Full_Name: Version: 2.4.40-1 OS: debian / UCS 4.1 amd64 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (82.198.197.8)
A malformed URI in the sasl-regexp directive of slapd.conf causes slapd to segfault.
""" sasl-regexp uid=(.*),cn=saml,cn=auth ldap:///0.0.0.0:7389,389/"dc=dev,dc=local"??sub?uid=$1 """ The URI has three slashes after the scheme instead of two.
When authenticating via SASL, /usr/sbin/slapd segfaults.
It should be easy to reproduce; I can provide a core dump if needed.
The backtrace:
Thread 1 (Thread 0x7f933827c700 (LWP 18575)): #0 *__GI___libc_free (mem=0x20) at malloc.c:3709 #1 0x000000000044d08e in ava_free (op=0x1aa6ce0, ava=0x1aa8410, freeit=1) at ../../../../servers/slapd/ava.c:50 #2 0x00000000004354aa in filter_free_x (op=0x1aa6ce0, f=0x1aa8450, freeme=1) at ../../../../servers/slapd/filter.c:531 #3 0x00000000004798a3 in slap_sasl2dn (opx=opx@entry=0x1aa6ce0, saslname=saslname@entry=0x7f933827b600, sasldn=sasldn@entry=0x7f933827b450, flags=flags@entry=2) at ../../../../servers/slapd/saslauthz.c:2018 #4 0x0000000000480c0f in slap_sasl_getdn (conn=<optimized out>, op=0x1aa6ce0, op@entry=0x0, id=id@entry=0x7f933827b610, user_realm=user_realm@entry=0x0, dn=dn@entry=0x7f933827b600, flags=2) at ../../../../servers/slapd/sasl.c:1884 #5 0x00000000004811a1 in slap_sasl_canonicalize (sconn=0x190a7e0, context=<optimized out>, in=0x1a864b0 "Administrator", inlen=13, flags=<optimized out>, user_realm=0x0, out=0x190b581 "", out_max=1024, out_len=0x190b06c) at ../../../../servers/slapd/sasl.c:656 #6 0x00007f93c16b2558 in _sasl_canon_user (conn=conn@entry=0x190a7e0, user=0x1a864b0 "Administrator", ulen=13, flags=flags@entry=3, oparams=oparams@entry=0x190b050) at ../../lib/canonusr.c:109 #7 0x00007f93c16b2870 in _sasl_canon_user_lookup (conn=0x190a7e0, user=<optimized out>, ulen=<optimized out>, flags=3, oparams=0x190b050) at ../../lib/canonusr.c:273 #8 0x00007f93bd46b936 in saml_server_mech_step (conn_context=0x1a2e8e0, params=0x190b9f0, clientin=0x1a55bea "", clientinlen=<optimized out>, serverout=<optimized out>, serveroutlen=<optimized out>, oparams=0x190b050) at cy2_saml.c:281 #9 0x00007f93c16be605 in sasl_server_step (serveroutlen=<optimized out>, serverout=0x7f933827b958, clientinlen=<optimized out>, clientin=<optimized out>, conn=0x190a7e0) at ../../lib/server.c:1614 #10 sasl_server_step (conn=0x190a7e0, clientin=<optimized out>, clientinlen=<optimized out>, serverout=0x7f933827b958, serveroutlen=<optimized out>) at ../../lib/server.c:1585 #11 
