Bug 438533
| Summary: | patch for hang in "saslauthd -a rimap" | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Gaurav Chaturvedi <gaurav.p.chaturvedi> | ||||
| Component: | cyrus-sasl | Assignee: | Tomas Mraz <tmraz> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 5.0 | CC: | ohudlick, sgrubb | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://archives.free.net.ph/message/20080103.180459.41a31541.en.html | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2009-09-02 10:12:48 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 298791 [details]
Patch for auth_rimap.c, versions 2.1.19, 2.1.20, and 2.1.22
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1330.html |
I am forwarding this patch from Bob, Who wrote the following patch I am also pasting his mail in which he describes what exactly is it for. ========================================================================== Hello, I was finding that saslauthd (using rimap) would occasionally hang and consume all available CPU time. After considerable investigation (and after capturing lots of network traffic), I found that this occurred when a user had a double quote (") character in their password. Further testing with testsaslauthd revealed the same behavior. This problem would occur any time the user name or password had any double quote characters. This can lead to a remote DoS as neither the user name nor the password need to be valid they just need to contain a ("). I found the source of the issue in saslauthd/auth_rimap.c. It appears that the code is searching for the (") character and upon finding it, gets stuck in a loop. I also found errors in the use of the memset() function later in the same file. This problem appears to effect all recent version of cyrus-sasl. I can confirm that I have found the problem in 2.1.19, 2.1.20, and 2.1.22 on both Linux and OpenBSD. To assist others, I have attached the patch that I created. Unfortunately, I don't know what the official mechanism is for submitting patches. I hope that this would be the appropriate place to start. Regards, -Bob ===================================================== --- cyrus-sasl-2.1.22/saslauthd/auth_rimap.c Thu Apr 6 15:19:54 2006 +++ cyrus-sasl-2.1.22-1/saslauthd/auth_rimap.c Fri Dec 28 03:06:18 2007 @@ -162,6 +162,7 @@ num_quotes = 0; p1 = s; while ((p1 = strchr(p1, '"')) != NULL) { + p1++; num_quotes++; } @@ -438,7 +439,7 @@ syslog(LOG_WARNING, "auth_rimap: writev: %m"); memset(qlogin, 0, strlen(qlogin)); free(qlogin); - memset(qpass, 0, strlen(qlogin)); + memset(qpass, 0, strlen(qpass)); free(qpass); (void)close(s); return strdup(RESP_IERROR); @@ -447,7 +448,7 @@ /* don't need these any longer */ memset(qlogin, 0, strlen(qlogin)); free(qlogin); - memset(qpass, 0, strlen(qlogin)); + memset(qpass, 0, strlen(qpass)); free(qpass); /* read and parse the LOGIN response */