[email protected] wrote: > Full_Name: Jouko Orava > Version: 2.4.28, 2.4.33 > OS: Debian/Ubuntu > URL: > Submission from: (NULL) (82.181.197.37) > > > If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes in > ldap_start_tls_s() due to a double free. See > https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353 > for my original bug submission, including a suggested patch, > https://launchpadlibrarian.net/129174364/openldap-ciphersuite.patch > and a simple example ldapsearch-like program that can be used to test the > issue.
This is now fixed in git master. > > This bug is not critical, since using a valid GnuTLS cipher suite does work, > for > example "NORMAL" or "SECURE256". However, trying to use anything more specific > is exceedingly difficult -- basically trial and error, due to applications > crashing in libldap with an invalid one. > > The two other TLS implementations in OpenLDAP are not affected by this bug. > > The double free occurs in > openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the > ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the error_exit: path. Because > the cipher suite string was unacceptable to GnuTLS, the context is either > released by GnuTLS or never properly initialized. The error_exit: path tries > to > release that context, and causes the C library to abort the program as it > detects a double free. > > Simply commenting the ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the > error_exit: path in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx() > masks the issue, but is obviously incorrect (as it affects the two other TLS > implementations too). > > My suggested patch is to use the configured cipher suite string when creating > the new TLS context, instead of "NORMAL" as is currently done, in > openldap/libraries/libldap/tls_g.c:tlsg_ctx_new(). If there is a problem with > the cipher suite priority string, the initial context is torn down, and caught > earlier in openldap/libraries/libldap/tls2.c, avoiding the crash. (However, > the > cipher suite string will be parsed twice.) > > There seem to be numerous unhandled bug reports in various distributions and > applications, including > http://www.openldap.org/its/index.cgi/Incoming?id=6939#themesg > which are quite tricky to investigate, as the actual bug occurs deep in > libldap. > Only user checks with a patched libldap will prove whether these are actually > caused by this bug or not. It is very easy to assume it is an application bug, > due to the symptoms and pretty limited circumstances. > > Recap: libldap + GnuTLS, application using ldap_start_tls, and any cipher > suite > string not acceptable to GnuTLS will cause libldap to crash due to a double > free. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
