Possible segfault in rlm_ldap #1951

Closed
spbnick opened this Issue Mar 28, 2017 · 1 comment


spbnick commented Mar 28, 2017

Issue type

  • Defect - Crash or memory corruption.
  • Defect - Non compliance with a standards document, or incorrect API usage.
  • Defect - Unexpected behaviour (obvious or verified by project member).
  • Feature request.

Defect/Feature description

I'm investigating a segfault in v3.0.12, and found something suspicious in rlm_ldap_cacheable_groupobj, at line 458:

status = rlm_ldap_search(&result, inst, request, pconn, base_dn,
                         inst->groupobj_scope, filter, attrs, NULL, NULL);
switch (status) {
case LDAP_PROC_SUCCESS:
        break;

case LDAP_PROC_NO_RESULT:
        RDEBUG2("No cacheable group memberships found in group objects");

default:
        goto finish;
}

It seems that even if rlm_ldap_bind called by rlm_ldap_search has overwritten *pconn with NULL and returned LDAP_PROC_ERROR, rlm_ldap_cacheable_groupobj would still return RLM_MODULE_OK.

Then it seems possible that rlm_ldap's mod_authorize could hit a conn dereference at line 1635:

if (inst->user_map || inst->valuepair_attr) {
        RDEBUG("Processing user attributes");
        if (rlm_ldap_map_do(inst, request, conn->handle, &expanded, entry) > 0) rcode = RLM_MODULE_UPDATED;
        rlm_ldap_check_reply(inst, request);
}

and crash, which is what seems to be happening in the following backtrace from the customer.

This code appears in v3.0.x, v3.1.x, and v4.0.x branches.

Full backtrace from LLDB or GDB

(gdb) bt
#0  0x00007fc6f290a9fb in mod_authorize (instance=0x7fc6fd0fdfd0, request=0x7fc6e83e1440) at src/modules/rlm_ldap/rlm_ldap.c:1635
#1  0x00007fc6fc33f3be in call_modsingle (request=0x7fc6e83e1440, sp=0x7fc6fd1fad60, component=MOD_AUTHORIZE) at src/main/modcall.c:302
#2  modcall_recurse (request=0x7fc6e83e1440, component=MOD_AUTHORIZE, depth=4, entry=entry@entry=0x7fc6ee73c460, do_next_sibling=true) at src/main/modcall.c:578
#3  0x00007fc6fc33e4e9 in modcall_child (request=<optimized out>, component=<optimized out>, depth=<optimized out>, entry=0x7fc6ee73c448, c=<optimized out>, result=0x7fc6ee73b9d4, do_next_sibling=true) at src/main/modcall.c:408
#4  0x00007fc6fc33e6ce in modcall_recurse (request=0x7fc6e83e1440, component=MOD_AUTHORIZE, depth=3, entry=entry@entry=0x7fc6ee73c448, do_next_sibling=true) at src/main/modcall.c:789
#5  0x00007fc6fc33e4e9 in modcall_child (request=<optimized out>, component=<optimized out>, depth=<optimized out>, entry=0x7fc6ee73c430, c=<optimized out>, result=0x7fc6ee73bc84, do_next_sibling=true) at src/main/modcall.c:408
#6  0x00007fc6fc33e6ce in modcall_recurse (request=0x7fc6e83e1440, component=MOD_AUTHORIZE, depth=2, entry=entry@entry=0x7fc6ee73c430, do_next_sibling=true) at src/main/modcall.c:789
#7  0x00007fc6fc33e4e9 in modcall_child (request=<optimized out>, component=<optimized out>, depth=<optimized out>, entry=0x7fc6ee73c418, c=<optimized out>, result=0x7fc6ee73bf34, do_next_sibling=true) at src/main/modcall.c:408
#8  0x00007fc6fc33e6ce in modcall_recurse (request=0x7fc6e83e1440, component=MOD_AUTHORIZE, depth=1, entry=entry@entry=0x7fc6ee73c418, do_next_sibling=true) at src/main/modcall.c:789
#9  0x00007fc6fc33e4e9 in modcall_child (request=<optimized out>, component=<optimized out>, depth=<optimized out>, entry=0x7fc6ee73c400, c=<optimized out>, result=0x7fc6ee73c1e4, do_next_sibling=true) at src/main/modcall.c:408
#10 0x00007fc6fc33e6ce in modcall_recurse (request=request@entry=0x7fc6e83e1440, component=component@entry=MOD_AUTHORIZE, depth=depth@entry=0, entry=entry@entry=0x7fc6ee73c400, do_next_sibling=do_next_sibling@entry=true) at src/main/modcall.c:789
#11 0x00007fc6fc33f8e6 in modcall (component=component@entry=MOD_AUTHORIZE, c=c@entry=0x7fc6fd1f62d0, request=request@entry=0x7fc6e83e1440) at src/main/modcall.c:1134
#12 0x00007fc6fc33a53d in indexed_modcall (comp=comp@entry=MOD_AUTHORIZE, idx=idx@entry=0, request=request@entry=0x7fc6e83e1440) at src/main/modules.c:1028
#13 0x00007fc6fc33b64f in process_authorize (autz_type=autz_type@entry=0, request=request@entry=0x7fc6e83e1440) at src/main/modules.c:2160
#14 0x00007fc6fc329666 in rad_authenticate (request=request@entry=0x7fc6e83e1440) at src/main/auth.c:489
#15 0x00007fc6fc329f54 in rad_virtual_server (request=request@entry=0x7fc6e83e1440) at src/main/auth.c:812
#16 0x00007fc6efe55a19 in eappeap_process (handler=handler@entry=0x7fc6e04538a0, tls_session=tls_session@entry=0x7fc6e0567c50, auth_type_eap=15491030) at src/modules/rlm_eap/types/rlm_eap_peap/peap.c:1006
#17 0x00007fc6efe53bba in mod_process (arg=0x7fc6fd122840, handler=0x7fc6e04538a0) at src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c:328
#18 0x00007fc6f64b76f2 in eap_module_call (handler=handler@entry=0x7fc6e04538a0, module=<optimized out>, module=<optimized out>) at src/modules/rlm_eap/eap.c:194
#19 0x00007fc6f64b7c13 in eap_method_select (inst=inst@entry=0x7fc6fd0cfa20, handler=handler@entry=0x7fc6e04538a0) at src/modules/rlm_eap/eap.c:457
#20 0x00007fc6f64b6aa6 in mod_authenticate (instance=0x7fc6fd0cfa20, request=0x7fc6fd2c3f60) at src/modules/rlm_eap/rlm_eap.c:286
#21 0x00007fc6fc33f3be in call_modsingle (request=0x7fc6fd2c3f60, sp=0x7fc6fd1ff480, component=MOD_AUTHENTICATE) at src/main/modcall.c:302
#22 modcall_recurse (request=0x7fc6fd2c3f60, component=MOD_AUTHENTICATE, depth=1, entry=entry@entry=0x7fc6ee73d4a8, do_next_sibling=true) at src/main/modcall.c:578
#23 0x00007fc6fc33e4e9 in modcall_child (request=<optimized out>, component=<optimized out>, depth=<optimized out>, entry=0x7fc6ee73d490, c=<optimized out>, result=0x7fc6ee73d274, do_next_sibling=true) at src/main/modcall.c:408
#24 0x00007fc6fc33e6ce in modcall_recurse (request=request@entry=0x7fc6fd2c3f60, component=component@entry=MOD_AUTHENTICATE, depth=depth@entry=0, entry=entry@entry=0x7fc6ee73d490, do_next_sibling=do_next_sibling@entry=true) at src/main/modcall.c:789
#25 0x00007fc6fc33f8e6 in modcall (component=component@entry=MOD_AUTHENTICATE, c=c@entry=0x7fc6fd1ff380, request=request@entry=0x7fc6fd2c3f60) at src/main/modcall.c:1134
#26 0x00007fc6fc33a53d in indexed_modcall (comp=comp@entry=MOD_AUTHENTICATE, idx=idx@entry=15491030, request=request@entry=0x7fc6fd2c3f60) at src/main/modules.c:1028
#27 0x00007fc6fc33b65c in process_authenticate (auth_type=auth_type@entry=15491030, request=request@entry=0x7fc6fd2c3f60) at src/main/modules.c:2168
#28 0x00007fc6fc329a3e in rad_check_password (request=0x7fc6fd2c3f60) at src/main/auth.c:252
#29 rad_authenticate (request=0x7fc6fd2c3f60) at src/main/auth.c:570
#30 0x00007fc6fc34d932 in request_running (request=0x7fc6fd2c3f60, action=<optimized out>) at src/main/process.c:1527
#31 0x00007fc6fc34678c in request_handler_thread (arg=0x7fc6fd226950) at src/main/threads.c:690
#32 0x00007fc6fa75ddc5 in start_thread (arg=0x7fc6ee73e700) at pthread_create.c:308
#33 0x00007fc6fa00f73d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb) p conn
$29 = (ldap_handle_t *) 0x0
(gdb) p inst->user_map || inst->valuepair_attr
$30 = 1
(gdb) p inst->profile_attr
$31 = 0x0
(gdb) p inst->default_profile
$32 = (vp_tmpl_t *) 0x0
(gdb) p inst->edir
$33 = false
(gdb) p inst->cacheable_group_dn || inst->cacheable_group_name
$34 = 1
(gdb) p inst->userobj_membership_attr
$35 = 0x0
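The control-flow defect described in the issue, modelled as an added example (this is not FreeRADIUS code and not the fix that was merged): a stand-in for rlm_ldap_search that NULLs the connection on a bind failure, the buggy caller shape whose rcode starts at RLM_MODULE_OK so that goto finish silently reports success, and a hardened shape that turns LDAP_PROC_ERROR into RLM_MODULE_FAIL so mod_authorize bails out before touching conn->handle. All enum names mirror the ones on the page; the helper functions and the bind_fails flag are hypothetical.

```c
#include <stddef.h>
#include <stdbool.h>

/* Simplified stand-ins for the rlm_ldap status codes quoted in the issue. */
typedef enum { LDAP_PROC_SUCCESS, LDAP_PROC_NO_RESULT, LDAP_PROC_ERROR } ldap_rcode_t;
typedef enum { RLM_MODULE_OK, RLM_MODULE_FAIL } rlm_rcode_t;
typedef struct { int handle; } ldap_handle_t;

/* Hypothetical model of rlm_ldap_search: when the underlying bind fails it
 * drops the connection, writes NULL into *pconn and returns LDAP_PROC_ERROR. */
static ldap_rcode_t search_model(ldap_handle_t **pconn, bool bind_fails)
{
    if (bind_fails) { *pconn = NULL; return LDAP_PROC_ERROR; }
    return LDAP_PROC_SUCCESS;
}

/* Buggy shape from the issue: rcode is pre-set to OK and every non-success
 * status just jumps to finish, so a lost connection is reported as success. */
rlm_rcode_t cacheable_groupobj_buggy(ldap_handle_t **pconn, bool bind_fails)
{
    rlm_rcode_t rcode = RLM_MODULE_OK;
    switch (search_model(pconn, bind_fails)) {
    case LDAP_PROC_SUCCESS:   break;
    case LDAP_PROC_NO_RESULT: /* intentional fall-through, as on the page */
    default:                  goto finish;
    }
finish:
    return rcode;   /* still RLM_MODULE_OK although *pconn may be NULL */
}

/* Hardened shape (assumed approach): an empty result is still not an error,
 * but LDAP_PROC_ERROR (and anything unexpected) becomes RLM_MODULE_FAIL. */
rlm_rcode_t cacheable_groupobj_fixed(ldap_handle_t **pconn, bool bind_fails)
{
    rlm_rcode_t rcode = RLM_MODULE_OK;
    switch (search_model(pconn, bind_fails)) {
    case LDAP_PROC_SUCCESS:   break;
    case LDAP_PROC_NO_RESULT: goto finish;
    case LDAP_PROC_ERROR:     /* connection is gone: say so */
    default:                  rcode = RLM_MODULE_FAIL; goto finish;
    }
finish:
    return rcode;
}

/* Model of the mod_authorize call site: it only dereferences conn when the
 * group lookup reported OK. Returns true if conn->handle would have faulted. */
bool authorize_would_crash(bool use_fixed, bool bind_fails)
{
    ldap_handle_t h = { 1 };
    ldap_handle_t *conn = &h;
    rlm_rcode_t rc = use_fixed ? cacheable_groupobj_fixed(&conn, bind_fails)
                               : cacheable_groupobj_buggy(&conn, bind_fails);
    if (rc != RLM_MODULE_OK) return false;  /* caller stops here, no deref */
    return conn == NULL;                    /* OK was returned with a NULL conn */
}
```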

spbnick added a commit to spbnick/freeradius-server that referenced this issue Mar 29, 2017:

208681c Handle connection error in rlm_ldap_cacheable_groupobj
Closes #1951


spbnick commented Mar 29, 2017

Here are some log fragments that seem to show the issue occurring (server restarting after segfault):

Mon Mar 20 10:26:40 2017 : Error: rlm_ldap (ldap): Bind with uid=scrubbed,ou=scrubbed,dc=scrubbed,dc=scrubbed to ldap://scrubbed.com:389 failed: Timed out while waiting for server to respond
Mon Mar 20 10:26:40 2017 : Error: rlm_ldap (ldap): Opening connection failed (7)
Mon Mar 20 10:26:40 2017 : Error: rlm_ldap (ldap): Bind with uid=scrubbed,ou=scrubbed,dc=scrubbed,dc=scrubbed to ldap://scrubbed.com:389 failed: Timed out while waiting for server to respond
Mon Mar 20 10:26:40 2017 : Error: rlm_ldap (ldap): Opening connection failed (8)
Mon Mar 20 10:26:40 2017 : Error: rlm_ldap (ldap): Bind with uid=scrubbed,ou=scrubbed,dc=scrubbed,dc=scrubbed to ldap://scrubbed.com:389 failed: Timed out while waiting for server to respond
Mon Mar 20 10:26:40 2017 : Error: rlm_ldap (ldap): Failed to reconnect (0), no free connections are available
Mon Mar 20 10:26:40 2017 : Info: rlm_ldap (ldap): Opening additional connection (9), 5 of 30 pending slots used
Mon Mar 20 10:30:01 2017 : Error: Cannot update core dump limit: Operation not permitted
Mon Mar 20 10:30:01 2017 : Info: Core dumps are enabled

Wed Mar  1 11:13:02 2017 : Error: rlm_ldap (ldap): Bind with uid=scrubbed,ou=scrubbed,dc=scrubbed,dc=scrubbed to ldap://scrubbed.com:389 failed: Can't contact LDAP server
Wed Mar  1 11:13:02 2017 : Error: rlm_ldap (ldap): Failed to reconnect (7), no free connections are available
Wed Mar  1 11:13:02 2017 : Error: Cannot update core dump limit: Operation not permitted
Wed Mar  1 11:13:02 2017 : Info: Core dumps are enabled

alandekok added a commit that referenced this issue Mar 29, 2017:

e49b639 Handle connection error in rlm_ldap_cacheable_groupobj (spbnick + alandekok)
Closes #1951

alandekok closed this in ba385f0 Mar 29, 2017
