ctx, SASL_SSF_EXTERNAL, ssf );
bill@fuji:/usr/local/src/openldap-2.4.44/servers/slapd$
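Review bot: declaring "sasl_ssf_t *ssf" fixes the sasl_getprop() side (the 4-byte sasl_ssf_t could not hold the pointer that sasl_getprop() stores, which is the ctx corruption shown above), but the changed line 1514, "sasl_setprop( ctx, SASL_SSF_EXTERNAL, ssf );", now hands sasl_setprop() a pointer into storage owned by the context that sasl_getprop() was called on. If that context is disposed of or replaced anywhere between line 1501 and line 1514 (the report says only that the setprop is "later in the same proc"), ssf dangles at the setprop. Safer to copy the value out and keep the setprop argument as it was: "sasl_ssf_t *ssfp = NULL; sasl_ssf_t ssf = 0;", then "sasl_getprop( ctx, SASL_SSF_EXTERNAL, (const void **)&ssfp ); if ( ssfp ) ssf = *ssfp;", and leave "sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf );" unchanged. Also, the two replacement lines lost their leading ">" marker in the paste; a "diff -u" would be easier to apply.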
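A small C model of the sasl_getprop()/sasl_setprop() contract, added here as an illustration and not code from OpenLDAP or Cyrus SASL: struct mock_conn and the mock_* functions are stand-ins for sasl_conn_t and the real calls, and the dispose between the two calls is an assumption of the example. It shows why the variable receiving SASL_SSF_EXTERNAL must be a pointer and why its value should be copied out before the context it points into goes away.

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned int sasl_ssf_t;   /* same width as Cyrus SASL's sasl_ssf_t */
#define SASL_SSF_EXTERNAL 102      /* propnum seen in the backtrace */

/* Hypothetical stand-in for sasl_conn_t; only the field this example needs. */
struct mock_conn { sasl_ssf_t external_ssf; };

/* Like sasl_getprop(): stores a POINTER into the context's own storage.
 * Passing &ssf for a plain sasl_ssf_t would make this write a full pointer
 * (8 bytes on amd64) into a 4-byte object, overrunning the neighbour on the
 * stack; that is the ctx corruption described in the report. */
static int mock_getprop(struct mock_conn *c, int propnum, const void **pvalue)
{
    if (c == NULL || propnum != SASL_SSF_EXTERNAL) return -1;
    *pvalue = &c->external_ssf;
    return 0;
}

/* Like sasl_setprop(): copies the value the caller points at. */
static int mock_setprop(struct mock_conn *c, int propnum, const void *value)
{
    if (c == NULL || propnum != SASL_SSF_EXTERNAL) return -1;
    c->external_ssf = *(const sasl_ssf_t *)value;
    return 0;
}

/* Carry the external SSF from *old to fresh, disposing *old in between
 * (assumed here to model the context being replaced). ssfp has the type
 * getprop expects; copying *ssfp into ssf before the free keeps the value
 * valid when it is handed to setprop, instead of reading freed memory. */
static sasl_ssf_t carry_external_ssf(struct mock_conn **old, struct mock_conn *fresh)
{
    const sasl_ssf_t *ssfp = NULL;
    sasl_ssf_t ssf = 0;

    if (mock_getprop(*old, SASL_SSF_EXTERNAL, (const void **)&ssfp) == 0 && ssfp)
        ssf = *ssfp;
    free(*old);          /* models sasl_dispose(): ssfp now dangles, ssf does not */
    *old = NULL;
    mock_setprop(fresh, SASL_SSF_EXTERNAL, &ssf);
    return fresh->external_ssf;
}

/* Build an old context with the given SSF (constructed input), carry it over
 * and return what the fresh context ended up with. */
static sasl_ssf_t demo_carry(sasl_ssf_t initial)
{
    struct mock_conn *old = malloc(sizeof *old);
    struct mock_conn fresh = { 0 };
    old->external_ssf = initial;
    return carry_external_ssf(&old, &fresh);
}
```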