Re: Multiple crashes in cyrus-imapd-3.0.1 (httpd)

2017-05-10 Thread Ken Murchison



On 05/10/2017 03:09 PM, Fritz Elfert wrote:

> On 10.05.2017 18:45, Ken Murchison wrote:
>
> [...]
>>> ***It would be interesting to know what the original author of that
>>> suspicious line in httpd.c had intended.***
>>
>> Setting maxbufsize to zero disables integrity and security protection
>> since no HTTP client that I found uses qop=auth-int.
>
> Which cyrus-sasl version did you use?


I use SASL from git on my machines.


--
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University



Re: Multiple crashes in cyrus-imapd-3.0.1 (httpd)

2017-05-10 Thread Fritz Elfert
On 10.05.2017 18:45, Ken Murchison wrote:

[...]
>> ***It would be interesting to know what the original author of that
>> suspicious line in httpd.c had intended.***
> 
> Setting maxbufsize to zero disables integrity and security protection
> since no HTTP client that I found uses qop=auth-int.
> 
> 
Which cyrus-sasl version did you use?

At least *here* using *Fedora's* packaged cyrus-sasl-2.1.26 (which
admittedly turned out to be heavily patched by RedHat - for security?),
the invocation of either

sasl_setprop(httpd_saslconn, SASL_SEC_PROPS, secprops)

or

sasl_setprop(httpd_saslconn, SASL_SSF_EXTERNAL, _ssf)

returns a value != SASL_OK.

Both printed the same error message (changes with my pull request) which
is why I can't tell which one failed (most likely the first one though).

If you'd like to have a look at RedHat's patches to cyrus-sasl-2.1.26, you
can browse them here:

https://build.opensuse.org/package/show/home:felfert/cyrus-sasl

Cheers
 -Fritz



signature.asc
Description: OpenPGP digital signature


Re: Multiple crashes in cyrus-imapd-3.0.1 (httpd)

2017-05-10 Thread Ken Murchison
My recommendation is to NOT use HTTP Digest since its deployment in 
current clients is a non-interoperable mess.  I actually regret that I 
ever attempted to support it in Cyrus HTTP.



On 05/09/2017 06:30 AM, Fritz Elfert wrote:

Hello everyone,

Last week I decided to give cyrus-imap v3.0.1 a try because I wanted to play
with CalDAV and CardDAV.
My mail server runs Fedora24 and I used the distro packages
(cyrus-imapd-2.4.18-2.fc24 and cyrus-sasl-2.1.26-26.2.fc24) until now.

Since fedora does not provide a cyrus-imapd 3.x package yet, I rolled my own
which can be inspected (build logs) and downloaded here:

https://build.opensuse.org/package/show/home:felfert/cyrus-imapd

Unfortunately, the first attempt at accessing the administrative URLs for
CalDAV and CardDAV immediately resulted in a crash of httpd, which logged
the following error message before crashing:

Failed to set SASL property

Grepping through the code, I quickly identified two possible locations in
httpd.c. Furthermore, while reading the code the following suspicious line
in httpd.c stood out:

secprops->maxbufsize = 0;   /* don't need maxbuf */

After commenting out this line the new httpd went a little bit further, but
still crashed (now with a division-by-zero). Performing a post-mortem debug
session on the coredump revealed the following:

== gdb session 


[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `httpd -s'.
Program terminated with signal SIGFPE, Arithmetic exception.
#0  digestmd5_server_mech_step1 (stext=0x562c55c68b70, sparams=0x562c55c2c670, 
serverout=0x7fff0678d7f0, serveroutlen=0x7fff0678d7e8, oparams=, 
clientinlen=, clientin=) at digestmd5.c:2119
2119	    unsigned val = hash((char *) nonce) % text->reauth->size;
(gdb) p text->reauth->size
$1 = 0
(gdb) p text->reauth
$2 = (reauth_cache_t *) 0x562c55c07300
(gdb) p text
$3 = (context_t *) 0x562c55c68b70
(gdb) p sparams
$4 = (sasl_server_params_t *) 0x562c55c2c670
(gdb) p *sparams
$5 = {service = 0x562c55c2c760 "HTTP", appname = 0x562c55c2cad0 "Cyrus", serverFQDN = 0x562c55c2c8c0 
"fsun.fe.think", user_realm = 0x0,   iplocalport = 0x562c55c2db34 "192.168.2.17;50443", ipremoteport = 
0x562c55c2df55 "192.168.2.25;51652", servicelen = 4, applen = 5, slen = 13,   urlen = 0, iploclen = 18, ipremlen = 18, 
log_level = 1, utils = 0x562c55c2c8e0, callbacks = 0x0, props = {min_ssf = 128, max_ssf = 0, maxbufsize = 4096, security_flags = 
17, property_names = 0x0, property_values = 0x0}, external_ssf = 128, transition = 0x0,   canon_user = 0x7f38701b59d0 
<_sasl_canon_user_lookup>, propctx = 0x562c55c2ca90, gss_creds = 0x0, cbinding = 0x0,   http_request = 0x7fff0678d7f0, spare_ptr4 
= 0x0, spare_fptr1 = 0x0, spare_fptr2 = 0x0, spare_int1 = 0, spare_int2 = 0, spare_int3 = 0,   flags = 20, param_version = 0}
(gdb) p *stext
$6 = {common = {state = 1, i_am = SERVER, http_mode = 16, reauth = 0x562c55c07300, authid = 0x0, realm = 0x562c55c66d30 "fsun.fe.think", nonce 
= 0x0, nonce_count = 0, cnonce = 0x0, realms = 0x0, realm_cnt = 0, response_value = 0x0, seqnum = 0, rec_seqnum = 0, Ki_send = '\000' , Ki_receive = '\000' , HA1 = '\000' , utils = 0x0, out_buf = 0x562c55c672e0 
"nonce=\"1Udc9hC0Ylt73aZl4Un7Te62r/VLOGdwf4VM7P7vFQM=\",realm=\"fsun.fe.think\",qop=\"auth\",maxbuf=4096,charset=utf-8,algorithm=md5-sess",
 out_buf_len = 216, enc_in_buf = 0x0, encode_buf = 0x0, decode_buf = 0x0, decode_packet_buf = 0x0, encode_buf_len = 0, decode_buf_len = 0, 
decode_packet_buf_len = 0, decode_context = {utils = 0x0, needsize = 0, sizebuf = "\000\000\000", size = 0,   buffer = 0x0, cursize = 0, 
in_maxbuf = 0}, cipher_enc = 0x0, cipher_dec = 0x0, cipher_init = 0x0, cipher_free = 0x0, cipher_enc_context = 0x0, cipher_dec_context = 0x0}, timestamp 
= 0, stale = 0, limitssf = 0, requiressf = 0}
(gdb) p text
$7 = (context_t *) 0x562c55c68b70
(gdb) p *text
$8 = {state = 1, i_am = SERVER, http_mode = 16, reauth = 0x562c55c07300, authid = 0x0, realm = 0x562c55c66d30 "fsun.fe.think", nonce = 0x0,   
nonce_count = 0, cnonce = 0x0, realms = 0x0, realm_cnt = 0, response_value = 0x0, seqnum = 0, rec_seqnum = 0,   Ki_send = '\000' , 
Ki_receive = '\000' , HA1 = '\000' , utils = 0x0,   out_buf = 0x562c55c672e0 
"nonce=\"1Udc9hC0Ylt73aZl4Un7Te62r/VLOGdwf4VM7P7vFQM=\",realm=\"fsun.fe.think\",qop=\"auth\",maxbuf=4096,charset=utf-8,algorithm=md5-sess",
 out_buf_len = 216, enc_in_buf = 0x0, encode_buf = 0x0, decode_buf = 0x0, decode_packet_buf = 0x0, encode_buf_len = 0,   decode_buf_len = 0, 
decode_packet_buf_len = 0, decode_context = {utils = 0x0, needsize = 0, sizebuf = "\000\000\000", size = 0, buffer = 0x0, cursize = 0, 
in_maxbuf = 0}, cipher_enc = 0x0, cipher_dec = 0x0, cipher_init = 0x0, cipher_free = 0x0, cipher_enc_context = 0x0,   

Re: Multiple crashes in cyrus-imapd-3.0.1 (httpd)

2017-05-10 Thread Ken Murchison



On 05/09/2017 06:30 AM, Fritz Elfert wrote:

[...]
(gdb) p *text->reauth
$9 = {i_am = SERVER, timeout = 0, mutex = 0x0, size = 0, e = 0x0}
(gdb)
== gdb session
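The division by zero in the gdb session above (`hash(nonce) % text->reauth->size` with `size == 0`), shown as an added example that is not code from this thread or from cyrus-sasl: the cache and entry types, `hash()` and all function names are assumptions modelled on the `size`/`e` fields visible in `$9`, beside the guarded lookup and init-time check that would turn the crash into a recoverable setup error.

```c
#include <stddef.h>
#include <string.h>

/* Toy reauth cache modelled on the fields in the gdb dump ($9: size, e);
 * these type and function names are assumptions, not cyrus-sasl's own. */
typedef struct { const char *nonce; } reauth_entry_t;   /* NULL = empty slot */
typedef struct { size_t size; reauth_entry_t *e; } reauth_cache_t;

/* Simple string hash standing in for the plugin's hash() */
static unsigned hash(const char *s) {
    unsigned h = 5381;
    while (*s) h = h * 33u + (unsigned char)*s++;
    return h;
}

/* The pattern at digestmd5.c:2119: with cache->size == 0 the '%' raises
 * SIGFPE, so one request against an unsized cache kills the httpd process. */
unsigned unguarded_slot(const reauth_cache_t *cache, const char *nonce) {
    return hash(nonce) % cache->size;
}

/* Hardened lookup: never index an unsized cache; -1 tells the caller to
 * skip reauth and run a full DIGEST-MD5 exchange instead of crashing. */
long guarded_slot(const reauth_cache_t *cache, const char *nonce) {
    if (cache == NULL || cache->size == 0 || cache->e == NULL)
        return -1;
    return (long)(hash(nonce) % cache->size);
}

/* Init-time check: a zero-sized cache is a setup error and should fail
 * where sasl_setprop() would report it, not at request time. */
int reauth_cache_init(reauth_cache_t *cache, reauth_entry_t *slots, size_t n) {
    if (cache == NULL || slots == NULL || n == 0)
        return -1;
    memset(slots, 0, n * sizeof *slots);
    cache->size = n;
    cache->e = slots;
    return 0;
}

/* Exercises both paths; returns 1 when the guards behave as described */
int self_check(void) {
    reauth_entry_t slots[64];
    reauth_cache_t cache = { 0, NULL };            /* the state seen in $9 */
    if (guarded_slot(&cache, "abc") != -1) return 0;
    if (reauth_cache_init(&cache, slots, 0) != -1) return 0;
    if (reauth_cache_init(&cache, slots, 64) != 0) return 0;
    long s = guarded_slot(&cache, "abc");
    return s >= 0 && s < 64 && (unsigned)s == unguarded_slot(&cache, "abc");
}
```

Failing at init is the point: a misconfigured or never-sized cache then surfaces alongside the thread's "Failed to set SASL property" error rather than as a SIGFPE on the first authenticated request, which is a trivially triggered denial of service.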