210120 – PAM passthru plugin causes directory server to crash

Bug 210120 - PAM passthru plugin causes directory server to crash

Summary: PAM passthru plugin causes directory server to crash

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	389
Classification:	Retired
Component:	Server - Plugins
Sub Component:
Version:	1.0.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Rich Megginson
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	fds103trackingbug
TreeView+	depends on / blocked

Reported:	2006-10-10 06:24 UTC by Miika Pekkarinen
Modified:	2015-12-07 17:07 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-12-07 17:07:18 UTC
Embargoed:

Attachments	(Terms of Use)
Simple patch to fix the issue (502 bytes, patch) 2006-10-10 06:24 UTC, Miika Pekkarinen	no flags	Details \| Diff
new diffs (1.57 KB, patch) 2006-10-10 15:30 UTC, Rich Megginson	no flags	Details \| Diff
Show Obsolete (1) View All

Description Miika Pekkarinen 2006-10-10 06:24:53 UTC

Description of problem:

Providing an incorrect authentication parameters for LDAP bind operation 
causes pam_passthru-plugin to pass a NULL pointer string to the system PAM 
authentication modules which will crash.

How reproducible:

Behaviour should be reproduceable with all versions.


Steps to Reproduce:
1. Make sure kerberos is used for PAM authentication
2. Enable pam_passthru -plugin
3. ldapsearch -x -D 'asdasdadf' -w asdasfas
4. Directory server crashes
  
Actual results:

Server is running fine and working correctly with a valid query like:
ldapsearch -x -b 'dc=valid,dc=data -D 'uid=user,ou=People,dc=valid,dc=data' -w 
blah123

But providing incorrect bind data crashes server immediately:
[root@auth0 fedora-ds]# ldapsearch -x -b 'dc=valid,dc=data -D 'blah123' -w 
blah123
ldap_bind: Can't contact LDAP server (-1)


Additional info:

A patch to fix this problem is provided as attachment. The fix was to prevent 
str being NULL.

Comment 1 Miika Pekkarinen 2006-10-10 06:24:53 UTC

Created attachment 138116 [details]
Simple patch to fix the issue

Comment 2 Rich Megginson 2006-10-10 13:56:18 UTC

Thanks!

In order to accept your patch into the codebase, we need to have a signed
Contributor License Agreement from you - see
http://directory.fedora.redhat.com/wiki/Contributing for more details.  We are
just about to release Fedora DS 1.0.3 and we would really like to get this bug
fix in, so please send in the CLA as soon as possible.  And thanks again.

Comment 3 Rich Megginson 2006-10-10 15:30:21 UTC

Created attachment 138150 [details]
new diffs

The previous patch would fix the problem, but I think it is better to just skip
the pam processing if there is a problem with the given bind dn.

Comment 4 Noriko Hosoi 2006-10-10 16:07:29 UTC

Looks good to me.

Comment 5 Rich Megginson 2006-10-10 16:32:49 UTC

Reviewed by: nhosoi (Thanks!)
Files: pam_ptimpl.c
Branch: HEAD
Fix Description: If the DN given in the BIND request is bogus i.e. not a valid
DN (at least not one that ldap_explode_dn can parse), we should just skip the
PAM processing and just report a reasonable error to the client.  Similarly, if
the map method says to lookup the pam ID from the bind DN entry, and the entry
cannot be found, just report an error and skip pam processing.
Platforms tested: FC5
Flag Day: no
Doc impact: no

Checking in pam_ptimpl.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c,v  <-- 
pam_ptimpl.c
new revision: 1.9; previous revision: 1.8
done

Comment 6 Michael Gregg 2007-11-21 19:22:01 UTC

 
I'm punting this because the pam_pasthrough plugin is not shipped with redhat-ds.

Comment 9 Amita Sharma 2011-06-20 06:56:58 UTC

PAM passthrough startup Tests  PASS   : 100% (13/13)
PAM passthrough run Tests  PASS       : 100% (9/9)
PAM passthrough cleanup Tests  PASS   : 100% (5/5)

hence marking Verified -sanity only.

Note You need to log in before you can comment on or make changes to this bug.