Bug 597290

Summary: sasl_decode buffer overflow under load
Product: Red Hat Enterprise Linux 6
Reporter: Gordon Sim <gsim>
Component: saslwrapper
Assignee: Rafael H. Schloming <rafaels>
Status: CLOSED CURRENTRELEASE
QA Contact: Eduard Benes <ebenes>
Severity: urgent
Priority: urgent
Version: 6.0
CC: ebenes, gsim, jneedle, jross, rafaels, syeghiay, tross
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: saslwrapper-0.1.934605-2.el6
Doc Type: Bug Fix
Clone Of: 569698
Bug Depends On: 569698
Last Closed: 2010-11-10 21:33:29 UTC
Attachments: proposed reproducer (flags: none)

Description Gordon Sim 2010-05-28 15:17:13 UTC
+++ This bug was initially created as a clone of Bug #569698 +++

Description of problem:

saslwrapper's sasl_decode can fail in the following manner under load

How reproducible:

Seems to be 100% so far.

Steps to Reproduce:

from qpid.messaging import *

c = Connection("localhost", 5672)
s = c.session()

# Create enough receivers before connecting that the broker's replies to the
# 20000 attaches arrive as one large read, which the driver hands to
# sasl_decode in a single call.
rcvs = []
for i in range(20000):
  rcvs.append(s.receiver("amq.topic/%s" % i))

print("connecting")
c.connect()
print("connected")

Actual results:

qpid.messaging.exceptions.ConnectError: Traceback (most recent call last):
  File "/home/rhs/qpid/python/qpid/messaging/driver.py", line 502, in write
    data = self._sasl.decode(data)
  File "/home/rhs/qpid/python/qpid/sasl.py", line 66, in decode
    raise SASLError(self._cli.getError())
SASLError: Error in sasl_decode (-3) SASL(-3): overflowed buffer: input too large for default sasl_decode

Expected results:

script should print connecting, then connected, and exit

--- Additional comment from tross on 2010-05-27 23:38:21 EDT ---

Created an attachment (id=417456)
Proposed fix

Attached is a proposed fix for this bug.  The man page for sasl_decode states that no more than max-buffer-size bytes should be given to sasl_decode at one time.  This patch divides up long strings into strings of at most max-buffer-size.

--- Additional comment from gsim on 2010-05-28 04:43:48 EDT ---

I verified that the patch fixes the issue as I observed it and committed it to trunk (r949126) and the release repo (fa3441b41b2d437a67ce9071fb70dd1939c1d7f2).

--- Additional comment from gsim on 2010-05-28 04:48:16 EDT ---

Created an attachment (id=417519)
testcase

To reproduce the problem very simply, create a queue named my-queue, fill it up with lots of messages (e.g. 100,000), then run the attached python script. This opens a subscription with unlimited credit, causing a flood of messages to be sent which overwhelms sasl_decode, and the script fails with something like:

$ ~/Desktop/qpid_receive_old_unreliable
Traceback (most recent call last):
  File "/home/gordon/Desktop/qpid_receive_old_unreliable", line 57, in <module>
    message = queue.get(timeout=600)
  File "/home/gordon/projects/git-qpid/qpid/qpid/python/qpid/queue.py", line 55, in get
    raise Closed(self.error)
qpid.exceptions.Closed: (None, 'connection aborted')

This is the case whenever the sasl_wrapper support is on the path (when using packages, if python-saslwrapper is installed), regardless of whether any sasl layer is actually used.

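The proposed fix quoted above splits each read into pieces of at most the SASL maximum buffer size before calling sasl_decode, and the last cloned comment notes that the limit applies even when no security layer was negotiated. The C program below is an added example, not code from saslwrapper or Cyrus SASL: it runs the pre-fix (one call for the whole read) and post-fix (chunked) decode loops against a stand-in for sasl_decode() that enforces only the documented per-call size limit and otherwise passes bytes through. The 65536-byte limit, the fake_sasl_* names and the try_decode/decoded_len helpers are assumptions made for the example; real code should obtain the limit from the library with sasl_getprop(conn, SASL_MAXOUTBUF, ...) rather than hard-code it.

```c
/* Added example, not saslwrapper's or Cyrus SASL's code: the chunked decode loop
 * from the proposed fix, run against a stand-in for sasl_decode(). The stand-in
 * enforces only the per-call size contract (limit 65536 assumed) and passes bytes through. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SASL_OK        0
#define SASL_BUFOVER (-3)   /* the "-3" in the traceback on this page */

typedef struct { unsigned maxbufsize; } fake_sasl_conn;   /* stand-in for sasl_conn_t */

/* Stand-in for sasl_decode(): same shape, same failure when inputlen > maxbufsize. */
static int fake_sasl_decode(fake_sasl_conn *conn, const char *input, unsigned inputlen,
                            const char **output, unsigned *outputlen)
{
    if (inputlen > conn->maxbufsize)
        return SASL_BUFOVER;            /* "overflowed buffer: input too large" */
    *output = input;                    /* identity "security layer" */
    *outputlen = inputlen;
    return SASL_OK;
}

/* Append n bytes to a growable output buffer; real decode output can differ in size. */
static int append(char **buf, size_t *len, size_t *cap, const char *src, size_t n)
{
    if (*len + n > *cap) {
        size_t ncap = *cap ? *cap : 4096;
        while (ncap < *len + n) ncap *= 2;
        char *nb = realloc(*buf, ncap);
        if (!nb) return -1;
        *buf = nb;
        *cap = ncap;
    }
    if (n) memcpy(*buf + *len, src, n);
    *len += n;
    return 0;
}

/* Pre-fix shape: the whole read goes to decode in one call, so a burst of
 * frames larger than maxbufsize fails with SASL_BUFOVER. */
static int decode_unchunked(fake_sasl_conn *conn, const char *in, size_t inlen,
                            char **out, size_t *outlen)
{
    const char *piece; unsigned piecelen; size_t cap = 0;
    *out = NULL; *outlen = 0;
    int rc = fake_sasl_decode(conn, in, (unsigned)inlen, &piece, &piecelen);
    if (rc != SASL_OK) return rc;
    return append(out, outlen, &cap, piece, piecelen) == 0 ? SASL_OK : -1;
}

/* Post-fix shape: at most maxbufsize bytes per call, outputs concatenated. */
static int decode_chunked(fake_sasl_conn *conn, const char *in, size_t inlen,
                          char **out, size_t *outlen)
{
    size_t off = 0, cap = 0;
    *out = NULL; *outlen = 0;
    while (off < inlen) {
        const char *piece; unsigned piecelen;
        size_t n = inlen - off;
        if (n > conn->maxbufsize) n = conn->maxbufsize;
        int rc = fake_sasl_decode(conn, in + off, (unsigned)n, &piece, &piecelen);
        if (rc != SASL_OK || append(out, outlen, &cap, piece, piecelen) != 0) {
            free(*out); *out = NULL; *outlen = 0;
            return rc != SASL_OK ? rc : -1;
        }
        off += n;
    }
    return SASL_OK;
}

/* Decode a constructed inlen-byte payload either way and verify the round trip.
 * Returns the decode result; decoded length goes to *outlen if non-NULL. */
int try_decode(size_t inlen, unsigned maxbuf, int chunked, size_t *outlen)
{
    fake_sasl_conn conn = { maxbuf };
    char *in = malloc(inlen ? inlen : 1), *out = NULL;
    size_t i, got = 0;
    int rc;
    if (!in) return -1;
    for (i = 0; i < inlen; i++) in[i] = (char)(i * 31 + 7);   /* constructed payload */
    rc = chunked ? decode_chunked(&conn, in, inlen, &out, &got)
                 : decode_unchunked(&conn, in, inlen, &out, &got);
    if (rc == SASL_OK && (got != inlen || (inlen && memcmp(in, out, inlen) != 0)))
        rc = -1;                        /* chunking must not alter the byte stream */
    if (outlen) *outlen = got;
    free(in);
    free(out);
    return rc;
}

/* Decoded length for a successful run, 0 on failure. */
size_t decoded_len(size_t inlen, unsigned maxbuf, int chunked)
{
    size_t n = 0;
    return try_decode(inlen, maxbuf, chunked, &n) == SASL_OK ? n : 0;
}

int main(void)
{
    size_t n = 0;
    int rc = try_decode(100000, 65536, 0, NULL);
    printf("100000 bytes, limit 65536, one call: rc=%d\n", rc);
    rc = try_decode(100000, 65536, 1, &n);
    printf("100000 bytes, limit 65536, chunked:  rc=%d decoded=%zu\n", rc, n);
    return 0;
}
```

The unchunked path reproduces the failure shape from the traceback (-3 is SASL_BUFOVER in Cyrus SASL's sasl.h), while the chunked path decodes the same 100000 bytes in two calls. Feeding the stream to sasl_decode in caller-chosen pieces is safe because, as its man page describes, the function buffers partial input across calls; the only constraint the caller must honour is the per-call size limit, which is why the fix queries that limit rather than guessing a frame size.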
Comment 1 Gordon Sim 2010-05-28 17:27:20 UTC
Fixed in saslwrapper-0.1.934605-2.el6.

Comment 4 Eduard Benes 2010-07-20 17:40:04 UTC
Created attachment 433226
proposed reproducer

Updated reproducer based on testcase [1] from original bug report.

[1] https://bugzilla.redhat.com/attachment.cgi?id=417519

Comment 7 releng-rhel@redhat.com 2010-11-10 21:33:29 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.