[Bug 1103353] [NEW] Invalid GnuTLS cipher suite strings causes libldap to crash

Launchpad Bug Tracker 1103353 at bugs.launchpad.net
Mon Mar 30 11:24:15 UTC 2015 

You have been subscribed to a public bug by Robie Basak (racb):

If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4
crashes due to a double free. GnuTLS is extremely picky about the cipher
suite strings it accepts; as a first measure, try LDAP cipher suite
string "SECURE256" or "NORMAL". If that stops the crash, then you have
encountered this bug.

Typically, the crash report begins with something like

*** glibc detected *** APPLICATION: double free or corruption (!prev)
/lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d]

The actual double free happens in
openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the
ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the error_exit: path.

The root cause of the double free is lack of GnuTLS return value checks
when calling gnutls_priority*() functions. The code simply assumes they
succeed, and when GnuTLS fails to provide a valid context due to those
failures, ldap_int_tls_init_ctx() tries to free the never-fully-
initialized context.

A simple fix is to create GnuTLS security contexts using the configured
cipher suite string, instead of "NORMAL" as
openldap/libraries/libldap/tls_g.c now does. If the cipher suite string
is invalid, then do not create the context at all. This is caught
earlier in ldap_int_tls_init_ctx(), and avoids the crash.

** Affects: openldap (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: openldap (Debian)
     Importance: Unknown
         Status: Fix Released


** Tags: patch
-- 
Invalid GnuTLS cipher suite strings causes libldap to crash
https://bugs.launchpad.net/bugs/1103353
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report.

More information about the Ubuntu-server-bugs mailing list