Bug 210120 - PAM passthru plugin causes directory server to crash
Summary: PAM passthru plugin causes directory server to crash
Alias: None
Product: 389
Classification: Retired
Component: Server - Plugins
Version: 1.0.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
Depends On:
Blocks: fds103trackingbug
TreeView+ depends on / blocked
Reported: 2006-10-10 06:24 UTC by Miika Pekkarinen
Modified: 2015-12-07 17:07 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2015-12-07 17:07:18 UTC

Attachments (Terms of Use)
Simple patch to fix the issue (502 bytes, patch)
2006-10-10 06:24 UTC, Miika Pekkarinen
no flags Details | Diff
new diffs (1.57 KB, patch)
2006-10-10 15:30 UTC, Rich Megginson
no flags Details | Diff

Description Miika Pekkarinen 2006-10-10 06:24:53 UTC
Description of problem:

Providing an incorrect authentication parameters for LDAP bind operation 
causes pam_passthru-plugin to pass a NULL pointer string to the system PAM 
authentication modules which will crash.

How reproducible:

Behaviour should be reproduceable with all versions.

Steps to Reproduce:
1. Make sure kerberos is used for PAM authentication
2. Enable pam_passthru -plugin
3. ldapsearch -x -D 'asdasdadf' -w asdasfas
4. Directory server crashes
Actual results:

Server is running fine and working correctly with a valid query like:
ldapsearch -x -b 'dc=valid,dc=data -D 'uid=user,ou=People,dc=valid,dc=data' -w 

But providing incorrect bind data crashes server immediately:
[root@auth0 fedora-ds]# ldapsearch -x -b 'dc=valid,dc=data -D 'blah123' -w 
ldap_bind: Can't contact LDAP server (-1)

Additional info:

A patch to fix this problem is provided as attachment. The fix was to prevent 
str being NULL.

Comment 1 Miika Pekkarinen 2006-10-10 06:24:53 UTC
Created attachment 138116 [details]
Simple patch to fix the issue

Comment 2 Rich Megginson 2006-10-10 13:56:18 UTC

In order to accept your patch into the codebase, we need to have a signed
Contributor License Agreement from you - see
http://directory.fedora.redhat.com/wiki/Contributing for more details.  We are
just about to release Fedora DS 1.0.3 and we would really like to get this bug
fix in, so please send in the CLA as soon as possible.  And thanks again.

Comment 3 Rich Megginson 2006-10-10 15:30:21 UTC
Created attachment 138150 [details]
new diffs

The previous patch would fix the problem, but I think it is better to just skip
the pam processing if there is a problem with the given bind dn.

Comment 4 Noriko Hosoi 2006-10-10 16:07:29 UTC
Looks good to me.

Comment 5 Rich Megginson 2006-10-10 16:32:49 UTC
Reviewed by: nhosoi (Thanks!)
Files: pam_ptimpl.c
Branch: HEAD
Fix Description: If the DN given in the BIND request is bogus i.e. not a valid
DN (at least not one that ldap_explode_dn can parse), we should just skip the
PAM processing and just report a reasonable error to the client.  Similarly, if
the map method says to lookup the pam ID from the bind DN entry, and the entry
cannot be found, just report an error and skip pam processing.
Platforms tested: FC5
Flag Day: no
Doc impact: no

Checking in pam_ptimpl.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c,v  <-- 
new revision: 1.9; previous revision: 1.8

Comment 6 Michael Gregg 2007-11-21 19:22:01 UTC
I'm punting this because the pam_pasthrough plugin is not shipped with redhat-ds.

Comment 9 Amita Sharma 2011-06-20 06:56:58 UTC
PAM passthrough startup Tests  PASS   : 100% (13/13)
PAM passthrough run Tests  PASS       : 100% (9/9)
PAM passthrough cleanup Tests  PASS   : 100% (5/5)

hence marking Verified -sanity only.

Note You need to log in before you can comment on or make changes to this bug.