Bug 438533

Summary: patch for hang in "saslauthd -a rimap"
Product: Red Hat Enterprise Linux 5 Reporter: Gaurav Chaturvedi <gaurav.p.chaturvedi>
Component: cyrus-saslAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: low    
Version: 5.0CC: ohudlick, sgrubb
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://archives.free.net.ph/message/20080103.180459.41a31541.en.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-02 10:12:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch for auth_rimap.c, versions 2.1.19, 2.1.20, and 2.1.22 none

Description Gaurav Chaturvedi 2008-03-21 14:37:54 UTC 
I am forwarding this patch from Bob, Who wrote the following patch

I am also pasting his mail in which he describes what exactly is it for.
==========================================================================
Hello,

I was finding that saslauthd (using rimap) would occasionally hang and
consume all available CPU time. After considerable investigation (and
after capturing lots of network traffic), I found that this occurred
when a user had a double quote (") character in their password. Further
testing with testsaslauthd revealed the same behavior. This problem
would occur any time the user name or password had any double quote
characters. This can lead to a remote DoS as neither the user name nor
the password need to be valid they just need to contain a (").

I found the source of the issue in saslauthd/auth_rimap.c. It appears
that the code is searching for the (") character and upon finding it,
gets stuck in a loop. I also found errors in the use of the memset()
function later in the same file. This problem appears to effect all
recent version of cyrus-sasl. I can confirm that I have found the
problem in 2.1.19, 2.1.20, and 2.1.22 on both Linux and OpenBSD.

To assist others, I have attached the patch that I created.
Unfortunately, I don't know what the official mechanism is for
submitting patches. I hope that this would be the appropriate place to
start.

Regards,

-Bob 
=====================================================
--- cyrus-sasl-2.1.22/saslauthd/auth_rimap.c Thu Apr 6 15:19:54 2006
+++ cyrus-sasl-2.1.22-1/saslauthd/auth_rimap.c Fri Dec 28 03:06:18 2007
@@ -162,6 +162,7 @@
num_quotes = 0;
p1 = s;
while ((p1 = strchr(p1, '"')) != NULL) {
+ p1++;
num_quotes++;
}

@@ -438,7 +439,7 @@
syslog(LOG_WARNING, "auth_rimap: writev: %m");
memset(qlogin, 0, strlen(qlogin));
free(qlogin);
- memset(qpass, 0, strlen(qlogin));
+ memset(qpass, 0, strlen(qpass));
free(qpass);
(void)close(s);
return strdup(RESP_IERROR);
@@ -447,7 +448,7 @@
/* don't need these any longer */
memset(qlogin, 0, strlen(qlogin));
free(qlogin);
- memset(qpass, 0, strlen(qlogin));
+ memset(qpass, 0, strlen(qpass));
free(qpass);

/* read and parse the LOGIN response */
Comment 1 Gaurav Chaturvedi 2008-03-21 14:37:54 UTC 
Created attachment 298791 [details]
Patch for auth_rimap.c, versions 2.1.19, 2.1.20, and 2.1.22
Comment 2 Gaurav Chaturvedi 2008-03-21 14:38:49 UTC 
[Link] http://archives.free.net.ph/message/20080103.180459.41a31541.en.html
Comment 8 errata-xmlrpc 2009-09-02 10:12:48 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1330.html