Bug 597290 - sasl_decode buffer overflow under load
sasl_decode buffer overflow under load
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: saslwrapper (Show other bugs)
6.0
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Rafael H. Schloming
Eduard Benes
:
Depends On: 569698
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-28 11:17 EDT by Gordon Sim
Modified: 2014-12-01 18:14 EST (History)
7 users (show)

See Also:
Fixed In Version: saslwrapper-0.1.934605-2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 569698
Environment:
Last Closed: 2010-11-10 16:33:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
proposed reproducer (3.75 KB, application/octet-stream)
2010-07-20 13:40 EDT, Eduard Benes
no flags Details

  None (edit)
Description Gordon Sim 2010-05-28 11:17:13 EDT
+++ This bug was initially created as a clone of Bug #569698 +++

Description of problem:

saslwrapper's sasl_decode can fail in the following manner under load

How reproducible:

Seems to be 100% so far.

Steps to Reproduce:

from qpid.messaging import *

c = Connection("localhost", 5672)
s = c.session()

rcvs = []
for i in range(20000):
  rcvs.append(s.receiver("amq.topic/%s" % i))

print "connecting"
c.connect()
print "connected"
  
Actual results:

qpid.messaging.exceptions.ConnectError: Traceback (most recent call last):
  File "/home/rhs/qpid/python/qpid/messaging/driver.py", line 502, in write
    data = self._sasl.decode(data)
  File "/home/rhs/qpid/python/qpid/sasl.py", line 66, in decode
    raise SASLError(self._cli.getError())
SASLError: Error in sasl_decode (-3) SASL(-3): overflowed buffer: input too large for default sasl_decode

Expected results:

script should print connecting, then connected, and exit

--- Additional comment from tross@redhat.com on 2010-05-27 23:38:21 EDT ---

Created an attachment (id=417456)
Proposed fix

Attached is a proposed fix for this bug.  The man page for sasl_decode states that no more than max-buffer-size bytes should be give to sasl_decode at one time.  This patch divides up long strings into strings of at-most max-buffer-size.

--- Additional comment from gsim@redhat.com on 2010-05-28 04:43:48 EDT ---

I verified that the patch fixes the issue as I observed it and committed it to trunk (r949126) and the release repo (fa3441b41b2d437a67ce9071fb70dd1939c1d7f2).

--- Additional comment from gsim@redhat.com on 2010-05-28 04:48:16 EDT ---

Created an attachment (id=417519)
testcase

To reprduce the problem very simply, create a queue named my-queue, fill it up with lots of messages (e.g. 100,000), the run the attached python script. This opens a subscription with unlimited credit causing a flood of messages to be sent which overwhelms the sasl_decode and the script fails with something like:

$ ~/Desktop/qpid_receive_old_unreliable
Traceback (most recent call last):
  File "/home/gordon/Desktop/qpid_receive_old_unreliable", line 57, in <module>
    message = queue.get(timeout=600)
  File "/home/gordon/projects/git-qpid/qpid/qpid/python/qpid/queue.py", line 55, in get
    raise Closed(self.error)
qpid.exceptions.Closed: (None, 'connection aborted')

This is the case whenever the sasl_wrapper support is on the path (if using packages if python-saslwrapper is installed), regardless of whether any sasl layer is actually used.
Comment 1 Gordon Sim 2010-05-28 13:27:20 EDT
Fixed in saslwrapper-0.1.934605-2.el6.
Comment 4 Eduard Benes 2010-07-20 13:40:04 EDT
Created attachment 433226 [details]
proposed reproducer

Updated reproducer based on testcase [1] from original bug report.

[1] https://bugzilla.redhat.com/attachment.cgi?id=417519
Comment 7 releng-rhel@redhat.com 2010-11-10 16:33:29 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.