Rentrancy violation in auth_krb5.c kills mupdate

[brong]

From: paul r turgyan
Bugzilla-Id: 2705
Version: 2.2.x
Owner: Ken Murchison

[brong]

From: paul r turgyan

There is a reentrancy violation in auth_krb5 when used in a multi-threaded
application like the mupdater. At auth_krb5.c line 97 is a static
pointer that is being returned to the caller. This pointer points to
a malloc'd buffer that is freed and possibly re-malloc'd. The problem
happens when one thread frees the buffer that was previously returned
to a different thread. When this happens, you'll see a core file with a
stack backtrace like:

(gdb) bt
#0 0x403195d8 in strcmp () at strcmp:-1
#1 0x0806f340 in auth_memberof (auth_state=0x41f15678,
identifier=0xbf1f9f9c "imap/mail.umich.edu") at auth_krb5.c:83
#2 0x0805c8a9 in global_authisa (authstate=0x41f15678, opt=IMAPOPT_ZERO)
at global.c:335
#3 0x0805cf7b in mysasl_proxy_policy (conn=0x820a5c8, context=0x0,
requested_user=0x820aed8 "imap/test.mail.umich.edu", rlen=24,
auth_identity=0x820afd9 "imap/test.mail.umich.edu", alen=24,
def_realm=0x0, urlen=0, propctx=0x81f9958) at global.c:539
#4 0x4002767e in do_authorization (s_conn=0x820a5c8) at server.c:1160
#5 0x40027c8f in sasl_server_step (conn=0x820a5c8, clientin=0x0,
clientinlen=65, serverout=0xbf1fa480, serveroutlen=0x0) at server.c:1417
#6 0x0805dcfe in saslserver (conn=0x820a5c8, mech=0x0,
init_resp=0x820a5c8 "\001", resp_prefix=0x8093c61 "",
continuation=0x8093c61 "", empty_chal=0x8093c61 "", pin=0x81f1500,
pout=0x81fd9d8, sasl_result=0xbf1ffa34, success_data=0x0)
at saslserver.c:134
#7 0x0804f18a in cmd_authenticate (C=0x0, tag=0x41fc6300 "A01",
mech=0x820a5c8 "\001", clientstart=0x0) at mupdate.c:1365
#8 0x0804dbc7 in docmd (c=0x8210b58) at mupdate.c:675
#9 0x0804ec0a in thread_main (rock=0x0) at mupdate.c:1235
#10 0x40255d03 in pthread_start_thread (arg=0xbf1ffbe0) at manager.c:300

I can reproduce this problem using 2 backends, a mupdater, and a
client machine. On the client machine I start up 2 cyradm processes.
Each cyradm process tries to create about 350,000 mailboxes. After
a couple of hours you would find a mupdate core file.

This is how I fixed this problem. In cmd_authenticate I added the
usual mutex locks.

*** mupdate.c- Fri Dec 17 11:32:16 2004
--- mupdate.c Thu Sep 8 09:57:56 2005

---

*** 1361,1368 ****
--- 1361,1370 ----
{
int r, sasl_result;

• pthread_mutex_lock(&mailboxes_mutex); /* LOCK */
  r = saslserver(C->saslconn, mech, clientstart, "", "", "",
               C->pin, C->pout, &sasl_result, NULL);
  

• pthread_mutex_unlock(&mailboxes_mutex); /* UNLOCK */
  
  if (r) {
    const char *errorstring = NULL;
  

[brong]

Attachment-Id: 386
From: Ken Murchison
Type: text/plain
File: mupdate.patch

Alternate (more localized) patch

[brong]

From: Ken Murchison

*** This bug has been marked as a duplicate of 2720 ***