0x00007f93c16beb44 in sasl_server_start (conn=<optimized out>, mech=<optimized out>, clientin=0x1a55bea "", clientinlen=<optimized out>, serverout=serverout@entry=0x7f933827b958, serveroutlen=serveroutlen@entry=0x7f933827b938) at ../../lib/server.c:1529 #12 0x000000000048020e in slap_sasl_bind (op=op@entry=0x1aa6ce0, rs=rs@entry=0x7f933827ba60) at ../../../../servers/slapd/sasl.c:1512 #13 0x000000000044e217 in fe_op_bind (op=0x1aa6ce0, rs=0x7f933827ba60) at ../../../../servers/slapd/bind.c:280 #14 0x000000000044dab1 in do_bind (op=0x1aa6ce0, rs=0x7f933827ba60) at ../../../../servers/slapd/bind.c:205 #15 0x00000000004315d5 in connection_operation (ctx=ctx@entry=0x7f933827bba0, arg_v=arg_v@entry=0x1aa6ce0) at ../../../../servers/slapd/connection.c:1155 #16 0x00000000004318be in connection_read_thread (ctx=0x7f933827bba0, argv=<optimized out>) at ../../../../servers/slapd/connection.c:1291 #17 0x00007f93c22e4c33 in ldap_int_thread_pool_wrapper (xpool=0x1447450) at ../../../../libraries/libldap_r/tpool.c:688 #18 0x00007f93c03c3b50 in start_thread (arg=<optimized out>) at pthread_create.c:304 #19 0x00007f93c010d70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #20 0x0000000000000000 in ?? ()
Some more context: (gdb) f 1 #1 0x000000000044d08e in ava_free (op=0x1aa6ce0, ava=0x1aa8410, freeit=1) at ../../../../servers/slapd/ava.c:50 50 op->o_tmpfree( ava->aa_value.bv_val, op->o_tmpmemctx ); (gdb) list 45 { 46 #ifdef LDAP_COMP_MATCH 47 if ( ava->aa_cf && ava->aa_cf->cf_ca->ca_comp_data.cd_mem_op ) 48 nibble_mem_free ( ava->aa_cf->cf_ca->ca_comp_data.cd_mem_op ); 49 #endif 50 op->o_tmpfree( ava->aa_value.bv_val, op->o_tmpmemctx ); 51 if ( ava->aa_desc->ad_flags & SLAP_DESC_TEMPORARY ) 52 op->o_tmpfree( ava->aa_desc, op->o_tmpmemctx ); 53 if ( freeit ) op->o_tmpfree( (char *) ava, op->o_tmpmemctx ); 54 } (gdb) up #2 0x00000000004354aa in filter_free_x (op=0x1aa6ce0, f=0x1aa8450, freeme=1) at ../../../../servers/slapd/filter.c:531 531 ava_free( op, f->f_ava, 1 ); (gdb) list 526 527 case LDAP_FILTER_EQUALITY: 528 case LDAP_FILTER_GE: 529 case LDAP_FILTER_LE: 530 case LDAP_FILTER_APPROX: 531 ava_free( op, f->f_ava, 1 ); 532 break; 533 534 case LDAP_FILTER_SUBSTRINGS: 535 if ( f->f_sub_initial.bv_val != NULL ) { (gdb) up #3 0x00000000004798a3 in slap_sasl2dn (opx=opx@entry=0x1aa6ce0, saslname=saslname@entry=0x7f933827b600, sasldn=sasldn@entry=0x7f933827b450, flags=flags@entry=2) at ../../../../servers/slapd/saslauthz.c:2018 2018 filter_free_x( opx, op.ors_filter, 1 ); (gdb) list 2013 } 2014 if( !BER_BVISNULL( &op.o_req_ndn ) ) { 2015 slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx ); 2016 } 2017 if( op.ors_filter ) { 2018 filter_free_x( opx, op.ors_filter,
