Multiple crashes in cyrus-imapd-3.0.1 (httpd)

Ken Murchison murch at andrew.cmu.edu
Wed May 10 12:46:52 EDT 2017 

My recommendation is to NOT use HTTP Digest since its deployment in 
current clients is a non-interoperable mess.  I actually regret that I 
ever attempted to support it in Cyrus HTTP.


On 05/09/2017 06:30 AM, Fritz Elfert wrote:
> Hello everyone,
>
> Last week I decided to give cyrus-imap v3.0.1 a try because I wanted to play with CalDAV and CardDAV).
> My mail server runs Fedora24 and I used the distro packages (cyrus-imapd-2.4.18-2.fc24 and
> cyrus-sasl-2.1.26-26.2.fc24) until now.
>
> Since fedora does not provide a cyrus-imapd 3.x package yet, I rolled my own which can be
> inspected (build logs) and downloaded here:
>
> https://build.opensuse.org/package/show/home:felfert/cyrus-imapd
>
> Unfortunately, the first attempt of accessing the administrative URLs for CalDAV resp. CardDAV
> immediately resulted in a crash of httpd where it logged the following error message before crashing:
>
> Failed to set SASL property
>
> Grepping thru the code, I quickly identified two possible locations in httpd.c, Furthermore, while
> reading the code the following suspicious line in httpd.c did stand out:
>
> secprops->maxbufsize = 0;                           /* don't need maxbuf */
>
> After commenting-out this line the new httpd went a little bit further, but still crashed (now with
> a division-by-zero). Performing a post-mortem debug session on the coredump revealed the following:
>
> ============================================================== gdb session ============================================
>
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> Core was generated by `httpd -s'.
> Program terminated with signal SIGFPE, Arithmetic exception.
> #0  digestmd5_server_mech_step1 (stext=0x562c55c68b70, sparams=0x562c55c2c670, serverout=0x7fff0678d7f0, serveroutlen=0x7fff0678d7e8,     oparams=<optimized out>, clientinlen=<optimized out>, clientin=<optimized out>) at digestmd5.c:2119
> 2119            unsigned val = hash((char *) nonce) % text->reauth->size;
> (gdb) p text->reauth->size
> $1 = 0
> (gdb) p text->reauth
> $2 = (reauth_cache_t *) 0x562c55c07300
> (gdb) p text
> $3 = (context_t *) 0x562c55c68b70
> (gdb) p sparams
> $4 = (sasl_server_params_t *) 0x562c55c2c670
> (gdb) p *sparams
> $5 = {service = 0x562c55c2c760 "HTTP", appname = 0x562c55c2cad0 "Cyrus", serverFQDN = 0x562c55c2c8c0 "fsun.fe.think", user_realm = 0x0,   iplocalport = 0x562c55c2db34 "192.168.2.17;50443", ipremoteport = 0x562c55c2df55 "192.168.2.25;51652", servicelen = 4, applen = 5, slen = 13,   urlen = 0, iploclen = 18, ipremlen = 18, log_level = 1, utils = 0x562c55c2c8e0, callbacks = 0x0, props = {min_ssf = 128, max_ssf = 0,     maxbufsize = 4096, security_flags = 17, property_names = 0x0, property_values = 0x0}, external_ssf = 128, transition = 0x0,   canon_user = 0x7f38701b59d0 <_sasl_canon_user_lookup>, propctx = 0x562c55c2ca90, gss_creds = 0x0, cbinding = 0x0,   http_request = 0x7fff0678d7f0, spare_ptr4 = 0x0, spare_fptr1 = 0x0, spare_fptr2 = 0x0, spare_int1 = 0, spare_int2 = 0, spare_int3 = 0,   flags = 20, param_version = 0}
> (gdb) p *stext
