From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
I set Apache up to use mod_auth_ldap to authenticate against an Active Directory server, and mod_auth_pgsql to authenticate against a local user/group database. Each module functioned correctly when used exclusively. But when both were enabled, and I authenticated against mod_auth_pgsql successfully, mod_auth_ldap caused the httpd child process to segfault.

Use of gdb revealed that mod_auth_ldap was attempting, in the mod_auth_ldap_auth_checker function (httpd-2.0.52/modules/experimental/mod_auth_ldap.c:405) to consult a mod_auth_ldap_request_t *req (assigned at line 408) which is normally put in place by mod_auth_ldap_check_user_id. 

But in the case where mod_auth_pgsql was the module which successfully authenticated me, that structure was not created by mod_auth_ldap_check_user_id, and the req pointer in mod_auth_ldap_auth_checker was NULL.

Attached is a patch which causes mod_auth_ldap to decline authorization if the authentication structure is unassigned (req is NULL). The behavioral impact of this patch should be small, because if a user is not in the LDAP directory, the odds are that that user cannot be in a group in the LDAP directory. This is certainly true for Active Directory.

The security impact of this bug is low but non-negligible: it does not result in unauthorized access, but could be used to mount a DoS attack against the web server.

Version-Release number of selected component (if applicable):
httpd-2.0.52-9.ent

How reproducible:
Always

Steps to Reproduce:
1. Configure Apache to authenticate using mod_auth_pgsql (loaded first, non-authoritative) and mod_auth_ldap (loaded after mod_auth_pgsql, authoritative or non-authoritative). Point mod_auth_ldap at an AD server and mod_auth_pgsql at a database.
2. Configure Apache to limit access to a directory using Require group and an AD group (Require group CN=foo,OU=bar,OU=baz,DC=bletch,DC=com).
3. Use a web browser to access a page in the access-limited directory. Authenticate using the user added to the database, not a valid AD user.
  

Actual Results:  Client side:
(Firefox) The contents of the browser's content pane does not change.
(IE) An error page is displayed.

Server side:
A message is produced in the error_log about an httpd child process receiving a SIGSEGV.

Expected Results:  Client side:
The browser displays the page.

Server side:
Nothing is produced in the error_log.

Additional info:

The patch:

diff -ruN httpd-2.0.52/modules/experimental/mod_auth_ldap.c httpd-2.0.52-patch/modules/experimental/mod_auth_ldap.c
--- httpd-2.0.52/modules/experimental/mod_auth_ldap.c   2004-05-21 18:39:41.000000000 -0500
+++ httpd-2.0.52-patch/modules/experimental/mod_auth_ldap.c     2005-05-12 10:22:14.144815969 -0500
@@ -431,6 +431,15 @@
         return DECLINED;
     }

+       if (!req) {
+               /* Some other module did the check_user_id step and now we're getting
+                * called on the auth_checker step. req contains nothing and if we
+                * try to access it we'll segfault. Run away! Run away!
+                * [Jared L. Jennings, 12 May 2005]
+                */
+               return DECLINED;
+       }
+
     if (sec->host) {
         ldc = util_ldap_connection_find(r, sec->host, sec->port,
                                        sec->binddn, sec->bindpw, sec->deref,