** Description changed:

- Description:    Ubuntu 14.04.4 LTS
- Release:        14.04
- 
- openvpn-auth-ldap=2.0.3-5.1
- 
+ [Impact] 
  There is a timeout bug in the openvpn-auth-ldap package that causes
  OpenVPN to crash when the network timeout is exceeded.
  
  The openvpn-auth-ldap plugin is not correctly checking the error codes
  from ldap_result. As a result, it is not catching timeouts, and proceeds
  as if ldap_result was successful. This results in a segfault when access
  to the result (which is set to Null) is attempted.
  
- You can see this bug referenced here:
+ Network timeouts are somewhat common and services should be resilient to
+ it. Having a service as a whole crash because of such an occurrence is
+ not acceptable.
  
- https://github.com/threerings/openvpn-auth-ldap/issues/11
+ This upload fixes the problem by simply including the timeout error case
+ in an existing check. It was clearly just an oversight in that one call,
+ as the remainder of the code does handle timeout errors. It was just
+ never reached.
  
- And a fix mentioned here:
+ [Test Case]
  
- https://github.com/threerings/openvpn-auth-ldap/pull/53
+  * detailed instructions how to reproduce the bug
  
- The above patch is not compatible with the source provided with 14.04,
- so I have updated the patch to work with the 14.04 source. I have
- provided it below.
+  * these should allow someone who is not familiar with the affected
+    package to reproduce the bug and verify that the updated package fixes
+    the problem.
  
- I would appreciate if a package with the fix could be released.
+ [Regression Potential] 
+ The patch is very focused. I believe the biggest regression potential lies in 
the fact that this package hasn't been rebuilt very often. This new build will 
be done with the surrounding system libraries having changed a lot since the 
last time this package was built.
  
- -Aaron Peschel
- 
- Index: openvpn-auth-ldap/src/LFLDAPConnection.m
- ===================================================================
- --- openvpn-auth-ldap.orig/src/LFLDAPConnection.m       2016-07-12
- 23:24:14.710216000 +0000
- +++ openvpn-auth-ldap/src/LFLDAPConnection.m    2016-07-12
- 23:24:48.394216000 +0000
- @@ -175,7 +175,7 @@
-         /* Wait for the result */
-         timeout.tv_sec = _timeout;
-         timeout.tv_usec = 0;
- -       if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
- +       if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
-                 err = ldap_get_errno(ldapConn);
-                 if (err == LDAP_TIMEOUT)
-                         ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
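Review bot: With the comparison widened to `<= 0`, a return of 0 from ldap_result() now enters the branch that reads `err = ldap_get_errno(ldapConn)`, so the `err == LDAP_TIMEOUT` test only abandons the request if the connection's stored error is actually LDAP_TIMEOUT when 0 comes back. Confirm that, or handle the 0 return explicitly (treat it as a timeout and call ldap_abandon_ext directly) so the abandon does not depend on the stored error code. A one-line comment on the check saying that 0 means the timeout expired and -1 means an error would also keep a later edit from narrowing it back to `== -1`.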
- @@ -383,7 +383,7 @@
-         }
- 
-         /* Wait for the result */
- -       if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
- +       if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
-                 err = ldap_get_errno(ldapConn);
-                 if (err == LDAP_TIMEOUT)
-                         ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
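Review bot: The check at -383 is a line-for-line copy of the one at -175, and the [Other Info] section of the new description says the provided test case exercises only one of the two. Consider moving the wait-and-check sequence into a single helper used by both call sites so they cannot drift apart again, and state in the test plan which site remains unverified. The visible context here also does not show `timeout` being filled in before the call, unlike the first hunk where tv_sec and tv_usec are assigned just above; check that it is initialized on this path.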
- 
- ProblemType: Crash
- DistroRelease: Ubuntu 14.04
- Package: openvpn 2.3.2-7ubuntu3.1
- ProcVersionSignature: Ubuntu 3.13.0-74.118-generic 3.13.11-ckt30
- Uname: Linux 3.13.0-74-generic x86_64
- ApportVersion: 2.14.1-0ubuntu3.21
- Architecture: amd64
- AssertionMessage: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion 
`res != ((void *)0)' failed.
- Date: Tue Jul 12 21:35:10 2016
- Ec2AMI: ami-9abea4fb
- Ec2AMIManifest: (unknown)
- Ec2AvailabilityZone: us-west-2c
- Ec2InstanceType: t2.small
- Ec2Kernel: unavailable
- Ec2Ramdisk: unavailable
- ExecutablePath: /usr/sbin/openvpn
- ProcCmdline: /usr/sbin/openvpn --writepid /run/openvpn/foxpass.pid --daemon 
ovpn-foxpass --cd /etc/openvpn --config /etc/openvpn/foxpass.conf 
--script-security 2
- ProcEnviron:
-  TERM=screen-256color
-  PATH=(custom, no user)
-  LANG=en_US.UTF-8
- Signal: 6
- SourcePackage: openvpn
- StacktraceTop:
-  __assert_fail_base (fmt=0x7f3cd7f203b8 "%s%s%s:%u: %s%sAssertion `%s' 
failed.\n%n", assertion=assertion@entry=0x7f3cd796d9bd "res != ((void *)0)", 
file=file@entry=0x7f3cd796e100 "sasl.c", line=line@entry=257, 
function=function@entry=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at 
assert.c:92
-  __GI___assert_fail (assertion=0x7f3cd796d9bd "res != ((void *)0)", 
file=0x7f3cd796e100 "sasl.c", line=257, function=0x7f3cd796e3e0 
"ldap_parse_sasl_bind_result") at assert.c:101
-  ldap_parse_sasl_bind_result () from 
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
-  ?? () from /usr/lib/openvpn/openvpn-auth-ldap.so
-  connect_ldap () from /usr/lib/openvpn/openvpn-auth-ldap.so
- Title: openvpn assert failure: openvpn: sasl.c:257: 
ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
- UpgradeStatus: No upgrade log present (probably fresh install)
- UserGroups:
+ [Other Info]
+ There are two places in the code which mishandled the return code of 
ldap_result(). They are essentially identical, but the test case I provided 
only covers one of them. I believe that to be good enough, as the other code 
path will require setting up an LDAP server with a populated directory.
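Review bot: The [Test Case] section still holds the template placeholder bullets ("detailed instructions how to reproduce the bug", "these should allow someone who is not familiar...") while [Other Info] refers to "the test case I provided"; the actual reproduction steps need to be filled in. The rewrite also drops the upstream issue and pull request links, the patch itself and the assertion trace from the description; keeping at least the two upstream links would preserve where the fix came from.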

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1602813

Title:
  openvpn-auth-ldap causing segfault on network timeout

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn-auth-ldap/+bug/1602813/+subscriptions
