-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Segfault in XrdSecProtocolgsi::AuthzFunCheck() if AuthzFun fails #595
Comments
Thanks for reporting this issue. Can you reproduce this issue reliably, and if yes, does reverting to 4.6.1 fixes the problem? xrootd/src/XrdSecgsi/XrdSecProtocolgsi.cc Line 1903 in a9430a2
|
I've opened this issue on behalf of CMS site T2_US_Florida. After upgrading to 4.7.0, they reported frequent segfaults at the same offset (XrdSecProtocolgsi.cc#L1558). They downgraded back to 4.6.1 and the service runs normally. |
OK, thanks :-) |
I think that this part of code from 4.6.1: xrootd/src/XrdSecgsi/XrdSecProtocolgsi.cc Lines 1907 to 1913 in a9430a2
corresponds to this one from 4.7.0: xrootd/src/XrdSecgsi/XrdSecProtocolgsi.cc Lines 1865 to 1870 in e8755d4
In 4.7.0 the lines that remove the entry after deletion from cache disappeared (also the new XrdSutCache doesn't have the Remove method ;-). |
A check on the entry validity was misplaced. Should fix issue xrootd#595 .
Hi, |
The PR fixes the problem in my test-bed. |
@jthiltges : any news? |
Marian is working toward an OSG build of xrootd that can hopefully be tested at Florida. Thank you both. |
Fix for segfault in cache checking (issue #595)
A check on the entry validity was misplaced. Should fix issue #595 .
I'd like to engage Florida to test this where we originally discovered the issue. While RC1 should cover fix for this particular issue I'd prefer to move on to OSG build from RC2 coming this week (?) which should include even more (interesting) patches. That way I save one iteration asking Florida update to RC1 and right after that to RC2. Is that acceptable we wait for RC2 or are you insisting on the testing of RC1? By the time we know results of RC1 testing there will be RC2 out of the door I believe. |
If it's a hassle for you then don't bother with RC1, as I tested it in my test-bed I have a high degree of confidence in this patch ;-) I can wait few more days for confirmation :-) |
A check on the entry validity was misplaced. Should fix issue xrootd#595 .
Any news? (preferably good news ;-) |
As far as I understood the conversation in #606, we can close this one. |
After updating from xrootd 4.6 to 4.7.0, a site using GSI authentication with LCMAPS and GUMS reported xrootd segfaults:
Source line: https://github.com/xrootd/xrootd/blob/771dbc31b2/src/XrdSecgsi/XrdSecProtocolgsi.cc#L1558
Looking at the core file, the variable notafter (e->buf2.buf) was null, and accessing the null pointer triggered the segfault:
My guess as to what's happening in XrdSecProtocolgsi::Authenticate():
buf2 is free()d and then there happens to be a failure in the AuthzFun LCMAPS callout. Authenticate() breaks out of the block and buf2 is never reassigned. A later authorization call with the same DN will retrieve the same cache entry and trigger the segfault in AuthzFunCheck().
This guess is supported by log entries of "ERROR: the authorization plug-in reported a failure for this handshake" shortly before the segfaults.
I'm not sure of the best place to fix it. Maybe just "if (e && e->buf2.buf)" in AuthzFunCheck(), similar to the recent fix in QueryProxyCheck()?
The text was updated successfully, but these errors were encountered: