Bugzilla – Bug 6149
SEGFAULT in oldgaa_globus_read_string()
Last modified: 2008-08-11 14:51:00
pcontext->buf is (pcontext->buflen + 1) bytes long but is not specifically null terminated. So it bombs in the call to sscanf() on my system.

[jalt@blitzkrieg source-trees]$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 5)
[jalt@blitzkrieg source-trees]$ rpm -qf /usr/lib/libc.so
glibc-devel-2.3.4-2.36

I would appreciate any hints on how to avoid this bug. I assume there's a way since I hadn't seen it before I started calling gsi_init_sec_context() directly instead of using the globus_ftp_control() libraries.

Package Information:

[jalt@blitzkrieg 1.28]$ gpt-query -file=/home/jalt/uberftp-1.92/lib/libglobus_oldgaa_gcc32dbg.a
/lib/libglobus_oldgaa_gcc32dbg.a is owned by globus_gsi_callback-gcc32dbg-dev
[jalt@blitzkrieg 1.28]$ gpt-query -name=globus_gsi_callback
2 packages were found in /home/jalt/uberftp-1.92/ that matched your query:
packages found that matched your query
globus_gsi_callback-gcc32dbg-dev pkg version: 0.26.0
globus_gsi_callback-gcc32dbg-rtl pkg version: 0.26.0

Example showing the unterminated buffer:

(gdb) print &pcontext->buf[0]
$5 = 0xe0fa00 "# New NCSA CA Policy\n \naccess_id_CA X509 '/C=US/O=National Center for Supercomputing Applications/CN=Certification Authority'\npos_rights globus CA:sign\ncond_subjects globus '/C=US/O=Nation"...
(gdb) print pcontext->buflen
$6 = 245
(gdb) print strlen(pcontext->buf)
$7 = 268

Stack trace. 0-3 omitted, they are calls to strlen() within gdb after the segfault.

#4 0x009ce630 in rawmemchr () from /lib/tls/libc.so.6
#5 0x009c38e5 in _IO_str_init_static_internal () from /lib/tls/libc.so.6
#6 0x009b87cd in vsscanf () from /lib/tls/libc.so.6
#7 0x009b39fb in sscanf () from /lib/tls/libc.so.6
#8 0x00b33b8f in oldgaa_globus_read_string (pcontext=0x2f6420, str=0x2f5d00 "´ÆÙí\002\030/G`z\225±Îì\v+<Nau\212 ·Ïè\002\0359Vt\223³ÄÖéý\022(?Wp\212¥ÁÞü\033;L^q\205\232°Çßø\022-If\204£ÃÔæù\r\"8Og\200\232µÑî\f+K\\n\201\225ªÀ×ï\b\"=Yv\224³Óäö\t\0352H_w\220ªÅáþ\034;[l~\221¥ºÐçÿ\0302Mi\206¤Ããô\006\031-BXo\207 ºÕñ\016,Kk|\216¡µÊà÷\017(B]y\226´Óó\004\026)=Rh\177\227°Êå\001\036<[{\214\236±ÅÚð\a\0378Rm\211¦Äã\003\024&9Mbx\217§"..., errstring=0x0) at globus_oldgaa_utils.c:625
#9 0x00b33af1 in oldgaa_globus_help_read_string (pcontext=0x2f6420, str=0x2f5d00 "´ÆÙí\002\030/G`z\225±Îì\v+<Nau\212 ·Ïè\002\0359Vt\223³ÄÖéý\022(?Wp\212¥ÁÞü\033;L^q\205\232°Çßø\022-If\204£ÃÔæù\r\"8Og\200\232µÑî\f+K\\n\201\225ªÀ×ï\b\"=Yv\224³Óäö\t\0352H_w\220ªÅáþ\034;[l~\221¥ºÐçÿ\0302Mi\206¤Ããô\006\031-BXo\207 ºÕñ\016,Kk|\216¡µÊà÷\017(B]y\226´Óó\004\026)=Rh\177\227°Êå\001\036<[{\214\236±ÅÚð\a\0378Rm\211¦Äã\003\024&9Mbx\217§"..., message=0xb3546c "parse principals: Empty policy") at globus_oldgaa_utils.c:574
#10 0x00b340bb in oldgaa_globus_parse_principals (pcontext=0x2f6420, policy=0xbfe6e174, tmp_str=0x8b5700 "", start=0xbfe6e13c, added_principal=0xbfe6e138) at globus_oldgaa_utils.c:976
#11 0x00b33eda in oldgaa_globus_parse_policy (pcontext=0x2f6420, policy_handle=0xbfe6e174) at globus_oldgaa_utils.c:815
#12 0x00b3367e in oldgaa_globus_policy_retrieve (minor_status=0xbfe6e1e0, object=0x0, policy_db=0x2c9640) at globus_oldgaa_utils.c:322
#13 0x00b30794 in oldgaa_get_object_policy_info (minor_status=0xbfe6e1e0, object=0x0, policy_db=0x2c9640, retrieve=0xb33623 <oldgaa_globus_policy_retrieve>, policy_handle=0xbfe6e1f8) at oldgaa_api.c:94
#14 0x00bba5aa in globus_i_gsi_callback_check_gaa_auth (x509_context=0xbfe6e370, callback_data=0x304440) at globus_gsi_callback.c:1238
#15 0x00bba2af in globus_i_gsi_callback_check_signing_policy (x509_context=0xbfe6e370, callback_data=0x304440) at globus_gsi_callback.c:1124
#16 0x00bb960b in globus_i_gsi_callback_cred_verify (preverify_ok=1, callback_data=0x304440, x509_context=0xbfe6e370) at globus_gsi_callback.c:740
#17 0x00bb9153 in globus_gsi_callback_handshake_callback (preverify_ok=1, x509_context=0xbfe6e370) at globus_gsi_callback.c:529
#18 0x004af9f9 in internal_verify (ctx=0xbfe6e370) at x509_vfy.c:776
#19 0x004aed0e in X509_verify_cert (ctx=0xbfe6e370) at x509_vfy.c:306
#20 0x00bb8efc in globus_gsi_callback_X509_verify_cert (context=0xbfe6e370, arg=0x0) at globus_gsi_callback.c:383
#21 0x001494a8 in ssl_verify_cert_chain (s=0x84a000, sk=0x2c1100) at ssl_cert.c:487
#22 0x001396e7 in ssl3_get_server_certificate (s=0x84a000) at s3_clnt.c:833
#23 0x0013859f in ssl3_connect (s=0x84a000) at s3_clnt.c:275
#24 0x00147e88 in SSL_do_handshake (s=0x84a000) at ssl_lib.c:1826
#25 0x00152740 in ssl_ctrl (b=0x304180, cmd=101, num=0, ptr=0x0) at bio_ssl.c:417
#26 0x00477424 in BIO_ctrl (b=0x304180, cmd=101, larg=0, parg=0x0) at bio_lib.c:324
#27 0x005f873e in globus_i_gsi_gss_handshake (minor_status=0xbfe6e704, context_handle=0x834380) at globus_i_gsi_gss_utils.c:848
#28 0x005f3b4f in gss_init_sec_context (minor_status=0xbfe6e770, initiator_cred_handle=0x90cc40, context_handle_P=0x55c584, target_name=0x2f37f0, mech_type=0x0, req_flags=16434, time_req=0, input_chan_bindings=0x0, input_token=0xbfe6e788, actual_mech_type=0x0, output_token=0xbfe6e780, ret_flags=0x0, time_rec=0x0) at init_sec_context.c:190

dump of pcontext:

(gdb) print *pcontext
$25 = {str = 0x2edf80 "not defined", parse_error = 0x2f3a10 "not defined", buf = 0xd62e00 "# New NCSA CA Policy\n \naccess_id_CA X509 '/C=US/O=National Center for Supercomputing Applications/CN=Certification Authority'\npos_rights globus CA:sign\ncond_subjects globus '/C=US/O=Nation"..., buflen = 245, index = 0}
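The defect the report describes is a buffer that is buflen + 1 bytes long with no guarantee that the spare byte holds a NUL, so strlen() and sscanf() read past it (strlen() returning 268 against a buflen of 245 is the tell). The following is an added example, not code from Globus or from the reporter: a hypothetical policy_ctx struct standing in for pcontext, a constructed sample policy text, the buggy loader next to the fixed one, and a bounded memchr() check that a parser can run before handing the buffer to sscanf().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the reporter's pcontext: a buffer that is
 * buflen + 1 bytes long and is expected to hold a C string. */
struct policy_ctx {
    char *buf;
    size_t buflen;
};

/* Constructed sample policy text; not the real NCSA CA policy. */
static const char SAMPLE_POLICY[] =
    "# sample CA policy\n"
    "access_id_CA X509 '/C=XX/O=Example/CN=Example CA'\n"
    "pos_rights globus CA:sign\n";

/* Buggy loader: copies len bytes into a len + 1 byte buffer but never writes
 * the terminating NUL. The memset stands in for stale heap data, so the
 * missing terminator shows up deterministically instead of depending on
 * what malloc() happened to leave in the spare byte. */
int load_policy_unterminated(struct policy_ctx *ctx, const char *src, size_t len)
{
    ctx->buf = malloc(len + 1);
    if (ctx->buf == NULL)
        return -1;
    memset(ctx->buf, 'X', len + 1);
    memcpy(ctx->buf, src, len);
    ctx->buflen = len;
    /* missing: ctx->buf[len] = '\0'; */
    return 0;
}

/* Fixed loader: same allocation, terminator written explicitly. */
int load_policy_terminated(struct policy_ctx *ctx, const char *src, size_t len)
{
    ctx->buf = malloc(len + 1);
    if (ctx->buf == NULL)
        return -1;
    memcpy(ctx->buf, src, len);
    ctx->buf[len] = '\0';
    ctx->buflen = len;
    return 0;
}

/* Bounded check: is there a NUL somewhere in the buflen + 1 bytes we own?
 * memchr() stops at the given length, whereas strlen() (as in the gdb
 * session in the report) walks past the end of an unterminated buffer. */
int policy_is_terminated(const struct policy_ctx *ctx)
{
    return memchr(ctx->buf, '\0', ctx->buflen + 1) != NULL;
}

/* Read the first whitespace-delimited token with a width-limited sscanf(),
 * the kind of call that crashed in the report. Only attempted once the
 * buffer is known to be terminated. Returns 0 on success, -1 otherwise. */
int read_first_word(const struct policy_ctx *ctx, char out[64])
{
    if (!policy_is_terminated(ctx))
        return -1;
    return sscanf(ctx->buf, "%63s", out) == 1 ? 0 : -1;
}

/* Exercise one loader end to end.
 * Returns 1 if the buffer is terminated and the first token parses,
 *         0 if the buffer is not terminated (parse refused),
 *        -1 on allocation failure or unexpected parse result. */
int check_loader(int use_fixed)
{
    struct policy_ctx ctx;
    char word[64];
    int rc;
    size_t len = strlen(SAMPLE_POLICY);

    rc = use_fixed ? load_policy_terminated(&ctx, SAMPLE_POLICY, len)
                   : load_policy_unterminated(&ctx, SAMPLE_POLICY, len);
    if (rc != 0)
        return -1;

    if (!policy_is_terminated(&ctx)) {
        free(ctx.buf);
        return 0;
    }
    rc = read_first_word(&ctx, word);
    free(ctx.buf);
    if (rc != 0 || strcmp(word, "#") != 0)
        return -1;
    return 1;
}

int main(void)
{
    printf("unterminated loader: %d\n", check_loader(0));
    printf("terminated loader:   %d\n", check_loader(1));
    return 0;
}
```

The check is deliberately done with memchr() rather than strlen(): a diagnostic that itself reads past the allocation would reproduce the crash instead of reporting it. In the buggy path the example refuses to call sscanf() at all, which is the behaviour a parser should have when it cannot prove its input is a C string.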
I should mention that this is 4.1.3. I see that 4.1.2 and earlier used fscanf(). So that's how I can avoid this bug.
I think this was fixed in CVS 2007-12-12 in the 4.0 branch and trunk. See http://viewcvs.globus.org/viewcvs.cgi/gsi/callback/source/library/oldgaa/globus_oldgaa_utils.c?r1=1.9&r2=1.10&pathrev=MAIN for the 4.1.x related patch.