Bug 458506 - SASL bind can leak credentials in some cases
SASL bind can leak credentials in some cases
Status: CLOSED ERRATA
Product: 389
Classification: Community
Component: Security - SASL
Version: 1.1.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Rich Megginson
QA Contact: Chandrasekar Kannan
comment#1.review+nhosoi
Keywords: Security
Blocks: 249650 FDS112 453229 CVE-2008-3283
Reported: 2008-08-08 19:44 EDT by Rich Megginson
Modified: 2015-01-04 18:33 EST

Doc Type: Bug Fix
Last Closed: 2008-08-27 16:39:06 EDT
Attachments
diffs (1.82 KB, patch)
2008-08-08 19:46 EDT, Rich Megginson
cvs commit log - DS8.0 (169 bytes, text/plain)
2008-08-12 18:19 EDT, Rich Megginson
cvs commit log - HEAD (163 bytes, text/plain)
2008-08-27 17:07 EDT, Rich Megginson

Description Rich Megginson 2008-08-08 19:44:13 EDT
There is this call in saslbind.c line 767:
    /* can't do any harm */
    if (cred->bv_len == 0) cred->bv_val = NULL;
apparently in some cases, cred bv_len is 0 but cred->bv_val is not-null.  This causes a leak of cred->bv_val.
Comment 1 Rich Megginson 2008-08-08 19:46:19 EDT
Created attachment 313856 [details]
diffs

The fix is to make sure cred->bv_val is freed if bv_len is 0.  This should catch all cases where this erroneous assumption is made.
Comment 2 Rich Megginson 2008-08-11 12:35:22 EDT
I'm not exactly sure how to trigger this issue.  Maybe pass a 0 length password e.g. just the \0 character?  That would seem to be the only way to make bv_len 0 but have bv_val allocated, but if bv_len is 0 then bv_val should always be NULL.

The bug could be triggered by anonymous.
The way to mitigate this issue is to disable sasl bind.
Comment 3 Rich Megginson 2008-08-12 18:19:31 EDT
Created attachment 314144 [details]
cvs commit log - DS8.0

Reviewed by: nkinder, nhosoi (Thanks!)
Branch: Directory_Server_8_0
Fix Description: There is this call in saslbind.c line 767:
   /* can't do any harm */
   if (cred->bv_len == 0) cred->bv_val = NULL;
apparently in some cases, cred bv_len is 0 but cred->bv_val is not-null.  This
causes a leak of cred->bv_val.
The fix is to make sure cred->bv_val is freed if bv_len is 0.  This should
catch all cases where this erroneous assumption is made.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
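The leak described in the report and in the commit log above, reproduced in a small stand-alone C program. This is an added example, not code from the 389 Directory Server project: `struct berval` is a minimal stand-in with the same two fields as LDAP's, the tracked allocator and `leaked_after_binds` are constructed for the demonstration, and the "empty credential with an allocated buffer" input is the assumed trigger case discussed in comment 2. It shows why assigning NULL to `bv_val` when `bv_len == 0` abandons the allocation, and why freeing first is the correct fix; counting live allocations lets a harness observe the leak the way valgrind would in `do_bind()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for LDAP's struct berval (assumption: same two fields). */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

/* Counting allocator so the harness can observe leaks without valgrind. */
static int live_allocs = 0;

static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) {
        strcpy(p, s);
        live_allocs++;
    }
    return p;
}

static void tracked_free(char *p) {
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Constructed input: a credential whose buffer was allocated (an empty
 * string from the client, as comment 2 speculates) but whose length is 0. */
static struct berval make_empty_cred(void) {
    struct berval cred;
    cred.bv_len = 0;
    cred.bv_val = tracked_strdup("");
    return cred;
}

/* Before: mirrors the line quoted in the report. Dropping the pointer when
 * bv_len == 0 loses the only reference to the buffer, so it is never freed. */
static void normalize_cred_buggy(struct berval *cred) {
    /* can't do any harm */
    if (cred->bv_len == 0) cred->bv_val = NULL;
}

/* After: release the buffer before discarding the pointer. */
static void normalize_cred_fixed(struct berval *cred) {
    if (cred->bv_len == 0) {
        tracked_free(cred->bv_val);
        cred->bv_val = NULL;
    }
}

/* Simulates n binds with empty credentials and returns how many credential
 * buffers are still live afterwards: n on the buggy path, 0 on the fixed one.
 * (An unauthenticated client could repeat this, which is why the leak matters.) */
int leaked_after_binds(int use_fix, int n) {
    live_allocs = 0;
    for (int i = 0; i < n; i++) {
        struct berval cred = make_empty_cred();
        if (use_fix)
            normalize_cred_fixed(&cred);
        else
            normalize_cred_buggy(&cred);
    }
    return live_allocs;
}

int main(void) {
    printf("buggy path, 100 binds: %d buffers leaked\n", leaked_after_binds(0, 100));
    printf("fixed path, 100 binds: %d buffers leaked\n", leaked_after_binds(1, 100));
    return 0;
}
```

Run under `valgrind --leak-check=full` the buggy path reports the lost blocks as "definitely lost" with `tracked_strdup` in the stack, which is the same signature QE was told to look for in `do_bind()` in comment 6; the fixed path reports none.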
Comment 5 Jenny Galipeau 2008-08-19 16:24:55 EDT
How can QE verify this?  What to look for in the valgrind output?
Comment 6 Rich Megginson 2008-08-19 16:34:36 EDT
(In reply to comment #5)
> How can QE verify this?  What to look for in the valgrind output?

Look for a memory leak in do_bind().
Comment 7 Jenny Galipeau 2008-08-21 13:45:45 EDT
verified 8.0 RHEL4-32, RHEL4-64, RHEL5-32, RHEL5-64
Comment 10 errata-xmlrpc 2008-08-27 16:39:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0602.html
Comment 11 Rich Megginson 2008-08-27 17:07:23 EDT
Created attachment 315144 [details]
cvs commit log - HEAD
