Hello everyone,

Last week I decided to give cyrus-imap v3.0.1 a try because I wanted to play with CalDAV and CardDAV. My mail server runs Fedora 24 and I used the distro packages (cyrus-imapd-2.4.18-2.fc24 and cyrus-sasl-2.1.26-26.2.fc24) until now.
Since Fedora does not provide a cyrus-imapd 3.x package yet, I rolled my own, which can be inspected (build logs) and downloaded here:

https://build.opensuse.org/package/show/home:felfert/cyrus-imapd

Unfortunately, the first attempt at accessing the administrative URLs for CalDAV and CardDAV respectively immediately resulted in a crash of httpd, where it logged the following error message before crashing:

Failed to set SASL property

Grepping through the code, I quickly identified two possible locations in httpd.c. Furthermore, while reading the code, the following suspicious line in httpd.c stood out:

secprops->maxbufsize = 0; /* don't need maxbuf */

After commenting out this line the new httpd went a little bit further, but still crashed (now with a division by zero). Performing a post-mortem debug session on the coredump revealed the following:

============================================================== gdb session ============================================
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `httpd -s'.
Program terminated with signal SIGFPE, Arithmetic exception.
#0  digestmd5_server_mech_step1 (stext=0x562c55c68b70, sparams=0x562c55c2c670, serverout=0x7fff0678d7f0, serveroutlen=0x7fff0678d7e8, oparams=<optimized out>, clientinlen=<optimized out>, clientin=<optimized out>) at digestmd5.c:2119
2119        unsigned val = hash((char *) nonce) % text->reauth->size;
(gdb) p text->reauth->size
$1 = 0
(gdb) p text->reauth
$2 = (reauth_cache_t *) 0x562c55c07300
(gdb) p text
$3 = (context_t *) 0x562c55c68b70
(gdb) p sparams
$4 = (sasl_server_params_t *) 0x562c55c2c670
(gdb) p *sparams
$5 = {service = 0x562c55c2c760 "HTTP", appname = 0x562c55c2cad0 "Cyrus", serverFQDN = 0x562c55c2c8c0 "fsun.fe.think", user_realm = 0x0, iplocalport = 0x562c55c2db34 "192.168.2.17;50443", ipremoteport = 0x562c55c2df55 "192.168.2.25;51652", servicelen = 4, applen = 5, slen = 13, urlen = 0, iploclen = 18, ipremlen = 18, log_level = 1, utils = 0x562c55c2c8e0, callbacks = 0x0, props = {min_ssf = 128, max_ssf = 0, maxbufsize = 4096, security_flags = 17, property_names = 0x0, property_values = 0x0}, external_ssf = 128, transition = 0x0, canon_user = 0x7f38701b59d0 <_sasl_canon_user_lookup>, propctx = 0x562c55c2ca90, gss_creds = 0x0, cbinding = 0x0, http_request = 0x7fff0678d7f0, spare_ptr4 = 0x0, spare_fptr1 = 0x0, spare_fptr2 = 0x0, spare_int1 = 0, spare_int2 = 0, spare_int3 = 0, flags = 20, param_version = 0}
(gdb) p *stext
$6 = {common = {state = 1, i_am = SERVER, http_mode = 16, reauth = 0x562c55c07300, authid = 0x0, realm = 0x562c55c66d30 "fsun.fe.think", nonce = 0x0, nonce_count = 0, cnonce = 0x0, realms = 0x0, realm_cnt = 0, response_value = 0x0, seqnum = 0, rec_seqnum = 0, Ki_send = '\000' <repeats 16 times>, Ki_receive = '\000' <repeats 16 times>, HA1 = '\000' <repeats 16 times>, utils = 0x0, out_buf = 0x562c55c672e0 "nonce=\"1Udc9hC0Ylt73aZl4Un7Te62r/VLOGdwf4VM7P7vFQM=\",realm=\"fsun.fe.think\",qop=\"auth\",maxbuf=4096,charset=utf-8,algorithm=md5-sess", out_buf_len = 216, enc_in_buf = 0x0, encode_buf = 0x0, decode_buf = 0x0, decode_packet_buf = 0x0, encode_buf_len = 0, decode_buf_len = 0, decode_packet_buf_len = 0, decode_context = {utils = 0x0, needsize = 0, sizebuf = "\000\000\000", size = 0, buffer = 0x0, cursize = 0, in_maxbuf = 0}, cipher_enc = 0x0, cipher_dec = 0x0, cipher_init = 0x0, cipher_free = 0x0, cipher_enc_context = 0x0, cipher_dec_context = 0x0}, timestamp = 0, stale = 0, limitssf = 0, requiressf = 0}
(gdb) p text
$7 = (context_t *) 0x562c55c68b70
(gdb) p *text
$8 = {state = 1, i_am = SERVER, http_mode = 16, reauth = 0x562c55c07300, authid = 0x0, realm = 0x562c55c66d30 "fsun.fe.think", nonce = 0x0, nonce_count = 0, cnonce = 0x0, realms = 0x0, realm_cnt = 0, response_value = 0x0, seqnum = 0, rec_seqnum = 0, Ki_send = '\000' <repeats 16 times>, Ki_receive = '\000' <repeats 16 times>, HA1 = '\000' <repeats 16 times>, utils = 0x0, out_buf = 0x562c55c672e0 "nonce=\"1Udc9hC0Ylt73aZl4Un7Te62r/VLOGdwf4VM7P7vFQM=\",realm=\"fsun.fe.think\",qop=\"auth\",maxbuf=4096,charset=utf-8,algorithm=md5-sess", out_buf_len = 216, enc_in_buf = 0x0, encode_buf = 0x0, decode_buf = 0x0, decode_packet_buf = 0x0, encode_buf_len = 0, decode_buf_len = 0, decode_packet_buf_len = 0, decode_context = {utils = 0x0, needsize = 0, sizebuf = "\000\000\000", size = 0, buffer = 0x0, cursize = 0, in_maxbuf = 0}, cipher_enc = 0x0, cipher_dec = 0x0, cipher_init = 0x0, cipher_free = 0x0, cipher_enc_context = 0x0, cipher_dec_context = 0x0}
(gdb) p *text->reauth
$9 = {i_am = SERVER, timeout = 0, mutex = 0x0, size = 0, e = 0x0}
(gdb)
============================================================== gdb session end ============================================

The logical fix was to skip reauth if text->reauth->size is <= 0. After applying this fix to cyrus-sasl, the whole thing now starts working correctly :-)

I will provide PRs on GitHub for both problems asap.
The corresponding patches for the RPMs can be found here:

https://build.opensuse.org/package/view_file/home:felfert/cyrus-imapd/cyrus-imapd-3.0.1-httpdcrash.patch?expand=1
https://build.opensuse.org/package/view_file/home:felfert/cyrus-sasl/cyrus-sasl-2.1.26-fixdivbyzero.patch?expand=1

BTW: The second crash is clearly a bug in cyrus-sasl, but regarding the first one: ***It would be interesting to know what the original author of that suspicious line in httpd.c had intended.***

The following is pure speculation, but during examination of the code in cyrus-sasl's digestmd5.c, I stumbled over a comment which *may* be related:

/*
 * maxbuf A number indicating the size of the largest buffer the server
 * is able to receive when using "auth-int". If this directive is
 * missing, the default value is 65536. This directive may appear at most
 * once; if multiple instances are present, the client should abort the
 * authentication exchange.
 */

Cheers
-Fritz
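The crash in the backtrace above comes down to one expression, `hash(nonce) % text->reauth->size`, evaluated with `size == 0`. The following C model is an added example, not Fritz's patch and not cyrus-sasl's code: it keeps the two field names visible in the gdb dump (`size`, `e`) but the struct layout, the FNV-1a hash, and every helper name (`reauth_bucket`, `reauth_store`, `reauth_lookup`, `demo_*`) are assumptions made for the illustration. It places the unguarded bucket selection next to a guarded version that reports "no cache, skip reauth" instead of dividing by zero, and exercises both the empty-cache case from the coredump and a normal store/lookup round-trip.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the reauth cache seen in the gdb dump
 * ({..., size = 0, e = 0x0}). Only `size` and `e` come from the dump;
 * the rest of this layout is an assumption for the example. */
typedef struct {
    char *nonce;             /* server nonce this entry belongs to */
    unsigned nonce_count;    /* last nonce-count value seen for it */
} reauth_entry_t;

typedef struct {
    unsigned size;           /* number of buckets; 0 when reauth is off */
    reauth_entry_t *e;       /* bucket array; NULL when size == 0 */
} reauth_cache_t;

/* FNV-1a over the nonce string; stands in for digestmd5.c's hash(). */
static unsigned hash_nonce(const char *s)
{
    unsigned h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Small strdup replacement so the example needs no POSIX feature macro. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* The "before": bucket = hash % size, exactly the shape of the crashing
 * line. With size == 0 this is undefined behaviour and raises SIGFPE on
 * x86, so it must never be reached with an empty cache. */
static int reauth_bucket_unguarded(const reauth_cache_t *c, const char *nonce)
{
    return (int)(hash_nonce(nonce) % c->size);
}

/* The "after": -1 means "no usable cache, skip reauth entirely". */
static int reauth_bucket(const reauth_cache_t *c, const char *nonce)
{
    if (c == NULL || c->e == NULL || c->size == 0)
        return -1;
    return (int)(hash_nonce(nonce) % c->size);
}

/* Remember a nonce. Returns 1 if stored, 0 if reauth is disabled. */
static int reauth_store(reauth_cache_t *c, const char *nonce)
{
    int b = reauth_bucket(c, nonce);
    if (b < 0)
        return 0;
    free(c->e[b].nonce);
    c->e[b].nonce = dup_str(nonce);
    c->e[b].nonce_count = 0;
    return 1;
}

/* Find a nonce. Returns its nonce_count, or -1 if absent or disabled. */
static int reauth_lookup(const reauth_cache_t *c, const char *nonce)
{
    int b = reauth_bucket(c, nonce);
    if (b < 0 || c->e[b].nonce == NULL || strcmp(c->e[b].nonce, nonce) != 0)
        return -1;
    return (int)c->e[b].nonce_count;
}

/* Scenario from the coredump: cache struct present, size 0, no buckets.
 * Returns 1 when the guarded path skips reauth instead of faulting. */
int demo_empty_cache(void)
{
    reauth_cache_t disabled = { 0, NULL };
    const char *nonce = "constructed-nonce-value";   /* constructed input */
    return reauth_store(&disabled, nonce) == 0
        && reauth_lookup(&disabled, nonce) == -1;
}

/* Normal case: an 8-bucket cache. Returns 1 when store/lookup round-trip
 * and the guarded and unguarded selectors agree on a non-empty cache. */
int demo_enabled_cache(void)
{
    reauth_entry_t buckets[8];
    reauth_cache_t enabled = { 8, buckets };
    const char *nonce = "constructed-nonce-value";   /* constructed input */
    int ok, i;
    memset(buckets, 0, sizeof buckets);
    ok = reauth_store(&enabled, nonce) == 1
      && reauth_lookup(&enabled, nonce) == 0
      && reauth_lookup(&enabled, "some-other-nonce") == -1
      && reauth_bucket(&enabled, nonce) == reauth_bucket_unguarded(&enabled, nonce);
    for (i = 0; i < 8; i++)
        free(buckets[i].nonce);
    return ok;
}

int main(void)
{
    printf("empty cache skips reauth: %s\n", demo_empty_cache() ? "yes" : "no");
    printf("enabled cache round-trip: %s\n", demo_enabled_cache() ? "ok" : "FAIL");
    return 0;
}
```

In this model `size` is unsigned, so the guard is written as `size == 0`; the dump above shows only the value 0, not the field's type, so whether a `<= 0` or `== 0` comparison is the right spelling in the real library is not something the coredump alone settles. The point the example makes is the placement of the check: it belongs in the single bucket-selection helper that every reauth path goes through, so that no caller can reach the modulo with an empty cache.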