> $6 = {common = {state = 1, i_am = SERVER, http_mode = 16, reauth = 0x562c55c07300, authid = 0x0, realm = 0x562c55c66d30 "fsun.fe.think",     nonce = 0x0, nonce_count = 0, cnonce = 0x0, realms = 0x0, realm_cnt = 0, response_value = 0x0, seqnum = 0, rec_seqnum = 0,     Ki_send = '\000' <repeats 16 times>, Ki_receive = '\000' <repeats 16 times>, HA1 = '\000' <repeats 16 times>, utils = 0x0,     out_buf = 0x562c55c672e0 "nonce=\"1Udc9hC0Ylt73aZl4Un7Te62r/VLOGdwf4VM7P7vFQM=\",realm=\"fsun.fe.think\",qop=\"auth\",maxbuf=4096,charset=utf-8,algorithm=md5-sess", out_buf_len = 216, enc_in_buf = 0x0, encode_buf = 0x0, decode_buf = 0x0, decode_packet_buf = 0x0, encode_buf_len = 0,     decode_buf_len = 0, decode_packet_buf_len = 0, decode_context = {utils = 0x0, needsize = 0, sizebuf = "\000\000\000", size = 0,       buffer = 0x0, cursize = 0, in_maxbuf = 0}, cipher_enc = 0x0, cipher_dec = 0x0, cipher_init = 0x0, cipher_free = 0x0,     cipher_enc_context = 0x0, cipher_dec_context = 0x0}, timestamp = 0, stale = 0, limitssf = 0, requiressf = 0}
> (gdb) p text
> $7 = (context_t *) 0x562c55c68b70
> (gdb) p *text
> $8 = {state = 1, i_am = SERVER, http_mode = 16, reauth = 0x562c55c07300, authid = 0x0, realm = 0x562c55c66d30 "fsun.fe.think", nonce = 0x0,   nonce_count = 0, cnonce = 0x0, realms = 0x0, realm_cnt = 0, response_value = 0x0, seqnum = 0, rec_seqnum = 0,   Ki_send = '\000' <repeats 16 times>, Ki_receive = '\000' <repeats 16 times>, HA1 = '\000' <repeats 16 times>, utils = 0x0,   out_buf = 0x562c55c672e0 "nonce=\"1Udc9hC0Ylt73aZl4Un7Te62r/VLOGdwf4VM7P7vFQM=\",realm=\"fsun.fe.think\",qop=\"auth\",maxbuf=4096,charset=utf-8,algorithm=md5-sess", out_buf_len = 216, enc_in_buf = 0x0, encode_buf = 0x0, decode_buf = 0x0, decode_packet_buf = 0x0, encode_buf_len = 0,   decode_buf_len = 0, decode_packet_buf_len = 0, decode_context = {utils = 0x0, needsize = 0, sizebuf = "\000\000\000", size = 0, buffer = 0x0,     cursize = 0, in_maxbuf = 0}, cipher_enc = 0x0, cipher_dec = 0x0, cipher_init = 0x0, cipher_free = 0x0, cipher_enc_context = 0x0,   cipher_dec_context = 0x0}
> (gdb) p *text->reauth
> $9 = {i_am = SERVER, timeout = 0, mutex = 0x0, size = 0, e = 0x0}
> (gdb)
> ============================================================== gdb session end ============================================
>
> The logical fix was to skip reauth, if text->reauth->size is <= 0
>
> After applying this fix to cyrus-sasl, the whole thing now starts working correctly :-)
>
> I will provide PR's on github for both problems asap.
> The corresponding patches for the RPMs can be found here:
>
> https://build.opensuse.org/package/view_file/home:felfert/cyrus-imapd/cyrus-imapd-3.0.1-httpdcrash.patch?expand=1
>
> https://build.opensuse.org/package/view_file/home:felfert/cyrus-sasl/cyrus-sasl-2.1.26-fixdivbyzero.patch?expand=1
>
> BTW:
> The second crash is clearly a bug in cyrus-sasl, but regarding the first one:
>
> ***It would be interesting to know, what the original author of that suspicious line in httpd.c had intended.***
>
> The following is pure speculation but during examination of code in cyrus-sasl's digestmd5.c,
> I stubled over a comment which *may* be related:
>      /*
>       * maxbuf A number indicating the size of the largest buffer the server
>       * is able to receive when using "auth-int". If this directive is
>       * missing, the default value is 65536. This directive may appear at most
>       * once; if multiple instances are present, the client should abort the
>       * authentication exchange.
>       */
>
> Cheers
>   -Fritz
>

-- 
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University

More information about the Cyrus-devel mailing list