597290 – sasl_decode buffer overflow under load

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 597290 - sasl_decode buffer overflow under load

Summary: sasl_decode buffer overflow under load

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	saslwrapper
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Rafael H. Schloming
QA Contact:	Eduard Benes
Docs Contact:
URL:
Whiteboard:
Depends On:	569698
Blocks:
TreeView+	depends on / blocked

Reported:	2010-05-28 15:17 UTC by Gordon Sim
Modified:	2014-12-01 23:14 UTC (History)
CC List:	7 users (show)
Fixed In Version:	saslwrapper-0.1.934605-2.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	569698
Environment:
Last Closed:	2010-11-10 21:33:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
proposed reproducer (3.75 KB, application/octet-stream) 2010-07-20 17:40 UTC, Eduard Benes	no flags	Details
View All

Description Gordon Sim 2010-05-28 15:17:13 UTC

+++ This bug was initially created as a clone of Bug #569698 +++

Description of problem:

saslwrapper's sasl_decode can fail in the following manner under load

How reproducible:

Seems to be 100% so far.

Steps to Reproduce:

from qpid.messaging import *

c = Connection("localhost", 5672)
s = c.session()

rcvs = []
for i in range(20000):
  rcvs.append(s.receiver("amq.topic/%s" % i))

print "connecting"
c.connect()
print "connected"
  
Actual results:

qpid.messaging.exceptions.ConnectError: Traceback (most recent call last):
  File "/home/rhs/qpid/python/qpid/messaging/driver.py", line 502, in write
    data = self._sasl.decode(data)
  File "/home/rhs/qpid/python/qpid/sasl.py", line 66, in decode
    raise SASLError(self._cli.getError())
SASLError: Error in sasl_decode (-3) SASL(-3): overflowed buffer: input too large for default sasl_decode

Expected results:

script should print connecting, then connected, and exit

--- Additional comment from tross on 2010-05-27 23:38:21 EDT ---

Created an attachment (id=417456)
Proposed fix

Attached is a proposed fix for this bug.  The man page for sasl_decode states that no more than max-buffer-size bytes should be give to sasl_decode at one time.  This patch divides up long strings into strings of at-most max-buffer-size.

--- Additional comment from gsim on 2010-05-28 04:43:48 EDT ---

I verified that the patch fixes the issue as I observed it and committed it to trunk (r949126) and the release repo (fa3441b41b2d437a67ce9071fb70dd1939c1d7f2).

--- Additional comment from gsim on 2010-05-28 04:48:16 EDT ---

Created an attachment (id=417519)
testcase

To reprduce the problem very simply, create a queue named my-queue, fill it up with lots of messages (e.g. 100,000), the run the attached python script. This opens a subscription with unlimited credit causing a flood of messages to be sent which overwhelms the sasl_decode and the script fails with something like:

$ ~/Desktop/qpid_receive_old_unreliable
Traceback (most recent call last):
  File "/home/gordon/Desktop/qpid_receive_old_unreliable", line 57, in <module>
    message = queue.get(timeout=600)
  File "/home/gordon/projects/git-qpid/qpid/qpid/python/qpid/queue.py", line 55, in get
    raise Closed(self.error)
qpid.exceptions.Closed: (None, 'connection aborted')

This is the case whenever the sasl_wrapper support is on the path (if using packages if python-saslwrapper is installed), regardless of whether any sasl layer is actually used.

Comment 1 Gordon Sim 2010-05-28 17:27:20 UTC

Fixed in saslwrapper-0.1.934605-2.el6.

Comment 4 Eduard Benes 2010-07-20 17:40:04 UTC

Created attachment 433226 [details]
proposed reproducer

Updated reproducer based on testcase [1] from original bug report.

[1] https://bugzilla.redhat.com/attachment.cgi?id=417519

Comment 7 releng-rhel@redhat.com 2010-11-10 21:33:29 UTC

Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.