BUG: Garbage in output buffer when using canonuser_plugin: ldapdb, patch included
Paweł Tomulik
ptomulik at meil.pw.edu.pl
Sat Oct 13 07:35:54 EDT 2012
W dniu 13.10.2012 13:29, Howard Chu pisze:
> Paweł Tomulik wrote:
>> Hi,
>>
>> I found that there is problem with ldap-based username canonicalization
>> (at least in cyrus-sasl-2.1.25).
>>
>> [...] In the current version
>> the canonicalization will go as follows:
>>
>> original login: 12345678 at example.tld
>> canonical val: 1234 at example.com
>> result from sasl: 1234 at example.com.tld
>>
>> What is wrong here is, that in current version of cyrus-sasl the result
>> buffer
>> contains garbage at end (the extra '.tld' above). Someone forgot to
>> append
>> trailing '\0' to the end of string.
>>
>> I attach a patch which fixes the issue.
>
> Seems to me the bug is elsewhere. The return value from this function
> explicitly provides the length of the result. The caller should be
> honoring the length, and not assuming the value is NUL-terminated.
>
You may be right, but note than '\0' is appended each time the 'buf' is
modified
in this function except this one place. I don't know how the caller is
supposed to
use the canon_user functionality. I found this bug when tried to use
canon_user
and saslauthd (for authentication). The "garbage" was found in saslauthd
logs
(or /var/log/auth.log, I don't remember at this moment).
--
Pawel Tomulik
More information about the Cyrus-sasl
mailing list