Full_Name: Paul Turgyan
Version: 2.3.35
OS: linux - 2.6 kernel
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.213.231.201)
slapd cores with a SEGFAULT after a failed proxy authorization, with a core file like:
(gdb) bt
#0  0xb7c74be5 in *__GI___libc_free (mem=0xab5fc714) at malloc.c:3402
#1  0x0807aa96 in ch_free (ptr=0xab5fc714) at ch_malloc.c:139
#2  0x080a5886 in slap_sasl_authorize (sconn=0xacb03000, context=0xada20428, requested_user=0xacb03910 "pturgyan@UMICH.EDU", rlen=18, auth_identity=0xacb03a11 "pturgyan@UMICH.EDU", alen=18, def_realm=0xacb049e0 "UMICH.EDU", urlen=9, props=0x0) at sasl.c:673
#3  0xb7ea2ba3 in do_authorization (s_conn=0xacb03000) at server.c:1163
#4  0xb7ea2d18 in sasl_server_step (conn=0xacb03000, clientin=0xacb01dae "`?\006\t*\206H\206?\022\001\002\002\002\001\004", clientinlen=0, serverout=0xad61d114, serveroutlen=0x1) at server.c:1420
#5  0x080a6654 in slap_sasl_bind (op=0x830fad0, rs=0xad61d240) at sasl.c:1395
#6  0x0807cdaa in fe_op_bind (op=0x830fad0, rs=0xad61d240) at bind.c:276
#7  0x0807c5b3 in do_bind (op=0x830fad0, rs=0xad61d240) at bind.c:200
#8  0x0806176f in connection_operation (ctx=0x0, arg_v=0x830fad0) at connection.c:1133
#9  0x08133e28 in ldap_int_thread_pool_wrapper (xpool=0x81ff4e0) at tpool.c:478
#10 0xb7e83c6b in start_thread (arg=0xad61dbb0) at pthread_create.c:261
#11 0xb7cc9d9e in clone () from /lib/libc.so.6
We are using cyrus-sasl-2.1.21 and heimdal-0.6.2.
During a proxy auth, c_sasl_dn is set at sasl.c:682. If the proxy auth fails for some reason, then c_sasl_dn is never cleared. Sometime later, when that connection block is reused for another sasl bind, slap_sasl_authorize attempts to free the memory pointed to by c_sasl_dn.bv_val at sasl.c:673 and free SEGFAULTs.
This can be duplicated by looping an ldapsearch that does a SASL bind with an invalid proxy authorization. You have to loop long enough to force a reuse of a connection struct.
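The failure sequence described above, as an added stand-alone C model (not OpenLDAP's code): a connection block keeps a DN buffer in `c_sasl_dn`, the failure path releases that buffer without clearing the field, and the next bind on the reused block frees the same address again. The `berval`, `BER_BVZERO` and `Connection` shapes are assumed stand-ins, and the assumption that `c_sasl_dn` refers to the same buffer the failure path releases is the reading of the report this model takes. A quarantining free is used so the second release is counted rather than faulting inside libc's `free()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for OpenLDAP's struct berval and BER_BVZERO (shapes assumed for this model). */
struct berval { size_t bv_len; char *bv_val; };
#define BER_BVZERO(bv) do { (bv)->bv_len = 0; (bv)->bv_val = NULL; } while (0)

/* Hypothetical connection block: only the field the report mentions. */
typedef struct { struct berval c_sasl_dn; } Connection;

/* Quarantining free: buffers are never handed back to libc, so addresses stay unique and
 * a second release of the same address is detected and counted instead of faulting. */
#define MAX_FREED 64
static void *freed_ptrs[MAX_FREED];
static int nfreed;
static int double_frees;

static void ch_free_checked(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < nfreed; i++) {
        if (freed_ptrs[i] == p) { double_frees++; return; }  /* already released once */
    }
    if (nfreed < MAX_FREED) freed_ptrs[nfreed++] = p;
    /* intentionally no free(): the quarantine keeps the address from being reused */
}

static void reset_tracking(void) { nfreed = 0; double_frees = 0; }

/* Toy authorize step following the order the report gives:
 *  1. release whatever a previous bind left in c_sasl_dn (sasl.c:673 in the report)
 *  2. store the newly built DN in c_sasl_dn (sasl.c:682)
 *  3. on a disallowed proxy authorization, release the DN buffer and fail (sasl.c:699-704)
 * clear_on_failure selects the unpatched (0) or patched (1) behaviour of step 3. */
static int sasl_authorize(Connection *conn, const char *dn, int allowed, int clear_on_failure) {
    /* step 1: leftover from an earlier bind on this connection block */
    if (conn->c_sasl_dn.bv_val != NULL) {
        ch_free_checked(conn->c_sasl_dn.bv_val);
        BER_BVZERO(&conn->c_sasl_dn);
    }

    /* step 2: the new DN (assumption: a heap copy owned by the connection) */
    struct berval authzDN;
    authzDN.bv_len = strlen(dn);
    authzDN.bv_val = malloc(authzDN.bv_len + 1);
    if (authzDN.bv_val == NULL) return -2;
    memcpy(authzDN.bv_val, dn, authzDN.bv_len + 1);
    conn->c_sasl_dn = authzDN;

    /* step 3: proxy authorization disallowed */
    if (!allowed) {
        if (clear_on_failure) BER_BVZERO(&conn->c_sasl_dn);  /* the fix: no stale pointer */
        ch_free_checked(authzDN.bv_val);
        return -1;  /* stands in for SASL_NOAUTHZ */
    }
    return 0;  /* stands in for SASL_OK */
}

/* The reproduction from the report: a failed proxy bind, then the same connection block
 * reused for another bind. Returns the number of double frees observed. */
static int reuse_after_failed_bind(int clear_on_failure) {
    Connection pool[1];
    memset(pool, 0, sizeof pool);
    reset_tracking();
    /* constructed sample DNs */
    sasl_authorize(&pool[0], "dn:uid=alice,dc=example,dc=com", 0, clear_on_failure);
    sasl_authorize(&pool[0], "dn:uid=bob,dc=example,dc=com", 1, clear_on_failure);
    return double_frees;
}

int main(void) {
    printf("unpatched: double frees = %d\n", reuse_after_failed_bind(0));
    printf("patched:   double frees = %d\n", reuse_after_failed_bind(1));
    return 0;
}
```

The unpatched run reports one double free on the reused block; the patched run reports none. In a real process the second release lands inside libc's `free()`, which is where the backtrace above stops.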
The following patch NULLs out c_sasl_dn at sasl.c:702 when the proxy auth is disallowed.
*** sasl.c- Thu Jan 25 07:42:38 2007 --- sasl.c Fri May 11 13:47:19 2007 *************** *** 699,704 **** --- 699,705 ---- "proxy authorization disallowed (%d)\n", (long) (conn ? conn->c_connid : -1), rc, 0 );
+ BER_BVZERO( &conn->c_sasl_dn ); sasl_seterror( sconn, 0, "not authorized" ); ch_free( authzDN.bv_val ); return SASL_NOAUTHZ;
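Review bot: the added `BER_BVZERO( &conn->c_sasl_dn );` dereferences `conn` unconditionally, while the Debug call immediately above it guards with `conn ? conn->c_connid : -1`; either that guard is unnecessary here or the new line can fault on a NULL connection, so consider `if ( conn ) BER_BVZERO( &conn->c_sasl_dn );` or dropping the guard for consistency. Placing the clear before `ch_free( authzDN.bv_val )` is the right order under the report's reading that c_sasl_dn refers to that buffer, since nothing is left pointing at released memory. The report also says c_sasl_dn stays stale whenever the proxy auth "fails for some reason", and this hunk only covers the "disallowed" return, so any other failure return between sasl.c:682 and this point should be checked for the same leftover.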