BUG: Garbage in output buffer when using canonuser_plugin: ldapdb, patch included

Paweł Tomulik ptomulik at meil.pw.edu.pl
Sat Oct 13 07:35:54 EDT 2012


On 13.10.2012 13:29, Howard Chu wrote:
> Paweł Tomulik wrote:
>> Hi,
>>
>> I found that there is a problem with ldap-based username canonicalization
>> (at least in cyrus-sasl-2.1.25).
>>
>> [...]  In the current version
>> the canonicalization will go as follows:
>>
>> original login:   12345678 at example.tld
>> canonical val:    1234 at example.com
>> result from sasl: 1234 at example.com.tld
>>
>> What is wrong here is that in the current version of cyrus-sasl the result
>> buffer contains garbage at the end (the extra '.tld' above). Someone forgot
>> to append a trailing '\0' to the end of the string.
>>
>> I attach a patch which fixes the issue.
>
> Seems to me the bug is elsewhere. The return value from this function 
> explicitly provides the length of the result. The caller should be 
> honoring the length, and not assuming the value is NUL-terminated.
>

You may be right, but note that '\0' is appended each time the 'buf' is modified
in this function except in this one place. I don't know how the caller is supposed to
use the canon_user functionality. I found this bug when I tried to use canon_user
and saslauthd (for authentication). The "garbage" was found in saslauthd logs
(or /var/log/auth.log, I don't remember at this moment).

-- 
Pawel Tomulik
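
The symptom discussed in this thread, reduced to a stand-alone C program (an added example, not part of the original message and not cyrus-sasl code). It assumes the output buffer still holds the longer original login when the shorter canonical name is copied in; `canon_copy` and `seen_by_strlen` are hypothetical names, and the addresses are the report's sample values with `@` restored.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a canon_user callback: writes the canonical
 * name into out and reports its length in *out_len. With terminate == 0
 * it reproduces the behaviour described in the report (no trailing NUL). */
static int canon_copy(const char *canon, char *out, size_t out_max,
                      size_t *out_len, int terminate)
{
    size_t n = strlen(canon);
    if (n + 1 > out_max)
        return -1;                 /* no room for value plus NUL */
    memcpy(out, canon, n);
    if (terminate)
        out[n] = '\0';             /* the one-line fix from the report */
    *out_len = n;
    return 0;
}

/* Canonicalizes into a buffer that still holds the original login
 * (assumed), then returns the length a strlen()-based caller would see. */
static size_t seen_by_strlen(int terminate, char *buf, size_t buf_max,
                             size_t *reported_len)
{
    snprintf(buf, buf_max, "%s", "12345678@example.tld");
    if (canon_copy("1234@example.com", buf, buf_max,
                   reported_len, terminate) != 0)
        return 0;
    return strlen(buf);
}

int main(void)
{
    char buf[64];
    size_t len = 0;

    seen_by_strlen(0, buf, sizeof buf, &len);
    printf("unterminated, as C string:   %s\n", buf);
    /* A caller that honours the returned length is unaffected. */
    printf("unterminated, length-bound:  %.*s\n", (int)len, buf);

    seen_by_strlen(1, buf, sizeof buf, &len);
    printf("terminated,   as C string:   %s\n", buf);
    return 0;
}
```

Both positions in the thread hold here: terminating in the callee and honouring the length in the caller each remove the stale tail, and doing both is the defensive choice.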


