Skip Menu |
 

From: Dominique Laigle <dlaigle@gmail.com>
Date: Tue, 1 Mar 2011 12:23:22 +0100
Subject: Kerberos 1.9 : Bug in LDAP plugin in libkdb_ldap
To: krb5-bugs@mit.edu
To: krb5-bugs@mit.edu

Subject: misspelled "Kerberos" in title of installation guide
From: dlaigle@gmail.com
Reply-To: dlaigle@gmail.com


Show quoted text
>Submitter-Id:  BULL Luxembourg
>Originator:    Dominique Laigle
>Organization:
BULL Luxembourg SA
Show quoted text
>Confidential:  no
>Synopsis:      Bug in kdb_ldap::ldap_err.c
>Severity:      critical
>Priority:      high
>Category:      krb5-kdc
>Class:         sw-bug
>Release:       1.9 stable
>Environment:
        <machine, os, target, libraries (multiple lines)>
     System: Solaris 10 (SPARC,x86) & AIX (5.3, 6.1)
     Machine: T52220
     Using OpenLDAP 2.4.23, Build 32 bit on Solaris, 64 bit on AIX,
both with gcc
     >Description:
             When principal names are badly formed, ending with "("
kdc loops on initiating new LDAP connection, which leads to saturate
slapd up to the max connections possible (and make it to ignore all
other incoming requests = DoS on LDAP)
     >How-To-Repeat:
             create badly formed principal name, say "foo(" and get
the TGT with kinit.
     >Fix:

*** Explanations

             All principal lookup ends up in LDAP_SEARCH_1 defined in
kdb_ldap.h:

#define LDAP_SEARCH_1(...)         \
    do {                                                                \
        st = ldap_search_ext_s(...); \
        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
            [...]
        }                                                               \
    } while (translate_ldap_error(st, OP_SEARCH) ==
KRB5_KDB_ACCESS_ERROR && tempst == 0);

1. So long "translate_ldap_error" returns KRB5_KDB_ACCESS_ERROR,
LDAP_SEARCH_1 will loop
   and initiate a new LDAP connection with "krb5_ldap_rebind".

2. When the filter is not correct - this appears when the principal
name ends with "(" -,  "ldap_search_ext_s" returns LDAP_FILTER_ERROR,
value "-7". The function  "translate_ldap_error" defined in ldap_err.c
doesn't catch this case and considers it as "LDAP_API_ERROR". Thus, in
our case of badly named principals, "translate_ldap_error" always
returns KRB5_KDB_ACCESS_ERROR making LDAP_SEARCH_1 to loop after
having initiated a new connection.

*** Fix proposal:
Change ldap_err.c making "translate_ldap_error" to return another
error than KRB5_KDB_ACCESS_ERROR.
I propose to add one statment forcing the return code to "No ENTRY" as
showed in the diff -u hereafter:

--- ldap_err.c.org      Tue Mar  1 11:39:36 2011
+++ ldap_err.c  Tue Mar  1 11:40:15 2011
@@ -139,6 +139,7 @@
             return KRB5_KDB_CONSTRAINT_VIOLATION;

     case LDAP_REFERRAL:
+    case LDAP_FILTER_ERROR:
         return KRB5_KDB_NOENTRY;

     case LDAP_ADMINLIMIT_EXCEEDED:


Regards

- Dominique Laigle
Thanks; this was already fixed in the patch for #6860 (which was for a set of related security
issues).