
LDAP authentication causes panic on the server #14350

Closed
arcenik opened this issue Mar 3, 2022 · 15 comments
Labels
auth/ldap bug Used to indicate a potential bug ui

Comments

@arcenik

arcenik commented Mar 3, 2022

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Authenticate on a browser https://vault-server:8200/ui/vault/auth?with=ldap
  2. Enter login/password
  3. See error
2022-03-03T10:20:44.422Z [INFO]  http2: panic serving web-browser-ip:59056: runtime error: invalid memory address or nil pointer dereference
goroutine 966427941 [running]:
net/http.(*http2serverConn).runHandler.func1()
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/h2_bundle.go:5825 +0x125
panic({0x444c960, 0x89940e0})
/opt/hostedtoolcache/go/1.17.2/x64/src/runtime/panic.go:1038 +0x215
github.com/hashicorp/go-sockaddr.(*UnixSock).Contains(0xc00243bba0, {0x5edd260, 0xc00243bd40})
<autogenerated>:1 +0x33
github.com/hashicorp/vault/sdk/helper/cidrutil.RemoteAddrIsOk({0xc0024507e0, 0x5e66ff0}, {0xc00243bb40, 0x4, 0xc00243bae0})
/home/runner/work/vault/vault/sdk/helper/cidrutil/cidr.go:27 +0xaf
github.com/hashicorp/vault/builtin/credential/ldap.(*backend).pathLogin(0xc0017f2be8, {0x5e66ff0, 0xc00127c930}, 0xc001225380, 0x7f2514518fd8)
/home/runner/work/vault/vault/builtin/credential/ldap/path_login.go:68 +0x11f
github.com/hashicorp/vault/helper/mfa.(*backend).wrapLoginHandler.func1({0x5e66ff0, 0xc00127c930}, 0x4e478e8, 0x6)
/home/runner/work/vault/vault/helper/mfa/mfa.go:69 +0x3f
github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0xc0019b4ea0, {0x5e66ff0, 0xc00127c930}, 0xc001225380)
/home/runner/work/vault/vault/sdk/framework/backend.go:278 +0x7ed
github.com/hashicorp/vault/builtin/plugin.(*PluginBackend).HandleRequest.func1()
/home/runner/work/vault/vault/builtin/plugin/backend.go:199 +0x3a
github.com/hashicorp/vault/builtin/plugin.(*PluginBackend).lazyLoadBackend(0xc0011aa7d0, {0x5e66ff0, 0xc00127c930}, {0x5e688e0, 0xc0010d8c40}, 0xc0010288a8)
/home/runner/work/vault/vault/builtin/plugin/backend.go:162 +0x19d
github.com/hashicorp/vault/builtin/plugin.(*PluginBackend).HandleRequest(0xc000b8abc8, {0x5e66ff0, 0xc00127c930}, 0xc000c086dc)
/home/runner/work/vault/vault/builtin/plugin/backend.go:197 +0x86
github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc0006f9a40, {0x5e66ff0, 0xc00127c930}, 0xc001225380, 0x0)
/home/runner/work/vault/vault/vault/router.go:708 +0x15ec
github.com/hashicorp/vault/vault.(*Router).Route(...)
/home/runner/work/vault/vault/vault/router.go:505
github.com/hashicorp/vault/vault.(*Core).doRouting(0xc0012203f0, {0x5e66ff0, 0xc00127c930}, 0xc001a8a620)
/home/runner/work/vault/vault/vault/request_handling.go:741 +0x2c
github.com/hashicorp/vault/vault.(*Core).handleLoginRequest(0xc000466c00, {0x5e66ff0, 0xc00127c930}, 0xc001225380)
/home/runner/work/vault/vault/vault/request_handling.go:1223 +0xb39
github.com/hashicorp/vault/vault.(*Core).handleCancelableRequest(0xc000466c00, {0x5e66ff0, 0xc00127c8d0}, 0xc001225380)
/home/runner/work/vault/vault/vault/request_handling.go:607 +0x1034
github.com/hashicorp/vault/vault.(*Core).switchedLockHandleRequest(0xc000466c00, {0x5e66ff0, 0xc000c68a20}, 0xc001225380, 0x40)
/home/runner/work/vault/vault/vault/request_handling.go:442 +0x4a5
github.com/hashicorp/vault/vault.(*Core).HandleRequest(...)
/home/runner/work/vault/vault/vault/request_handling.go:408
github.com/hashicorp/vault/http.request(0x4911d40, {0x5e18b30, 0xc000c68630}, 0xc0010c0600, 0xc001225380)
/home/runner/work/vault/vault/http/handler.go:865 +0x86
github.com/hashicorp/vault/http.handleLogicalInternal.func1({0x5e18b30, 0xc000c68630}, 0xc0010c0600)
/home/runner/work/vault/vault/http/logical.go:341 +0xb6
net/http.HandlerFunc.ServeHTTP(0xc000466c00, {0x5e18b30, 0xc000c68630}, 0xc000767200)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2046 +0x2f
github.com/hashicorp/vault/http.handleRequestForwarding.func1({0x5e18b30, 0xc000c68630}, 0xc0010c0600)
/home/runner/work/vault/vault/http/handler.go:799 +0x45f
net/http.HandlerFunc.ServeHTTP(0xc000e956c8, {0x5e18b30, 0xc000c68630}, 0x0)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2046 +0x2f
net/http.(*ServeMux).ServeHTTP(0x5e0bdf0, {0x5e18b30, 0xc000c68630}, 0xc0010c0600)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2424 +0x149
github.com/hashicorp/vault/http.wrapHelpHandler.func1({0x5e18b30, 0xc000c68630}, 0xc0010c0600)
/home/runner/work/vault/vault/http/help.go:23 +0x129
net/http.HandlerFunc.ServeHTTP(0xc0018f8ec0, {0x5e18b30, 0xc000c68630}, 0xc000e95778)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2046 +0x2f
github.com/hashicorp/vault/http.wrapCORSHandler.func1({0x5e18b30, 0xc000c68630}, 0xc000e95838)
/home/runner/work/vault/vault/http/cors.go:29 +0x6e4
net/http.HandlerFunc.ServeHTTP(0xc000466c00, {0x5e18b30, 0xc000c68630}, 0xc001f4a5a0)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2046 +0x2f
github.com/hashicorp/vault/http.rateLimitQuotaWrapping.func1({0x5e18b30, 0xc000c68630}, 0xc0010c0600)
/home/runner/work/vault/vault/http/util.go:97 +0x9d0
net/http.HandlerFunc.ServeHTTP(0xc00127c660, {0x5e18b30, 0xc000c68630}, 0x8a30498)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2046 +0x2f
github.com/hashicorp/vault/http.wrapGenericHandler.func1({0x5e25df0, 0xc001fab8e0}, 0xc00086ff00)
/home/runner/work/vault/vault/http/handler.go:377 +0xc3d
net/http.HandlerFunc.ServeHTTP(0xc000c086d8, {0x5e25df0, 0xc001fab8e0}, 0xc00125dc01)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2046 +0x2f
github.com/hashicorp/go-cleanhttp.PrintablePathCheckHandler.func1({0x5e25df0, 0xc001fab8e0}, 0xc00086ff00)
/home/runner/go/pkg/mod/github.com/hashicorp/go-cleanhttp@v0.5.2/handlers.go:42 +0x98
net/http.HandlerFunc.ServeHTTP(0x0, {0x5e25df0, 0xc001fab8e0}, 0x5e66f80)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2046 +0x2f
net/http.serverHandler.ServeHTTP({0x0}, {0x5e25df0, 0xc001fab8e0}, 0xc00086ff00)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2878 +0x43b
net/http.initALPNRequest.ServeHTTP({{0x5e66ff0, 0xc0021da120}, 0xc001bff500, {0xc0000d81c0}}, {0x5e25df0, 0xc001fab8e0}, 0xc00086ff00)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:3479 +0x245
net/http.(*http2serverConn).runHandler(0x5e14a68, 0x8a30498, 0x0, 0x0)
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/h2_bundle.go:5832 +0x78
created by net/http.(*http2serverConn).processHeaders
/opt/hostedtoolcache/go/1.17.2/x64/src/net/http/h2_bundle.go:5562 +0x510

After a restart/unseal it no longer crashes, but I have this error instead

Authentication failed: TypeError: s is undefined

Environment:

  • Vault Server Version (retrieve with vault status): 1.9.1
  • Vault CLI Version (retrieve with vault version): 1.9.1
  • Server Operating System/Architecture: CentOS 7.9.2009

Vault server configuration file(s):

# Paste your Vault config here.
# Be sure to scrub any sensitive values

Additional context
Add any other context about the problem here.

@arcenik
Author

arcenik commented Mar 3, 2022

After update to 1.9.3 I have a new error

Authentication failed: missing client token

@arcenik
Author

arcenik commented Mar 3, 2022

On the Vault server, a tcpdump capture shows no LDAP(S) traffic at all when trying to authenticate

# tcpdump -i ens192 -nn port 389 or 636
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes

@swayne275
Contributor

Hi, thanks for calling this out. Can you tell me more about the difference between 1.9.1 and 1.9.3 behavior? I checked the 1.9.2 and 1.9.3 changelogs and don't see a bug fix called out for this, so I want to differentiate between "panic is gone, new issue arose" and "new issue arose that prevents us from getting to where the panic occurs".

Thanks!

@swayne275 swayne275 added auth/ldap bug Used to indicate a potential bug ui waiting-for-response labels Mar 3, 2022
@arcenik
Author

arcenik commented Mar 3, 2022

It looks like the token_bound_cidrs was configured incorrectly (using the web interface). The CIDRs were quoted "12.34.56.00/24" instead of 12.34.56.00/24.

After the 1.9.1->1.9.3 upgrade the LDAP auth was no longer present and had to be re-created (using a root token from the unseal key).

@arcenik
Author

arcenik commented Mar 4, 2022

Here is a PoC

package main

import (
	"fmt"

	sockaddr "github.com/hashicorp/go-sockaddr"
	"github.com/hashicorp/vault/sdk/helper/cidrutil"
)

func main() {
	// The bound CIDR exactly as it was stored through the web UI: a quoted
	// string, which is not a valid IPv4/IPv6 CIDR.
	sa, err := sockaddr.NewSockAddr("\"12.34.56.0/24\"")
	if err != nil {
		panic(err)
	}
	sam := &sockaddr.SockAddrMarshaler{SockAddr: sa}

	// RemoteAddrIsOk calls Contains on the stored bound CIDR; this is the call
	// that panics with a nil pointer dereference.
	res := cidrutil.RemoteAddrIsOk("12.34.56.78", []*sockaddr.SockAddrMarshaler{sam})
	fmt.Printf("res: %v\n", res) // %v rather than %b: res is a bool
}

The result

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x5444be]

goroutine 1 [running]:
github.com/hashicorp/go-sockaddr.(*UnixSock).Contains(0xc0000a42c0, 0x5d4f80, 0xc0000a4320, 0xc0000a4320)
        <autogenerated>:1 +0x2e
github.com/hashicorp/vault/sdk/helper/cidrutil.RemoteAddrIsOk(0x5a308c, 0xb, 0xc0000d1f38, 0x1, 0x1, 0x0)
        /mnt/d/Temp/vaultbug/src/github.com/hashicorp/vault/sdk/helper/cidrutil/cidr.go:27 +0xad
main.main()
        /mnt/d/Temp/vaultbug/main.go:14 +0xc4

@swayne275
Contributor

Thanks! This was very helpful. I've tracked down what's causing the issue and put up a PR (which is subject to review)

@arcenik
Author

arcenik commented Mar 10, 2022

Are you sure? This issue is not about Unix sockets.

@swayne275
Contributor

swayne275 commented Mar 10, 2022

The PoC that you gave winds up in a panic due to unix socket not implementing the interface (on my machine)

edit: I'm not saying that's the entirety of the issue, just that this is a panic that was generated along the way

@arcenik
Author

arcenik commented Mar 10, 2022

So "12.34.56.0/24" is interpreted as a unix socket?

@swayne275
Contributor

swayne275 commented Mar 10, 2022

On my machine (macOS 12) running Vault 1.9.3 it is.

The panics that you included in this issue are also on a UnixSock.

@arcenik
Author

arcenik commented Mar 10, 2022

It does not crash anymore but the result is still wrong

@swayne275
Contributor

So is the next part of the issue that the address shouldn't be quoted?

@arcenik
Author

arcenik commented Mar 10, 2022

It should be validated more properly. It should be refused when you configure auth/ldap with this kind of data.
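As an added example (not Vault's code and not from this thread), the configuration-time validation asked for here, next to a lookup that fails closed: it is written against the Go standard library instead of go-sockaddr, so a quoted entry such as "12.34.56.0/24" with the quotes included is rejected before it can be stored. The empty-list-means-unrestricted behaviour of RemoteAddrIsOk is assumed to mirror cidrutil's function of the same name.

```go
package main

import (
	"fmt"
	"net"
)

// ValidateBoundCIDRs parses each token_bound_cidrs entry with the standard
// library and rejects anything that is not a plain IPv4/IPv6 CIDR, so a
// quoted entry like "\"12.34.56.0/24\"" is refused when the auth method is
// configured rather than stored and dereferenced on the login path.
func ValidateBoundCIDRs(entries []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(entries))
	for _, entry := range entries {
		_, ipnet, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR entry %q: %w", entry, err)
		}
		nets = append(nets, ipnet)
	}
	return nets, nil
}

// RemoteAddrIsOk reports whether remoteAddr (a bare IP or host:port) lies in one
// of the validated networks; an empty list means unrestricted (assumption), and
// an unparseable remote address fails closed.
func RemoteAddrIsOk(remoteAddr string, nets []*net.IPNet) bool {
	if len(nets) == 0 {
		return true
	}
	host := remoteAddr
	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	_, err := ValidateBoundCIDRs([]string{`"12.34.56.0/24"`})
	fmt.Println("quoted entry rejected:", err)
}
```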

@swayne275
Contributor

Thanks for pointing it out! For now we'll fix the crash, and we'll take some time to discuss and figure out the best course of action.

@arcenik
Author

arcenik commented May 21, 2024

It looks like it has been fixed.

@arcenik arcenik closed this as completed May 21, 2024