Bug 438533 - patch for hang in "saslauthd -a rimap"
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl
Version: 5.0
Hardware: All Linux
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: Brian Brock
URL: http://archives.free.net.ph/message/2...
Reported: 2008-03-21 10:37 EDT by Gaurav Chaturvedi
Modified: 2009-09-02 06:12 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 06:12:48 EDT
Attachments:
Patch for auth_rimap.c, versions 2.1.19, 2.1.20, and 2.1.22 (750 bytes, patch), 2008-03-21 10:37 EDT, Gaurav Chaturvedi

Description Gaurav Chaturvedi 2008-03-21 10:37:54 EDT
I am forwarding this patch from Bob, who wrote the following patch.

I am also pasting his mail in which he describes what exactly it is for.
==========================================================================
Hello,

I was finding that saslauthd (using rimap) would occasionally hang and
consume all available CPU time. After considerable investigation (and
after capturing lots of network traffic), I found that this occurred
when a user had a double quote (") character in their password. Further
testing with testsaslauthd revealed the same behavior. This problem
would occur any time the user name or password had any double quote
characters. This can lead to a remote DoS, as neither the user name nor
the password need to be valid; they just need to contain a (").

I found the source of the issue in saslauthd/auth_rimap.c. It appears
that the code is searching for the (") character and upon finding it,
gets stuck in a loop. I also found errors in the use of the memset()
function later in the same file. This problem appears to affect all
recent versions of cyrus-sasl. I can confirm that I have found the
problem in 2.1.19, 2.1.20, and 2.1.22 on both Linux and OpenBSD.

To assist others, I have attached the patch that I created.
Unfortunately, I don't know what the official mechanism is for
submitting patches. I hope that this would be the appropriate place to
start.

Regards,

-Bob 
=====================================================
--- cyrus-sasl-2.1.22/saslauthd/auth_rimap.c Thu Apr 6 15:19:54 2006
+++ cyrus-sasl-2.1.22-1/saslauthd/auth_rimap.c Fri Dec 28 03:06:18 2007
@@ -162,6 +162,7 @@
num_quotes = 0;
p1 = s;
while ((p1 = strchr(p1, '"')) != NULL) {
+ p1++;
num_quotes++;
}

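Review bot: The `p1++` added inside the `while` loop at -162 carries the whole fix and should either be commented or be written so the advance cannot be dropped again, for example `for (p1 = s; (p1 = strchr(p1, '"')) != NULL; p1++) num_quotes++;`. Without the increment, `strchr` is called again with the pointer it just returned, so the first double quote in `s` is matched on every pass, which is the CPU-bound hang described in the mail. Stepping by one is safe here because the matched byte is a quote, not the terminator. A regression case run through testsaslauthd with a double quote in the user name and in the password would keep this from coming back.
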
@@ -438,7 +439,7 @@
syslog(LOG_WARNING, "auth_rimap: writev: %m");
memset(qlogin, 0, strlen(qlogin));
free(qlogin);
- memset(qpass, 0, strlen(qlogin));
+ memset(qpass, 0, strlen(qpass));
free(qpass);
(void)close(s);
return strdup(RESP_IERROR);
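Review bot: In this writev error path both `memset()` calls sit immediately before `free()`, and an optimizing compiler may drop such stores as dead, so the wipe of `qlogin` and `qpass` is not guaranteed to happen; use a wipe the compiler cannot elide, such as one that writes through a volatile pointer. The length correction itself is right: the removed line evaluated `strlen(qlogin)` after `free(qlogin)`, which reads freed memory and sizes the wipe of the password by the length of the login.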
@@ -447,7 +448,7 @@
/* don't need these any longer */
memset(qlogin, 0, strlen(qlogin));
free(qlogin);
- memset(qpass, 0, strlen(qlogin));
+ memset(qpass, 0, strlen(qpass));
free(qpass);

/* read and parse the LOGIN response */
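Review bot: This is the same four-line wipe-and-free sequence as in the error path at -438, with the same copy-paste mistake, so it should move into one small helper (a hypothetical `wipe_and_free(char *)`) called from both places instead of being corrected twice. A helper would take a single pointer, which makes it impossible to size the wipe of `qpass` from `qlogin` or to touch `qlogin` after it has been freed.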
Comment 1 Gaurav Chaturvedi 2008-03-21 10:37:54 EDT
Created attachment 298791
Patch for auth_rimap.c, versions 2.1.19, 2.1.20, and 2.1.22
Comment 2 Gaurav Chaturvedi 2008-03-21 10:38:49 EDT
[Link] http://archives.free.net.ph/message/20080103.180459.41a31541.en.html
Comment 8 errata-xmlrpc 2009-09-02 06:12:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1330.html
