Bug 480704
| Field | Value |
|---|---|
| Summary | Denial of service - Infinite loop in SASL security layer with max-frame-size = 0 |
| Product | Red Hat Enterprise MRG |
| Reporter | Ted Ross <tross> |
| Component | qpid-cpp |
| Assignee | Ted Ross <tross> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Frantisek Reznicek <freznice> |
| Severity | high |
| Priority | high |
| Docs Contact | |
| Version | Development |
| CC | esammons, iboverma, jross, mkudlej |
| Target Milestone | 1.1.1 |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2011-06-27 20:03:09 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description (Ted Ross, 2009-01-19 22:42:29 UTC)
To reproduce:
First, you need to be using Kerberos-5 for authentication. This involves having a KDC that is configured with a service principal for the qpidd broker (called "qpidd/host.domain@REALM") and a user principal. You must kinit the user principal.
Use an svn checkout for the Ruby client:
# cd <svn-qpid-checkout>/ruby
# rake build
Here's the test sequence (you will do this multiple times):
# cd <svn-qpid-checkout>/ruby/lib
# irb -r qpid --noinspect -I ../ext/sasl
> s = Qpid::Qmf::Session.new(:manage_connections=>false)
> b = s.add_broker
If this last line returns successfully, the broker is working. If it hangs, the bug is reproduced.
A modification to the Ruby library is necessary to provoke the bug. Here's the patch:
Index: lib/qpid/delegates.rb
===================================================================
--- lib/qpid/delegates.rb (revision 736356)
+++ lib/qpid/delegates.rb (working copy)
@@ -210,7 +210,7 @@
def connection_tune(ch, tune)
ch.connection_tune_ok(:channel_max => tune.channel_max,
- :max_frame_size => tune.max_frame_size,
+ :max_frame_size => 0,
:heartbeat => 0)
ch.connection_open()
@connection.security_layer_tx = @saslConn
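Review bot: this hunk is a deliberate reproducer, not a fix, and must not be committed to lib/qpid/delegates.rb: it replaces the broker-proposed `tune.max_frame_size` in connection_tune_ok with a hard-coded `:max_frame_size => 0`, and the SASL security layer is attached immediately afterwards (`@connection.security_layer_tx = @saslConn`), so the zero size is exactly what the broker's security layer then has to frame against. The change worth making is on the receiving side: validate the client's tune-ok max-frame-size before the security layer is engaged and close the connection on a value that cannot carry any data, rather than trusting the client to echo the proposed value.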
Here's the test:
1) Apply the Ruby patch
2) Run the test sequence
If the sequence hangs (and the broker hangs with 100% CPU usage), you have reproduced the bug.
Fixed upstream at revision 736370.

Tested on RHEL 5.3 (there aren't packages with Kerberos support for RHEL 4.7) i386/x86_64. It works so --> VERIFIED

Fixed and verified; closing.
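The hang the report describes, as an added example in C++ that is not code from the qpid-cpp project: a toy security-layer frame splitter in the vulnerable shape (each iteration advances by min(remaining, max_frame_size), which makes no progress when the client echoes 0, so the loop spins at 100% CPU) beside a guarded version that validates the tune-ok value once and refuses a size it cannot frame against. `kMinFrameSize`, the `TuneOk` struct, the iteration cap and the helper names are assumptions of the example, not values or identifiers from the broker.

```cpp
// Added example (not qpid-cpp code): why a negotiated max-frame-size of 0 makes
// a frame-splitting loop spin forever, and how to guard against it.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed minimum for this example only; a real broker takes the floor from
// its protocol specification, not from this constant.
constexpr std::size_t kMinFrameSize = 4096;   // hypothetical
// Safety cap so the vulnerable demonstration terminates instead of hanging.
constexpr std::size_t kIterationCap = 1000;

// Vulnerable shape: step = min(remaining, max_frame_size). With max_frame_size
// == 0 the step is 0, `remaining` never decreases and the loop never exits.
// Returns the number of frames emitted, or -1 when the cap is hit (i.e. the
// unbounded loop the bug report observed as a broker at 100% CPU).
long split_frames_unguarded(const std::string& payload, std::size_t max_frame_size) {
    std::size_t remaining = payload.size();
    std::size_t iterations = 0;
    long frames = 0;
    while (remaining > 0) {
        if (++iterations > kIterationCap) return -1;   // would spin forever
        std::size_t chunk = std::min(remaining, max_frame_size);
        remaining -= chunk;                            // no progress when chunk == 0
        ++frames;
    }
    return frames;
}

// Guarded shape, part 1: validate the client's tune-ok once, at the point the
// value is accepted, before any security layer is installed on the connection.
struct TuneOk {                        // hypothetical model of connection.tune-ok
    std::uint32_t channel_max;
    std::uint32_t max_frame_size;      // integer width is a modeling choice
    std::uint32_t heartbeat;
};

std::size_t accept_tune_ok(const TuneOk& t) {
    if (t.max_frame_size < kMinFrameSize)
        throw std::invalid_argument("tune-ok max-frame-size below minimum; closing connection");
    return t.max_frame_size;
}

// Guarded shape, part 2: the splitter itself refuses a zero step, so even a
// caller that skipped accept_tune_ok cannot drive it into a non-terminating loop.
std::vector<std::string> split_frames_guarded(const std::string& payload, std::size_t max_frame_size) {
    if (max_frame_size == 0)
        throw std::invalid_argument("max-frame-size must be greater than zero");
    std::vector<std::string> frames;
    std::size_t offset = 0;
    while (offset < payload.size()) {
        std::size_t chunk = std::min(payload.size() - offset, max_frame_size);
        frames.push_back(payload.substr(offset, chunk));
        offset += chunk;                               // chunk >= 1 here, so this always advances
    }
    return frames;
}

// Convenience wrapper for callers that want a yes/no answer instead of an exception.
bool tune_ok_is_accepted(std::uint32_t max_frame_size) {
    try {
        accept_tune_ok(TuneOk{1, max_frame_size, 0});
        return true;
    } catch (const std::invalid_argument&) {
        return false;
    }
}

// Same yes/no wrapper for the guarded splitter.
bool guarded_splitter_rejects(std::size_t max_frame_size) {
    try {
        split_frames_guarded("constructed sample payload", max_frame_size);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}
```

The two guards are deliberately redundant: the tune-ok check is where a broker should close the connection, and the in-loop check is the backstop that keeps a bad value from ever becoming an unbounded loop if some other code path bypasses negotiation.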