Bug 480704

Summary: Denial of service - Infinite loop in SASL security layer with max-frame-size = 0
Product: Red Hat Enterprise MRG
Reporter: Ted Ross <tross>
Component: qpid-cpp
Assignee: Ted Ross <tross>
Status: CLOSED CURRENTRELEASE
QA Contact: Frantisek Reznicek <freznice>
Severity: high
Priority: high
Version: Development
CC: esammons, iboverma, jross, mkudlej
Target Milestone: 1.1.1
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-06-27 20:03:09 UTC

Description Ted Ross 2009-01-19 22:42:29 UTC
Description of problem:

If a client successfully authenticates with a SASL mechanism that has a security layer, and provides no arguments in the "connection.tune-ok" message, the broker uses zero as the max-frame-size.  This causes CyrusSecurityLayer::decode to loop infinitely, hanging the broker and using 100% of a CPU.

Version-Release number of selected component (if applicable):

Version 1.1.1

How reproducible:

100%

Comment 1 Ted Ross 2009-01-21 18:33:08 UTC
To reproduce:

First, you need to be using Kerberos-5 for authentication.  This involves having a KDC that is configured with a service principal for the qpidd broker (called "qpidd/host.domain@REALM") and a user principal.  You must kinit the user principal.

Use an svn checkout for the Ruby client:

# cd <svn-qpid-checkout>/ruby
# rake build

Here's the test sequence (you will do this multiple times):

# cd <svn-qpid-checkout>/ruby/lib
# irb -r qpid --noinspect -I ../ext/sasl
> s = Qpid::Qmf::Session.new(:manage_connections=>false)
> b = s.add_broker

If this last line returns successfully, the broker is working.  If it hangs, the bug is reproduced.

A modification to the Ruby library is necessary to provoke the bug.  Here's the patch:

Index: lib/qpid/delegates.rb
===================================================================
--- lib/qpid/delegates.rb	(revision 736356)
+++ lib/qpid/delegates.rb	(working copy)
@@ -210,7 +210,7 @@
 
       def connection_tune(ch, tune)
         ch.connection_tune_ok(:channel_max => tune.channel_max,
-                              :max_frame_size => tune.max_frame_size,
+                              :max_frame_size => 0,
                               :heartbeat => 0)
         ch.connection_open()
         @connection.security_layer_tx = @saslConn
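Review bot: the hardcoded `:max_frame_size => 0` on the `+` line discards the broker's offered `tune.max_frame_size`, so this hunk is a reproduction aid only and must never be committed to the Ruby client; the durable defence belongs on the broker side, which should refuse a tune-ok frame size of 0 (or below its minimum) instead of trusting the client to echo the offered value.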



Here's the test:

1) Apply the Ruby patch
2) Run the test sequence

If the sequence hangs (and the broker hangs with 100% cpu usage), you have reproduced the bug.
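An added example (not code from qpid-cpp or from this report) modelling the broker-side check the description calls for: the max-frame-size from connection.tune-ok is validated against a minimum before it reaches the chunked decode loop, and the loop itself refuses a zero step rather than spinning. kMinFrameSize and both function names are assumptions made for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed lower bound on the negotiated frame size; a constant chosen for
// this example, not taken from qpid-cpp.
constexpr uint16_t kMinFrameSize = 4096;

// Decide whether the max-frame-size carried in connection.tune-ok is usable.
// A tune-ok sent with no arguments decodes as 0, so the rejection must happen
// here, before the value is used to size any processing loop. Returns true if
// the connection may proceed with `requested`, false if it should be refused.
bool acceptTuneOkFrameSize(uint16_t requested, uint16_t offered) {
    if (requested < kMinFrameSize) return false;  // also rejects the 0 case
    if (requested > offered) return false;        // peer may not exceed our tune
    return true;
}

// Walk a security-layer input buffer in chunks of at most `maxFrameSize`
// bytes, the loop shape in which a zero step never advances `pos`. Returns
// the number of chunks that would be handed to the SASL decoder, or -1 when
// the frame size is 0; without that guard the loop below would never exit.
long countDecodeChunks(const std::vector<uint8_t>& buf, size_t maxFrameSize) {
    if (maxFrameSize == 0) return -1;
    long chunks = 0;
    for (size_t pos = 0; pos < buf.size(); ++chunks) {
        size_t n = std::min(buf.size() - pos, maxFrameSize);
        // sasl_decode() over buf[pos, pos + n) would run here.
        pos += n;
    }
    return chunks;
}
```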

Comment 2 Ted Ross 2009-01-21 18:42:45 UTC
Fixed upstream at revision 736370.

Comment 5 Martin Kudlej 2009-04-15 12:52:26 UTC
Tested on RHEL 5.3 (there are no packages with Kerberos support for RHEL 4.7), i386/x86_64. It works, so --> VERIFIED

Comment 6 Justin Ross 2011-06-27 20:03:09 UTC
Fixed and verified; closing.