Red Hat Bugzilla – Bug 480704
Denial of service - Infinite loop in SASL security layer with max-frame-size = 0
Last modified: 2015-11-15 19:06:32 EST
Description of problem:
If a client successfully authenticates with a SASL mechanism that has a security layer, and provides no arguments in the "connection.tune-ok" message, the broker uses zero as the max-frame-size. This causes CyrusSecurityLayer::decode to loop infinitely, hanging the broker and using 100% of a CPU.
Version-Release number of selected component (if applicable):
First, you need to be using Kerberos-5 for authentication. This involves having a KDC that is configured with a service principal for the qpidd broker (called "qpidd/host.domain@REALM") and a user principal. You must kinit the user principal.
Use an svn checkout for the Ruby client:
# cd <svn-qpid-checkout>/ruby
# rake build
Here's the test sequence (you will do this multiple times):
# cd <svn-qpid-checkout>/ruby/lib
# irb -r qpid --noinspect -I ../ext/sasl
> s = Qpid::Qmf::Session.new(:manage_connections=>false)
> b = s.add_broker
If this last line returns successfully, the broker is working. If it hangs, the bug is reproduced.
A modification to the Ruby library is necessary to provoke the bug. Here's the patch:
--- lib/qpid/delegates.rb (revision 736356)
+++ lib/qpid/delegates.rb (working copy)
@@ -210,7 +210,7 @@
def connection_tune(ch, tune)
ch.connection_tune_ok(:channel_max => tune.channel_max,
- :max_frame_size => tune.max_frame_size,
+ :max_frame_size => 0,
:heartbeat => 0)
@connection.security_layer_tx = @saslConn
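Review bot: the hunk header `@@ -210,7 +210,7 @@` promises seven lines on each side, but only five old and five new lines survive here and the method-body indentation has been lost, so this will not apply with `patch` as pasted; for the reproducer it is equivalent to edit lib/qpid/delegates.rb by hand and replace `:max_frame_size => tune.max_frame_size` with `:max_frame_size => 0` in `connection_tune`. The change itself is exactly the trigger the report describes (the client answers connection.tune with a max-frame-size of 0 instead of echoing the broker's value), which is the value a hardened broker should refuse, or replace with its own advertised size, before it ever reaches the security-layer decode loop.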
Here's the test:
1) Apply the Ruby patch
2) Run the test sequence
If the sequence hangs (and the broker hangs with 100% cpu usage), you have reproduced the bug.
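A model of the loop the report describes, as an added example that is not qpid's CyrusSecurityLayer code: `decodeVulnerable` has the shape of a decode loop that advances by at most max-frame-size bytes per pass and therefore never advances when that value is 0 (an iteration budget is added only so the example terminates; the loop in the report has none and spins at 100% CPU). `negotiateMaxFrameSize` and `decodeHardened` show one way to close the hole: treat an omitted max-frame-size in connection.tune-ok, which arrives as 0, as "use the broker's advertised value", reject a nonsense nonzero value as a protocol error, and refuse 0 before the loop is entered. All function names, the `kMinMaxFrameSize` floor and the constructed sample input are assumptions; the actual upstream fix at revision 736370 is not reproduced here.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Added example: a model of the decode loop a SASL security layer runs over
// incoming ciphertext. It is NOT qpid's CyrusSecurityLayer; the names and the
// frame-size floor below are assumptions for illustration only.

struct DecodeResult {
    std::size_t frames;    // frames handed to the layer above
    std::size_t consumed;  // ciphertext bytes consumed
    bool stuck;            // loop exhausted its budget without finishing
};

// Vulnerable shape of the loop: each pass takes at most maxFrameSize bytes and
// advances by that amount, so maxFrameSize == 0 takes 0 bytes and never advances.
// iterationBudget exists only so this example terminates; the real loop had none.
DecodeResult decodeVulnerable(const std::string& ciphertext,
                              std::size_t maxFrameSize,
                              std::size_t iterationBudget = 1000) {
    DecodeResult r{0, 0, false};
    std::size_t pos = 0;
    for (std::size_t iter = 0; pos < ciphertext.size(); ++iter) {
        if (iter >= iterationBudget) { r.stuck = true; break; }
        // Bytes this pass may hand to sasl_decode(): 0 when maxFrameSize is 0.
        std::size_t n = std::min(maxFrameSize, ciphertext.size() - pos);
        // sasl_decode(conn, ciphertext.data() + pos, n, &plain, &plainLen) would go here.
        pos += n;        // pos never changes when n == 0
        ++r.frames;
    }
    r.consumed = pos;
    return r;
}

// Assumed floor for a negotiated max-frame-size (illustrative; the real bound is
// whatever the broker advertised in connection.tune, not this constant).
constexpr std::uint32_t kMinMaxFrameSize = 4096;

// One way to close the hole where the value enters the broker: a tune-ok that
// omits max-frame-size arrives as 0 and is answered with the broker's own
// advertised size; a nonzero value below the floor is a protocol error; a value
// above what the broker advertised is clamped, since its buffers were sized for that.
std::uint32_t negotiateMaxFrameSize(std::uint32_t clientTuneOk,
                                    std::uint32_t brokerAdvertised) {
    if (brokerAdvertised < kMinMaxFrameSize)
        throw std::invalid_argument("broker advertised max-frame-size below floor");
    if (clientTuneOk == 0)
        return brokerAdvertised;                 // field absent: use our own value
    if (clientTuneOk < kMinMaxFrameSize)
        throw std::invalid_argument("client max-frame-size below floor");
    return std::min(clientTuneOk, brokerAdvertised);
}

// Hardened loop: refuse a zero frame size outright, and fail closed if a pass
// ever consumes nothing (defence in depth) instead of spinning.
DecodeResult decodeHardened(const std::string& ciphertext, std::size_t maxFrameSize) {
    if (maxFrameSize == 0)
        throw std::invalid_argument("max-frame-size must be positive");
    DecodeResult r{0, 0, false};
    std::size_t pos = 0;
    while (pos < ciphertext.size()) {
        std::size_t n = std::min(maxFrameSize, ciphertext.size() - pos);
        if (n == 0)
            throw std::logic_error("decode pass made no progress");
        pos += n;
        ++r.frames;
    }
    r.consumed = pos;
    return r;
}

// True when negotiateMaxFrameSize accepts the client's tune-ok value.
bool tuneOkAccepted(std::uint32_t clientTuneOk, std::uint32_t brokerAdvertised) {
    try { negotiateMaxFrameSize(clientTuneOk, brokerAdvertised); return true; }
    catch (const std::invalid_argument&) { return false; }
}

// True when decodeHardened refuses a zero frame size rather than looping.
bool hardenedRejectsZero(const std::string& ciphertext) {
    try { decodeHardened(ciphertext, 0); return false; }
    catch (const std::invalid_argument&) { return true; }
}

int main() {
    const std::string sample(10, 'x');   // constructed stand-in for ciphertext
    DecodeResult ok = decodeVulnerable(sample, 4);
    DecodeResult bad = decodeVulnerable(sample, 0);
    std::cout << "max-frame-size 4: frames=" << ok.frames << " consumed=" << ok.consumed << '\n'
              << "max-frame-size 0: stuck=" << bad.stuck << " consumed=" << bad.consumed << '\n'
              << "negotiated for tune-ok 0: " << negotiateMaxFrameSize(0, 65535) << '\n';
    return 0;
}
```

Build with `g++ -std=c++11 -Wall` and run; the vulnerable loop reports `stuck=1 consumed=0` for a frame size of 0, which is the hang in the report with a budget bolted on. The point of the fix is where the check lives: validating the value once, at tune-ok, is what keeps every later consumer of it (the decode loop, buffer sizing) from having to defend against 0 separately.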
Fixed upstream at revision 736370.
Tested on RHEL 5.3 (there aren't packages with Kerberos support for RHEL 4.7), i386/x86_64. It works, so --> VERIFIED
Fixed and verified; closing.