1 ); 2019 } 2020 if( !BER_BVISNULL( &op.ors_filterstr ) ) { 2021 ch_free( op.ors_filterstr.bv_val ); 2022 } (gdb) up (gdb) up #4 0x0000000000480c0f in slap_sasl_getdn (conn=<optimized out>, op=0x1aa6ce0, op@entry=0x0, id=id@entry=0x7f933827b610, user_realm=user_realm@entry=0x0, dn=dn@entry=0x7f933827b600, flags=2) at ../../../../servers/slapd/sasl.c:1884 1884 slap_sasl2dn( op, dn, &dn2, flags ); (gdb) list 1879 } 1880 *dn = dn2; 1881 } 1882 1883 /* Run thru regexp */ 1884 slap_sasl2dn( op, dn, &dn2, flags ); 1885 if( !BER_BVISNULL( &dn2 ) ) { 1886 slap_sl_free( dn->bv_val, op->o_tmpmemctx ); 1887 *dn = dn2; 1888 Debug( LDAP_DEBUG_TRACE, (gdb) up #5 0x00000000004811a1 in slap_sasl_canonicalize (sconn=0x190a7e0, context=<optimized out>, in=0x1a864b0 "Administrator", inlen=13, flags=<optimized out>, user_realm=0x0, out=0x190b581 "", out_max=1024, out_len=0x190b06c) at ../../../../servers/slapd/sasl.c:656 656 rc = slap_sasl_getdn( conn, NULL, &bvin, (char *)user_realm, &dn, (gdb) list 651 if ( !rc ) goto nene; 652 } 653 654 bvin.bv_val = (char *)in; 655 bvin.bv_len = inlen; 656 rc = slap_sasl_getdn( conn, NULL, &bvin, (char *)user_realm, &dn, 657 (flags & SASL_CU_AUTHID) ? SLAP_GETDN_AUTHID : SLAP_GETDN_AUTHZID ); 658 if ( rc != LDAP_SUCCESS ) { 659 sasl_seterror( sconn, 0, ldap_err2string( rc ) ); 660 return SASL_NOAUTHZ; (gdb) up #6 0x00007f93c16b2558 in _sasl_canon_user (conn=conn@entry=0x190a7e0, user=0x1a864b0 "Administrator", ulen=13, flags=flags@entry=3, oparams=oparams@entry=0x190b050) at ../../lib/canonusr.c:109 109 ../../lib/canonusr.c: Datei oder Verzeichnis nicht gefunden. (gdb) list 104 result = _sasl_getcallback(conn, 105 SASL_CB_CANON_USER, 106 (sasl_callback_ft *)&cuser_cb, 107 &context); 108 if(result == SASL_OK && cuser_cb) { 109 result = cuser_cb(conn, 110 context, 111 user, 112 ulen, 113 flags, 114 (conn->type == SASL_CONN_SERVER ? 
115 sconn->user_realm : 116 NULL), 117 user_buf, 118 CANON_BUF_SIZE, 119 lenp); (gdb) up #7 0x00007f93c16b2870 in _sasl_canon_user_lookup (conn=0x190a7e0, user=<optimized out>, ulen=<optimized out>, flags=3, oparams=0x190b050) at ../../lib/canonusr.c:273
271 int result; 272 273 result = _sasl_canon_user (conn, 274 user, 275 ulen, 276 flags, 277 oparams);
(gdb) up #8 0x00007f93bd46b936 in saml_server_mech_step (conn_context=0x1a2e8e0, params=0x190b9f0, clientin=0x1a55bea "", clientinlen=<optimized out>, serverout=<optimized out>, serveroutlen=<optimized out>, oparams=0x190b050) at cy2_saml.c:281 281 if ((error = params->canon_user(params->utils->conn, userid, 0, (gdb) list 276 goto out; 277 if ((error = params->canon_user(params->utils->conn, userid, 0, 278 SASL_CU_AUTHID, oparams)) != SASL_OK) 279 goto out; 280 } else { 281 if ((error = params->canon_user(params->utils->conn, userid, 0, 282 SASL_CU_AUTHID|SASL_CU_AUTHZID, oparams)) != SASL_OK) 283 goto out; 284 } 285
Memory information: In frame 1, ava->aa_value.bv_val is not "Administrator" (the user I authenticated with), although aa_value.bv_len is 13, the length of "Administrator". bv_val is 0x20, which is the invalid pointer being passed to free in frame 0 (mem=0x20).
(gdb) print *ava $13 = {aa_desc = 0x1444650, aa_value = {bv_len = 13, bv_val = 0x20 <Address 0x20 out of bounds>}}