Hello everyone,
Last week I decided to give cyrus-imap v3.0.1 a try because I wanted to play
with CalDAV and CardDAV).
My mail server runs Fedora24 and I used the distro packages
(cyrus-imapd-2.4.18-2.fc24 and
cyrus-sasl-2.1.26-26.2.fc24) until now.
Since fedora does not provide a cyrus-imapd 3.x package yet, I rolled my own
which can be
inspected (build logs) and downloaded here:
https://build.opensuse.org/package/show/home:felfert/cyrus-imapd
Unfortunately, the first attempt of accessing the administrative URLs for
CalDAV resp. CardDAV
immediately resulted in a crash of httpd where it logged the following error
message before crashing:
Failed to set SASL property
Grepping thru the code, I quickly identified two possible locations in httpd.c,
Furthermore, while
reading the code the following suspicious line in httpd.c did stand out:
secprops->maxbufsize = 0; /* don't need maxbuf */
After commenting-out this line the new httpd went a little bit further, but
still crashed (now with
a division-by-zero). Performing a post-mortem debug session on the coredump
revealed the following:
============================================================== gdb session
============================================
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `httpd -s'.
Program terminated with signal SIGFPE, Arithmetic exception.
#0 digestmd5_server_mech_step1 (stext=0x562c55c68b70, sparams=0x562c55c2c670,
serverout=0x7fff0678d7f0, serveroutlen=0x7fff0678d7e8, oparams=<optimized out>,
clientinlen=<optimized out>, clientin=<optimized out>) at digestmd5.c:2119
2119 unsigned val = hash((char *) nonce) % text->reauth->size;
(gdb) p text->reauth->size
$1 = 0
(gdb) p text->reauth
$2 = (reauth_cache_t *) 0x562c55c07300
(gdb) p text
$3 = (context_t *) 0x562c55c68b70
(gdb) p sparams
$4 = (sasl_server_params_t *) 0x562c55c2c670
(gdb) p *sparams
$5 = {service = 0x562c55c2c760 "HTTP", appname = 0x562c55c2cad0 "Cyrus", serverFQDN = 0x562c55c2c8c0
"fsun.fe.think", user_realm = 0x0, iplocalport = 0x562c55c2db34 "192.168.2.17;50443", ipremoteport =
0x562c55c2df55 "192.168.2.25;51652", servicelen = 4, applen = 5, slen = 13, urlen = 0, iploclen = 18, ipremlen = 18,
log_level = 1, utils = 0x562c55c2c8e0, callbacks = 0x0, props = {min_ssf = 128, max_ssf = 0, maxbufsize = 4096, security_flags =
17, property_names = 0x0, property_values = 0x0}, external_ssf = 128, transition = 0x0, canon_user = 0x7f38701b59d0
<_sasl_canon_user_lookup>, propctx = 0x562c55c2ca90, gss_creds = 0x0, cbinding = 0x0, http_request = 0x7fff0678d7f0, spare_ptr4
= 0x0, spare_fptr1 = 0x0, spare_fptr2 = 0x0, spare_int1 = 0, spare_int2 = 0, spare_int3 = 0, flags = 20, param_version = 0}
(gdb) p *stext
$6 = {common = {state = 1, i_am = SERVER, http_mode = 16, reauth = 0x562c55c07300, authid = 0x0, realm = 0x562c55c66d30 "fsun.fe.think", nonce
= 0x0, nonce_count = 0, cnonce = 0x0, realms = 0x0, realm_cnt = 0, response_value = 0x0, seqnum = 0, rec_seqnum = 0, Ki_send = '\000' <repeats 16
times>, Ki_receive = '\000' <repeats 16 times>, HA1 = '\000' <repeats 16 times>, utils = 0x0, out_buf = 0x562c55c672e0
"nonce=\"1Udc9hC0Ylt73aZl4Un7Te62r/VLOGdwf4VM7P7vFQM=\",realm=\"fsun.fe.think\",qop=\"auth\",maxbuf=4096,charset=utf-8,algorithm=md5-sess",
out_buf_len = 216, enc_in_buf = 0x0, encode_buf = 0x0, decode_buf = 0x0, decode_packet_buf = 0x0, encode_buf_len = 0, decode_buf_len = 0,
decode_packet_buf_len = 0, decode_context = {utils = 0x0, needsize = 0, sizebuf = "\000\000\000", size = 0, buffer = 0x0, cursize = 0,
in_maxbuf = 0}, cipher_enc = 0x0, cipher_dec = 0x0, cipher_init = 0x0, cipher_free = 0x0, cipher_enc_context = 0x0, cipher_dec_context = 0x0}, timestamp
= 0, stale = 0, limitssf = 0, requiressf = 0}
(gdb) p text
$7 = (context_t *) 0x562c55c68b70
(gdb) p *text
$8 = {state = 1, i_am = SERVER, http_mode = 16, reauth = 0x562c55c07300, authid = 0x0, realm = 0x562c55c66d30 "fsun.fe.think", nonce = 0x0,
nonce_count = 0, cnonce = 0x0, realms = 0x0, realm_cnt = 0, response_value = 0x0, seqnum = 0, rec_seqnum = 0, Ki_send = '\000' <repeats 16 times>,
Ki_receive = '\000' <repeats 16 times>, HA1 = '\000' <repeats 16 times>, utils = 0x0, out_buf = 0x562c55c672e0
"nonce=\"1Udc9hC0Ylt73aZl4Un7Te62r/VLOGdwf4VM7P7vFQM=\",realm=\"fsun.fe.think\",qop=\"auth\",maxbuf=4096,charset=utf-8,algorithm=md5-sess",
out_buf_len = 216, enc_in_buf = 0x0, encode_buf = 0x0, decode_buf = 0x0, decode_packet_buf = 0x0, encode_buf_len = 0, decode_buf_len = 0,
decode_packet_buf_len = 0, decode_context = {utils = 0x0, needsize = 0, sizebuf = "\000\000\000", size = 0, buffer = 0x0, cursize = 0,
in_maxbuf = 0}, cipher_enc = 0x0, cipher_dec = 0x0, cipher_init = 0x0, cipher_free = 0x0, cipher_enc_context = 0x0, cipher_dec_context = 0x0}
(gdb) p *text->reauth
$9 = {i_am = SERVER, timeout = 0, mutex = 0x0, size = 0, e = 0x0}
(gdb)
============================================================== gdb session end
============================================
The logical fix was to skip reauth, if text->reauth->size is <= 0
After applying this fix to cyrus-sasl, the whole thing now starts working
correctly :-)
I will provide PR's on github for both problems asap.
The corresponding patches for the RPMs can be found here:
https://build.opensuse.org/package/view_file/home:felfert/cyrus-imapd/cyrus-imapd-3.0.1-httpdcrash.patch?expand=1
https://build.opensuse.org/package/view_file/home:felfert/cyrus-sasl/cyrus-sasl-2.1.26-fixdivbyzero.patch?expand=1
BTW:
The second crash is clearly a bug in cyrus-sasl, but regarding the first one:
***It would be interesting to know, what the original author of that suspicious
line in httpd.c had intended.***
