Bug 597290 - sasl_decode buffer overflow under load
Summary: sasl_decode buffer overflow under load
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: saslwrapper
Version: 6.0
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Rafael H. Schloming
QA Contact: Eduard Benes
URL:
Whiteboard:
Keywords:
Depends On: 569698
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-28 15:17 UTC by Gordon Sim
Modified: 2014-12-01 23:14 UTC (History)
7 users (show)

(edit)
Clone Of: 569698
(edit)
Last Closed: 2010-11-10 21:33:29 UTC


Attachments (Terms of Use)
proposed reproducer (3.75 KB, application/octet-stream)
2010-07-20 17:40 UTC, Eduard Benes
no flags Details

Description Gordon Sim 2010-05-28 15:17:13 UTC
+++ This bug was initially created as a clone of Bug #569698 +++

Description of problem:

saslwrapper's sasl_decode can fail in the following manner under load

How reproducible:

Seems to be 100% so far.

Steps to Reproduce:

from qpid.messaging import *

c = Connection("localhost", 5672)
s = c.session()

rcvs = []
for i in range(20000):
  rcvs.append(s.receiver("amq.topic/%s" % i))

print "connecting"
c.connect()
print "connected"
  
Actual results:

qpid.messaging.exceptions.ConnectError: Traceback (most recent call last):
  File "/home/rhs/qpid/python/qpid/messaging/driver.py", line 502, in write
    data = self._sasl.decode(data)
  File "/home/rhs/qpid/python/qpid/sasl.py", line 66, in decode
    raise SASLError(self._cli.getError())
SASLError: Error in sasl_decode (-3) SASL(-3): overflowed buffer: input too large for default sasl_decode

Expected results:

script should print connecting, then connected, and exit

--- Additional comment from tross@redhat.com on 2010-05-27 23:38:21 EDT ---

Created an attachment (id=417456)
Proposed fix

Attached is a proposed fix for this bug.  The man page for sasl_decode states that no more than max-buffer-size bytes should be give to sasl_decode at one time.  This patch divides up long strings into strings of at-most max-buffer-size.

--- Additional comment from gsim@redhat.com on 2010-05-28 04:43:48 EDT ---

I verified that the patch fixes the issue as I observed it and committed it to trunk (r949126) and the release repo (fa3441b41b2d437a67ce9071fb70dd1939c1d7f2).

--- Additional comment from gsim@redhat.com on 2010-05-28 04:48:16 EDT ---

Created an attachment (id=417519)
testcase

To reprduce the problem very simply, create a queue named my-queue, fill it up with lots of messages (e.g. 100,000), the run the attached python script. This opens a subscription with unlimited credit causing a flood of messages to be sent which overwhelms the sasl_decode and the script fails with something like:

$ ~/Desktop/qpid_receive_old_unreliable
Traceback (most recent call last):
  File "/home/gordon/Desktop/qpid_receive_old_unreliable", line 57, in <module>
    message = queue.get(timeout=600)
  File "/home/gordon/projects/git-qpid/qpid/qpid/python/qpid/queue.py", line 55, in get
    raise Closed(self.error)
qpid.exceptions.Closed: (None, 'connection aborted')

This is the case whenever the sasl_wrapper support is on the path (if using packages if python-saslwrapper is installed), regardless of whether any sasl layer is actually used.

Comment 1 Gordon Sim 2010-05-28 17:27:20 UTC
Fixed in saslwrapper-0.1.934605-2.el6.

Comment 4 Eduard Benes 2010-07-20 17:40:04 UTC
Created attachment 433226 [details]
proposed reproducer

Updated reproducer based on testcase [1] from original bug report.

[1] https://bugzilla.redhat.com/attachment.cgi?id=417519

Comment 7 releng-rhel@redhat.com 2010-11-10 21:33:29 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.