Bug 179137 (CVE-2006-0452)

Summary: CVE-2006-0452 recursion causes OOM with bad DN in dn2ancestor
Product: [Other] Security Response
Component: vulnerability
Reporter: Rich Megginson <rmeggins>
Assignee: Rich Megginson <rmeggins>
QA Contact: Orla Hegarty <ohegarty>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: ohegarty, security-response-team
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-26 20:14:46 UTC
Bug Blocks: 159328, 182367, 182630, 183369

Attachments:
  files for fix (flags: none)
  diffs for fix (flags: none)

Description Rich Megginson 2006-01-27 17:01:36 UTC
If you perform a ModDN operation with a DN consisting of nothing but 100,000 ','
characters (a very badly formed DN, to be sure), the dn2ancestor code will
happily traverse back through the entire DN one comma at a time looking for an
existing parent of the entry using dn2entry.  What's worse, it uses recursion to
do so (dn2ancestor -> dn2ancestor_or_entry -> dn2ancestor -> etc.), chewing up
CPU and finally all of the RAM causing an OOM exit.

Comment 1 Rich Megginson 2006-01-27 17:24:50 UTC
Created attachment 123785 [details]
files for fix

Comment 2 Rich Megginson 2006-01-27 17:25:10 UTC
Created attachment 123786 [details]
diffs for fix

Comment 3 Mark J. Cox 2006-02-14 10:36:32 UTC
Note of CVE name:

        CVE-2006-0452: A carefully crafted malformed DN will cause the
        server to recurse until it runs out of memory and exits


Comment 4 Rich Megginson 2006-02-23 20:43:30 UTC
Reviewed by: All (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123785
Branch: HEAD
Fix Description: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179137#c0
The fix looks scary, but I thought it would be best to get rid of 
recursion entirely (ugh - recursion in a multi threaded server - this 
isn't lisp . . .).  Along with eliminating recursion, I created a new 
function called slapi_dn_find_parent that just returns a pointer to the 
beginning of the parent of the given dn, rather than returning a copy 
(as in slapi_dn_parent), to eliminate malloc/free in cases where it is 
unnecessary such as iterating through the parents in a DN.  The new 
function is basically just the guts of slapi_dn_parent with one twist, 
specifically to address the bug in question - it skips through 
consecutive runs of DN separator characters.  We should probably have a 
function like const char *slapi_dn_is_valid(const char *) that returns 
NULL if the given DN is valid or returns a pointer to the first invalid 
character if not.  We could probably save a lot of time in processing 
bad or malicious client requests.

Anyway, back to dn2ancestor.  The given ancestordn must contain the 
_unnormalized_ parent DN, since some clients get irritated when they get 
back a DN in a different form than given.  However, we need to have a 
normalized DN to pass to dn2entry, and we cannot use a single Slapi_DN 
that has both a dn and a ndn that are passed in byval (unless we add a 
new API or skip the API altogether), so the variable ancestorndn holds 
the normalized DN.  Using the original pointer to the given sdn also 
allows us to avoid malloc/free entirely.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: We need a test case that calls moddn and 
modify operations with really bad DNs, consisting of nothing but 
thousands of ',', '+', and '=' chars.

Checking in ldapserver/ldap/servers/slapd/dn.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/dn.c,v  <--  dn.c
new revision: 1.8; previous revision: 1.7
done
Checking in ldapserver/ldap/servers/slapd/slapi-plugin.h;
/cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v  <--  slapi-plugin.h
new revision: 1.9; previous revision: 1.8
done
Checking in ldapserver/ldap/servers/slapd/back-ldbm/dn2entry.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/dn2entry.c,v  <--  dn2entry.c
new revision: 1.5; previous revision: 1.4
done
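
As an added illustration (not the project's code and not the attached fix), a hypothetical example_dn_find_parent in the spirit of the slapi_dn_find_parent described above: it returns a pointer into the DN rather than a copy, swallows whole runs of separator characters in one step, and drives an iterative rather than recursive ancestor walk. It assumes ',' as the only separator and backslash escaping; the 100,000-comma input is constructed here to show the pathological case finishing without any per-comma work.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parent finder (not the real slapi_dn_find_parent).
 * Returns a pointer into dn at the start of its parent, or NULL when
 * there is no parent. A run of consecutive separators is skipped as a
 * unit, so ",,,,," is consumed in one step instead of one comma at a
 * time. Assumes ',' is the separator and '\\' escapes the next char. */
const char *example_dn_find_parent(const char *dn)
{
    const char *p;
    if (dn == NULL || *dn == '\0')
        return NULL;
    /* advance to the first unescaped separator of the leading RDN */
    for (p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; } /* escaped */
        if (*p == ',')
            break;
    }
    if (*p == '\0')
        return NULL;                /* single RDN: no parent */
    /* skip the whole run of separators and any spaces between them */
    while (*p == ',' || *p == ' ')
        p++;
    return (*p != '\0') ? p : NULL; /* trailing separators: no parent */
}

/* Iterative stand-in for the old recursive dn2ancestor walk: each
 * iteration is where a dn2entry lookup would happen. Returns how many
 * candidate ancestor DNs were examined. No recursion, no allocation. */
size_t example_count_ancestors(const char *dn)
{
    size_t n = 0;
    const char *p = example_dn_find_parent(dn);
    while (p != NULL) {
        n++;
        p = example_dn_find_parent(p);
    }
    return n;
}

/* Constructed pathological input: len commas and nothing else. */
char *example_make_comma_dn(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, ',', len);
    s[len] = '\0';
    return s;
}
```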


Comment 6 To Ngan 2006-03-15 23:16:50 UTC
Verified DS 6.21 SP3 20060310.1

Comment 9 Orla Hegarty 2006-05-26 17:49:53 UTC
Somehow the errata system did not automatically close these bugs even though DS
SP 2 is shipped and available live on RHN

Comment 10 Orla Hegarty 2006-05-26 17:53:25 UTC
trying to manually close

Comment 11 Orla Hegarty 2006-05-26 20:14:46 UTC
trying again