Date:      Wed, 18 Dec 2002 02:46:45 +0200
From:      Arkadi Shishlov <arkadi@hosting.lv>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/46338: cyrus-sasl-1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
Message-ID:  <E18OSMH-000CrN-00@idea.hosting.lv>


>Number:         46338
>Category:       ports
>Synopsis:       cyrus-sasl-1.5.27_7 mysql_verify_password() segfaults and supplies wrong connection parameters to mysql_connect
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 17 16:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Arkadi Shishlov
>Release:        FreeBSD 4.6.2-RELEASE i386
>Organization:
>Environment:
System: FreeBSD idea.hosting.lv 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #0: Mon Aug 19 20:10:07 EEST 2002 root@idea.hosting.lv:/usr/src/sys/compile/idea i386


>Description:

Take a look at the following snippet of code from cyrus-sasl/lib/checkpw.c
patched with MySQL authentication:

static int mysql_verify_password(sasl_conn_t *conn,
                                 const char *userid,
                                 const char *password,
                                 const char *service __attribute__((unused)),
                                 const char *user_realm __attribute__((unused)),
                                 const char **reply)
{
[...]
    cur_host = db_host;
    while ( cur_host != NULL || sock == NULL) {
        db_host = strchr(db_host,',');
        if ( db_host != NULL ) {
            db_host[0] = 0x00;
            /* loop till we find some text */
            while (!isalnum(db_host[0]) )
                db_host++;
        }
        sock = mysql_connect(&mysql,db_host,db_user,db_passwd);
        cur_host = db_host;
    }
[...]

db_host is a string, "localhost" for example. At the first while() pass, strchr()
returns NULL, so mysql_connect() is called with db_host == NULL. Bad. It is OK
when db_host == "localhost", because a NULL value is a special case meaning "localhost"
for mysql_connect(). Consider there is no database at localhost, or db_host was not
"localhost" but "db.domain.com". mysql_connect() fails to connect and sock == NULL.
db_host == NULL. The while() condition is still true and strchr() is called on a NULL value.
Segfault. This 'parser' is horribly broken.

>How-To-Repeat:
Set up some software that uses SASL for authentication, for example Cyrus-IMAP.
Set it up to use MySQL and supply some invalid values in the config to be sure
mysql_connect() cannot connect to that destination. Try to log in; the IMAP
daemon will segfault.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
