[Bug 1602813] Re: openvpn-auth-ldap causing segfault on network timeout

Tue Jun 20 13:55:11 UTC 2017

** Description changed:

- Description:    Ubuntu 14.04.4 LTS
- Release:        14.04
- 
- openvpn-auth-ldap=2.0.3-5.1
- 
+ [Impact] 
  There is a timeout bug in the openvpn-auth-ldap package that causes
  OpenVPN to crash when the network timeout is exceeded.

  The openvpn-auth-ldap plugin is not correctly checking the error codes
  from ldap_result. As a result, it is not catching timeouts, and proceeds
  as if ldap_result was successful. This results in a segfault when access
  to the result (which is set to Null) is attempted.

- You can see this bug referenced here:
+ Network timeouts are somewhat common and services should be resilient to
+ it. Having a service as a whole crash because of such an occurrence is
+ not acceptable.

- https://github.com/threerings/openvpn-auth-ldap/issues/11
+ This upload fixes the problem by simply including the timeout error case
+ in an existing check. It was clearly just an oversight in that one call,
+ as the remainder of the code does handle timeout errors. It was just
+ never reached.

- And a fix mentioned here:
+ [Test Case]

- https://github.com/threerings/openvpn-auth-ldap/pull/53
+  * detailed instructions how to reproduce the bug

- The above patch is not compatible with the source provided with 14.04,
- so I have updated the patch to work with the 14.04 source. I have
- provided it below.
+  * these should allow someone who is not familiar with the affected
+    package to reproduce the bug and verify that the updated package fixes
+    the problem.

- I would appreciate if a package with the fix could be released.
+ [Regression Potential] 
+ The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.

- -Aaron Peschel
- 
- Index: openvpn-auth-ldap/src/LFLDAPConnection.m
- ===================================================================
- --- openvpn-auth-ldap.orig/src/LFLDAPConnection.m       2016-07-12
- 23:24:14.710216000 +0000
- +++ openvpn-auth-ldap/src/LFLDAPConnection.m    2016-07-12
- 23:24:48.394216000 +0000
- @@ -175,7 +175,7 @@
-         /* Wait for the result */
-         timeout.tv_sec = _timeout;
-         timeout.tv_usec = 0;
- -       if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
- +       if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
-                 err = ldap_get_errno(ldapConn);
-                 if (err == LDAP_TIMEOUT)
-                         ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
- @@ -383,7 +383,7 @@
-         }
- 
-         /* Wait for the result */
- -       if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
- +       if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
-                 err = ldap_get_errno(ldapConn);
-                 if (err == LDAP_TIMEOUT)
-                         ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
- 
- ProblemType: Crash
- DistroRelease: Ubuntu 14.04
- Package: openvpn 2.3.2-7ubuntu3.1
- ProcVersionSignature: Ubuntu 3.13.0-74.118-generic 3.13.11-ckt30
- Uname: Linux 3.13.0-74-generic x86_64
- ApportVersion: 2.14.1-0ubuntu3.21
- Architecture: amd64
- AssertionMessage: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
- Date: Tue Jul 12 21:35:10 2016
- Ec2AMI: ami-9abea4fb
- Ec2AMIManifest: (unknown)
- Ec2AvailabilityZone: us-west-2c
- Ec2InstanceType: t2.small
- Ec2Kernel: unavailable
- Ec2Ramdisk: unavailable
- ExecutablePath: /usr/sbin/openvpn
- ProcCmdline: /usr/sbin/openvpn --writepid /run/openvpn/foxpass.pid --daemon ovpn-foxpass --cd /etc/openvpn --config /etc/openvpn/foxpass.conf --script-security 2
- ProcEnviron:
-  TERM=screen-256color
-  PATH=(custom, no user)
-  LANG=en_US.UTF-8
- Signal: 6
- SourcePackage: openvpn
- StacktraceTop:
-  __assert_fail_base (fmt=0x7f3cd7f203b8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion at entry=0x7f3cd796d9bd "res != ((void *)0)", file=file at entry=0x7f3cd796e100 "sasl.c", line=line at entry=257, function=function at entry=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at assert.c:92
-  __GI___assert_fail (assertion=0x7f3cd796d9bd "res != ((void *)0)", file=0x7f3cd796e100 "sasl.c", line=257, function=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at assert.c:101
-  ldap_parse_sasl_bind_result () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
-  ?? () from /usr/lib/openvpn/openvpn-auth-ldap.so
-  connect_ldap () from /usr/lib/openvpn/openvpn-auth-ldap.so
- Title: openvpn assert failure: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
- UpgradeStatus: No upgrade log present (probably fresh install)
- UserGroups:
+ [Other Info]
+ There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1602813

Title:
  openvpn-auth-ldap causing segfault on network timeout

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn-auth-ldap/+bug/1602813/+subscriptions