On a beta system:
$ dmesg |head -n2
OpenBSD 5.1-beta (GENERIC.MP) #178: Thu Feb  2 02:44:59 MST 2012
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP

I have openldap clients segfault on me using GSSAPI, e.g.:
$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: re...@test.lan
SASL SSF: 56
SASL data security layer installed.
Segmentation fault (core dumped)
$ gdb ldapwhoami
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd5.1"...(no debugging symbols found)

(gdb) run
Starting program: /usr/local/bin/ldapwhoami
(no debugging symbols found)
SASL/GSSAPI authentication started
SASL username: re...@test.lan
SASL SSF: 56
SASL data security layer installed.

Program received signal SIGSEGV, Segmentation fault.
0x093b099e in sasl_gss_encode () from /usr/local/lib/sasl2/libgssapiv2.so.2.22
(gdb) bt
#0  0x093b099e in sasl_gss_encode () from /usr/local/lib/sasl2/libgssapiv2.so.2.22
#1  0x06ff1311 in _sasl_encodev () from /usr/local/lib/libsasl2.so.2.23
#2  0x06ff1832 in sasl_encodev () from /usr/local/lib/libsasl2.so.2.23
#3  0x06ff19fa in sasl_encode () from /usr/local/lib/libsasl2.so.2.23
#4  0x1c023d9a in ?? ()
#5  0x7edf74d0 in ?? ()
#6  0x7edf2020 in ?? ()
#7  0x00000020 in ?? ()
#8  0x7edf3944 in ?? ()
#9  0xcfbe83ac in ?? ()
#10 0x00000061 in ?? ()
#11 0x000001ff in ?? ()
#12 0x2a826c98 in ?? () from /usr/lib/libc.so.62.0
#13 0x00000000 in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y


From reading http://www.spinics.net/lists/cyrus-sasl/msg02004.html, I 
understand the issue probably is a pointer being assigned to a buffer, that 
buffer potentially being a NULL pointer, or getting reallocated, invalidating 
the pointer. Dereferencing the pointer after that (hopefully) segfaults.

Since it makes sense to me, I tried the suggestion from that message 
(assigning the pointer after the potential reallocation) and it seems to 
solve the problem.


What I did:

modify the plugins/gssapi.c file and use 'make update-patches' to create the 
file patches/patch-plugins_gssapi_c:
$OpenBSD$
--- plugins/gssapi.c.orig       Mon Feb  6 09:30:58 2012
+++ plugins/gssapi.c    Mon Feb  6 09:31:47 2012
@@ -370,7 +370,7 @@ sasl_gss_encode(void *context, const struct iovec *inv
     }
     
     if (output_token->value && output) {
-       unsigned char * p = (unsigned char *) text->encode_buf;
+       unsigned char * p;
        
        ret = _plug_buf_alloc(text->utils,
                              &(text->encode_buf),
@@ -384,6 +384,8 @@ sasl_gss_encode(void *context, const struct iovec *inv
            return ret;
        }
        
+       p = (unsigned char *) text->encode_buf;
+
        p[0] = (output_token->length>>24) & 0xFF;
        p[1] = (output_token->length>>16) & 0xFF;
        p[2] = (output_token->length>>8) & 0xFF;
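Review bot: taking `p` only after the `return ret;` error path of `_plug_buf_alloc` is the right place for it, since that is the first point at which `text->encode_buf` is guaranteed valid and stable. Before committing, it is worth checking the rest of plugins/gssapi.c for the same pattern (a pointer cached from `text->encode_buf` or the decode buffer before a `_plug_buf_alloc` call), since the hunk fixes only this one site.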

updated the package revision:
? patches/patch-plugins_gssapi_c
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/cyrus-sasl2/Makefile,v
retrieving revision 1.64
diff -u -r1.64 Makefile
--- Makefile    21 Dec 2011 14:36:15 -0000      1.64
+++ Makefile    6 Feb 2012 09:12:42 -0000
@@ -20,7 +20,7 @@
 
 CATEGORIES=    security
 
-REVISION=      1
+REVISION=      2
 
 HOMEPAGE=      http://www.cyrusimap.org/
 
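Review bot: the REVISION bump from 1 to 2 is needed because the package contents change. The `? patches/patch-plugins_gssapi_c` line above shows the new patch file is untracked, so this cvs diff does not carry it; the file needs a `cvs add` (or must be sent alongside, as it is pasted above) for the port change to be complete.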

in directory ~/ports/security/cyrus-sasl2, do:
$ make clean
$ make configure
$ make
$ make fake
$ make package 
$ make update

resulting in a working ldapwhoami:
$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: re...@test.lan
SASL SSF: 56
SASL data security layer installed.
dn:uid=remco,cn=gssapi,cn=auth
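The ordering bug the message describes, as an added example in C that is not code from the post or from cyrus-sasl: `struct ctx`, `buf_alloc` and the two function names are assumed stand-ins for the plugin's context, `_plug_buf_alloc` and `sasl_gss_encode`. The original ordering is shown without dereferencing the stale pointer; it only reports whether the buffer was NULL or moved underneath it.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the plugin's per-connection state: only the fields
 * the encode path touches. */
struct ctx {
    char *encode_buf;
    unsigned encode_buf_len;
};

/* Assumed stand-in for _plug_buf_alloc(): grow *buf to at least need bytes.
 * realloc() may move the block, so any pointer taken before this call is stale. */
static int buf_alloc(char **buf, unsigned *len, unsigned need)
{
    if (*buf != NULL && *len >= need)
        return 0;
    char *nbuf = realloc(*buf, need);
    if (nbuf == NULL)
        return -1;
    *buf = nbuf;
    *len = need;
    return 0;
}

/* Patched ordering: allocate first, then take p from the (possibly moved) buffer
 * and write the 4-byte big-endian length prefix followed by the token. */
int encode_fixed(struct ctx *text, const unsigned char *tok, unsigned toklen)
{
    if (buf_alloc(&text->encode_buf, &text->encode_buf_len, toklen + 4) != 0)
        return -1;
    unsigned char *p = (unsigned char *)text->encode_buf;
    p[0] = (toklen >> 24) & 0xFF;
    p[1] = (toklen >> 16) & 0xFF;
    p[2] = (toklen >> 8) & 0xFF;
    p[3] = toklen & 0xFF;
    memcpy(p + 4, tok, toklen);
    return 0;
}

/* Original ordering: p is taken before the allocation. Writing through it
 * would be undefined behaviour, so this only reports whether p went stale:
 * returns 1 when the buffer was NULL or moved, 0 when it stayed put. */
int encode_original_stale(struct ctx *text, unsigned toklen)
{
    unsigned char *p = (unsigned char *)text->encode_buf;
    if (buf_alloc(&text->encode_buf, &text->encode_buf_len, toklen + 4) != 0)
        return -1;
    return p != (unsigned char *)text->encode_buf;
}
```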
