Source: nss-pam-ldapd
Version: 0.9.7-2
Severity: normal
Tags: upstream
Hi
The issue was found under the following precondition:
On Debian Stretch server, with pam configured to use pam_ldap from
nss-pam-ldapd:
[...]
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=100 use_first_pass
[...]
The sshd_config contains UseDNS=yes (changed from default).
A user now logging in from remote via SSH, with a host resolving to a FQDN
longer than 64 bytes and using password authentication, triggers the
following:
Feb 12 16:41:30 XXXXXXXX sshd[5563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.XXX.XXXXXXX.XXXXX.XXXXXXXXXXXXXX.XXX.XXXX.XXXXXXXX.XX user=XXXXX
Feb 12 16:41:30 XXXXXXXX nslcd[2282]: [54e2c3] client supplied argument 1 bytes too large
Feb 12 16:41:30 XXXXXXXX sshd[5563]: pam_ldap(sshd:auth): error reading from nslcd: Connection reset by peer
Feb 12 16:41:31 XXXXXXXX sshd[5563]: Failed password for XXXXX from XXX.XXX.XXX.XXX port 4324 ssh2
Feb 12 16:41:31 XXXXXXXX sshd[5563]: Connection closed by authenticating user XXXXX XXX.XXX.XXX.XXX port 4324 [preauth]
Looking closer at what happens, the issue seems to be raised in nslcd/pam.c:
263 /* check authentication credentials of the user */
264 int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
265 {
266 int32_t tmpint32;
267 int rc;
268 char username[BUFLEN_NAME], service[BUFLEN_NAME], ruser[BUFLEN_NAME], rhost[BUFLEN_HOSTNAME], tty[64];
269 char password[BUFLEN_PASSWORD];
270 const char *userdn;
271 MYLDAP_ENTRY *entry;
272 int authzrc = NSLCD_PAM_SUCCESS;
273 char authzmsg[BUFLEN_MESSAGE];
274 authzmsg[0] = '\0';
275 /* read request parameters */
276 READ_STRING(fp, username);
277 READ_STRING(fp, service);
278 READ_STRING(fp, ruser);
279 READ_STRING(fp, rhost);
280 READ_STRING(fp, tty);
281 READ_STRING(fp, password);
on line 279, where the rhost is read from fp into the rhost buffer. On a Debian
system BUFLEN_HOSTNAME will be only 64 (nslcd/common.h):
28 #include <limits.h>
[...]
153 /* fallback definition of HOST_NAME_MAX */
154 #ifndef HOST_NAME_MAX
155 #ifdef _POSIX_HOST_NAME_MAX
156 #define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
157 #else
158 #define HOST_NAME_MAX 255
159 #endif /* _POSIX_HOST_NAME_MAX */
160 #endif /* not HOST_NAME_MAX */
161
162 /* common buffer lengths */
163 #define BUFLEN_NAME 256 /* user, group names and such */
164 #define BUFLEN_SAFENAME 300 /* escaped name */
165 #define BUFLEN_PASSWORD 128 /* passwords */
166 #define BUFLEN_PASSWORDHASH 256 /* passwords hashes */
167 #define BUFLEN_DN 512 /* distinguished names */
168 #define BUFLEN_SAFEDN 600 /* escapedd dn */
169 #define BUFLEN_FILTER 4096 /* search filters */
170 #define BUFLEN_HOSTNAME (HOST_NAME_MAX + 1) /* host names (+ escaped) */
171 #define BUFLEN_MESSAGE 1024 /* message strings */
In pam/pam.c itself:
293 /* perform an authentication call over nslcd */
294 static int nslcd_request_authc(pam_handle_t *pamh, struct pld_cfg *cfg,
295 const char *username, const char *service,
296 const char *ruser, const char *rhost,
297 const char *tty, const char *passwd,
298 struct nslcd_resp *authc_resp,
299 struct nslcd_resp *authz_resp)
300 {
301 PAM_REQUEST(
302 NSLCD_ACTION_PAM_AUTHC,
303 /* log debug message */
304 pam_syslog(pamh, LOG_DEBUG, "nslcd authentication; user=%s", username),
305 /* write the request parameters */
306 WRITE_STRING(fp, username);
307 WRITE_STRING(fp, service);
308 WRITE_STRING(fp, ruser);
309 WRITE_STRING(fp, rhost);
310 WRITE_STRING(fp, tty);
311 WRITE_STRING(fp, passwd),
312 /* read the result entry */
313 READ_PAM_CODE(fp, authc_resp->res);
314 READ_STRING(fp, authc_resp->msg); /* user name */
315 /* if we want the authorisation response, save it, otherwise skip it */
316 if (authz_resp != NULL)
317 {
318 READ_PAM_CODE(fp, authz_resp->res);
319 READ_STRING(fp, authz_resp->msg);
320 }
321 else
322 {
323 SKIP(fp, sizeof(int32_t));
324 SKIP_STRING(fp);
325 }
326 )
327 }
And in our case we had a FQDN hostname one byte larger than
nslcd_pam_authc could handle for rhost.
According at least to https://tools.ietf.org/html/rfc1035#section-2.3.1
and the further clarification in
https://tools.ietf.org/html/rfc2181#section-11, rhost (considering full
domain names) should probably be limited to 255.
I'm not sure how to correctly fix it.
Regards,
Salvatore
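To make the buffer arithmetic in the report concrete, here is an added, stand-alone model of the exchange (example code, not nss-pam-ldapd's own). It assumes the WRITE_STRING/READ_STRING framing is an int32 length followed by the bytes, that the reader rejects any value that does not leave room for the terminating NUL, and that glibc's HOST_NAME_MAX is 64; the rhost in the log above is 65 characters, which is exactly the case the model rejects.

```c
#include <stdint.h>
#include <string.h>

/* Assumed values: glibc HOST_NAME_MAX on Linux, and the RFC 1035/2181 limit. */
#define HOST_NAME_MAX_GLIBC 64
#define BUFLEN_HOSTNAME_OLD  (HOST_NAME_MAX_GLIBC + 1)  /* what nslcd uses today */
#define BUFLEN_HOSTNAME_FQDN (255 + 1)                  /* a full domain name + NUL */

struct stream { const unsigned char *buf; size_t len, pos; };

/* Client side (pam/pam.c WRITE_STRING, assumed framing): int32 length, then bytes. */
size_t write_string(unsigned char *out, size_t cap, const char *s) {
    int32_t n = (int32_t)strlen(s);
    if (cap < sizeof n + (size_t)n) return 0;
    memcpy(out, &n, sizeof n);
    memcpy(out + sizeof n, s, (size_t)n);
    return sizeof n + (size_t)n;
}

/* Server side (nslcd READ_STRING, assumed): the value must fit in dst with its NUL.
   On failure nslcd logs "client supplied argument N bytes too large" and closes
   the connection, which pam_ldap then reports as "Connection reset by peer". */
int read_string(struct stream *st, char *dst, size_t dstlen) {
    int32_t n;
    if (st->len - st->pos < sizeof n) return -1;
    memcpy(&n, st->buf + st->pos, sizeof n);
    st->pos += sizeof n;
    if (n < 0 || (size_t)n >= dstlen) return -1;     /* too large for the buffer */
    if (st->len - st->pos < (size_t)n) return -1;    /* truncated message */
    memcpy(dst, st->buf + st->pos, (size_t)n);
    dst[n] = '\0';
    st->pos += (size_t)n;
    return 0;
}

/* Does an rhost of hostlen bytes survive the round trip into a bufsize buffer?
   Returns 1 if authentication would proceed, 0 if nslcd would drop the request. */
int rhost_fits(size_t hostlen, size_t bufsize) {
    char host[300], dst[300];            /* constructed sample, all 'a' characters */
    unsigned char wire[320];
    struct stream st;
    if (hostlen >= sizeof host || bufsize > sizeof dst) return 0;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    st.buf = wire;
    st.len = write_string(wire, sizeof wire, host);
    st.pos = 0;
    return read_string(&st, dst, bufsize) == 0;
}
```

With the current 65-byte buffer a 64-character rhost passes and a 65-character one is refused; sizing the buffer for a 255-character name accepts every RFC-conformant FQDN and still rejects anything longer.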