Bug 480704 - Denial of service - Infinite loop in SASL security layer with max-frame-size = 0
Summary: Denial of service - Infinite loop in SASL security layer with max-frame-size = 0
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: Development
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: 1.1.1
Assignee: Ted Ross
QA Contact: Frantisek Reznicek
Reported: 2009-01-19 22:42 UTC by Ted Ross
Modified: 2015-11-16 00:06 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-06-27 20:03:09 UTC



Description Ted Ross 2009-01-19 22:42:29 UTC
Description of problem:

If a client successfully authenticates with a SASL mechanism that has a security layer, and provides no arguments in the "connection.tune-ok" message, the broker uses zero as the max-frame-size.  This causes CyrusSecurityLayer::decode to loop infinitely, hanging the broker and using 100% of a CPU.

Version-Release number of selected component (if applicable):

Version 1.1.1

How reproducible:

100%

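To make the failure mode above concrete, here is an added illustration. It is not qpid-cpp code and not the upstream fix; it models the reported shape of the problem (a decode loop that pulls ciphertext in chunks bounded by the negotiated max-frame-size) and shows why a zero value never makes forward progress, next to a tune-ok range check and a decode loop that refuses to iterate without consuming input. The function names, the `DecodeStats` type and the 4096-byte minimum (taken from the AMQP 0-10 MIN_MAX_FRAME_SIZE constant, but assumed here rather than read from the broker) are this example's own.

```cpp
// Added example (not qpid-cpp code): a security-layer style decode loop that
// pulls ciphertext in chunks bounded by the negotiated max-frame-size.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>

struct DecodeStats {
    std::size_t chunks;    // how many decode passes were made
    std::size_t consumed;  // bytes handed to the (simulated) SASL decoder
};

// Mirrors the reported bug: each pass takes min(available, maxInput) bytes.
// With maxInput == 0 that is 0 bytes, 'available' never shrinks and the loop
// never exits. The iteration cap exists only so this demo terminates; the
// broker in the report had no such cap and pinned a CPU.
DecodeStats decodeUnchecked(const std::string& cipher, std::size_t maxInput,
                            std::size_t iterCap)
{
    DecodeStats s{0, 0};
    std::size_t available = cipher.size();
    while (available > 0) {
        if (s.chunks >= iterCap)
            throw std::runtime_error("no forward progress: loop would spin forever");
        std::size_t take = std::min(available, maxInput);
        // a real layer would call the SASL decode routine on 'take' bytes here
        available -= take;
        s.consumed += take;
        ++s.chunks;
    }
    return s;
}

// Assumed lower bound for this example (AMQP 0-10 MIN_MAX_FRAME_SIZE is 4096).
constexpr std::uint32_t kMinFrameSize = 4096;

// Fix 1: validate the peer's tune-ok before it becomes the working frame size.
// Zero, anything below the minimum, or anything above what the broker offered
// is rejected instead of silently adopted.
std::uint32_t acceptTuneOk(std::uint32_t clientMax, std::uint32_t brokerMax)
{
    if (clientMax < kMinFrameSize || clientMax > brokerMax)
        throw std::invalid_argument("tune-ok max-frame-size out of range");
    return clientMax;
}

// Fix 2 (defence in depth): the loop itself refuses to run without progress,
// so a bad frame size that slips past negotiation cannot hang the thread.
DecodeStats decodeChecked(const std::string& cipher, std::size_t maxInput)
{
    if (maxInput == 0)
        throw std::invalid_argument("decode chunk size must be non-zero");
    DecodeStats s{0, 0};
    std::size_t available = cipher.size();
    while (available > 0) {
        std::size_t take = std::min(available, maxInput);
        if (take == 0)
            throw std::logic_error("decode made no progress");
        available -= take;
        s.consumed += take;
        ++s.chunks;
    }
    return s;
}

// Helpers that report the outcome as plain bools.
bool uncheckedSpins(std::size_t maxInput)
{
    try { decodeUnchecked(std::string(16, 'x'), maxInput, 1000); return false; }
    catch (const std::runtime_error&) { return true; }
}

bool tuneOkAccepted(std::uint32_t clientMax, std::uint32_t brokerMax)
{
    try { acceptTuneOk(clientMax, brokerMax); return true; }
    catch (const std::invalid_argument&) { return false; }
}

int main()
{
    std::printf("max-frame-size 65536 spins: %d\n", uncheckedSpins(65536));
    std::printf("max-frame-size 0 spins:     %d\n", uncheckedSpins(0));
    std::printf("tune-ok 0 accepted:         %d\n", tuneOkAccepted(0, 65536));
    std::printf("tune-ok 65536 accepted:     %d\n", tuneOkAccepted(65536, 65536));
    return 0;
}
```

The two fixes are independent on purpose: rejecting the bad tune-ok keeps a malicious client from setting the value at all, while the progress check in the loop protects against any other path that could leave the chunk size at zero.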
Comment 1 Ted Ross 2009-01-21 18:33:08 UTC
To reproduce:

First, you need to be using Kerberos-5 for authentication.  This involves having a KDC that is configured with a service principal for the qpidd broker (called "qpidd/host.domain@REALM") and a user principal.  You must kinit the user principal.

Use an svn checkout for the Ruby client:

# cd <svn-qpid-checkout>/ruby
# rake build

Here's the test sequence (you will do this multiple times):

# cd <svn-qpid-checkout>/ruby/lib
# irb -r qpid --noinspect -I ../ext/sasl
> s = Qpid::Qmf::Session.new(:manage_connections=>false)
> b = s.add_broker

If this last line returns successfully, the broker is working.  If it hangs, the bug is reproduced.

A modification to the Ruby library is necessary to provoke the bug.  Here's the patch:

Index: lib/qpid/delegates.rb
===================================================================
--- lib/qpid/delegates.rb	(revision 736356)
+++ lib/qpid/delegates.rb	(working copy)
@@ -210,7 +210,7 @@
 
       def connection_tune(ch, tune)
         ch.connection_tune_ok(:channel_max => tune.channel_max,
-                              :max_frame_size => tune.max_frame_size,
+                              :max_frame_size => 0,
                               :heartbeat => 0)
         ch.connection_open()
         @connection.security_layer_tx = @saslConn
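Review bot: hardcoding `:max_frame_size => 0` in connection_tune replaces the echo of `tune.max_frame_size` that the original line sent, which is exactly the trigger this repro needs, so this hunk should stay a local change and never be committed to delegates.rb; a client that is not trying to provoke the hang should keep echoing the broker's offered value (or a smaller non-zero one). Note also that `:heartbeat => 0` is already hardcoded in the unchanged context, so the only thing this hunk varies between the working and hanging runs is the frame size.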



Here's the test:

1) Apply the Ruby patch
2) Run the test sequence

If the sequence hangs (and the broker hangs with 100% cpu usage), you have reproduced the bug.

Comment 2 Ted Ross 2009-01-21 18:42:45 UTC
Fixed upstream at revision 736370.

Comment 5 Martin Kudlej 2009-04-15 12:52:26 UTC
Tested on RHEL 5.3 (there aren't packages with Kerberos support for RHEL 4.7) i386/x86_64. It works, so --> VERIFIED

Comment 6 Justin Ross 2011-06-27 20:03:09 UTC
Fixed and verified; closing.

