Bug 480704 - Denial of service - Infinite loop in SASL security layer with max-frame-size = 0
Denial of service - Infinite loop in SASL security layer with max-frame-size = 0
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp (Show other bugs)
All Linux
high Severity high
: 1.1.1
: ---
Assigned To: Ted Ross
Frantisek Reznicek
Depends On:
  Show dependency treegraph
Reported: 2009-01-19 17:42 EST by Ted Ross
Modified: 2015-11-15 19:06 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-06-27 16:03:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ted Ross 2009-01-19 17:42:29 EST
Description of problem:

If a client successfully authenticates with a SASL mechanism that has a security layer, and provides no arguments in the "connection.tune-ok" message, the broker uses zero as the max-frame-size.  This causes CyrusSecurityLayer::decode to loop infinitely, hanging the broker and using 100% of a CPU.

Version-Release number of selected component (if applicable):

Version 1.1.1

How reproducible:

Comment 1 Ted Ross 2009-01-21 13:33:08 EST
To reproduce:

First, you need to be using Kerberos-5 for authentication.  This involves having a KDC that is configured with a service principal for the qpidd broker (called "qpidd/host.domain@REALM") and a user principal.  You must kinit the user principal.

Use an svn checkout for the Ruby client:

# cd <svn-qpid-checkout>/ruby
# rake build

Here's the test sequence (you will do this multiple times):

# cd <svn-qpid-checkout>/ruby/lib
# irb -r qpid --noinspect -I ../ext/sasl
> s = Qpid::Qmf::Session.new(:manage_connections=>false)
> b = s.add_broker

If this last line returns successfully, the broker is working.  If it hangs, the bug is reproduced.

A modification to the Ruby library is necessary to provoke the bug.  Here's the patch:

Index: lib/qpid/delegates.rb
--- lib/qpid/delegates.rb	(revision 736356)
+++ lib/qpid/delegates.rb	(working copy)
@@ -210,7 +210,7 @@
       def connection_tune(ch, tune)
         ch.connection_tune_ok(:channel_max => tune.channel_max,
-                              :max_frame_size => tune.max_frame_size,
+                              :max_frame_size => 0,
                               :heartbeat => 0)
         @connection.security_layer_tx = @saslConn

Here's the test:

1) Apply the Ruby patch
2) Run the test sequence

If the sequence hangs (and the broker hangs with 100% cpu usage), you have reproduced the bug.
Comment 2 Ted Ross 2009-01-21 13:42:45 EST
Fixed upstream at revision 736370.
Comment 5 Martin Kudlej 2009-04-15 08:52:26 EDT
Tested on Rhel 5.3 (there aren't packages with Kerberos support for Rhel 4.7) i386/x86_64. It works so --> VERIFIED
Comment 6 Justin Ross 2011-06-27 16:03:09 EDT
Fixed and verified; closing.

Note You need to log in before you can comment on or make changes to this bug.