[Bug 1602813] Re: openvpn-auth-ldap causing segfault on network timeout
Andreas Hasenack
andreas at canonical.com
Tue Jun 20 14:32:57 UTC 2017
Configuration files for the client openvpn server. To be expanded inside
/etc.
Contents:
drwxr-xr-x root/root 0 2017-06-20 11:29 openvpn/
-rw------- root/root 1708 2017-04-19 18:07 openvpn/client.key
-rw-r--r-- root/root 1797 2017-04-19 18:07 openvpn/ca.crt
drwxr-xr-x root/root 0 2017-04-20 09:24 openvpn/client/
-rw-r--r-- root/root 5584 2017-04-19 18:07 openvpn/client.crt
drwxr-xr-x root/root 0 2017-02-10 16:16 openvpn/server/
-rw-r--r-- root/root 636 2017-04-19 17:11 openvpn/static.key
-rw-r--r-- root/root 244 2017-06-20 11:15 openvpn/client.conf
-rwxr-xr-x root/root 1301 2017-02-10 16:16 openvpn/update-resolv-conf
** Description changed:
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes
from ldap_result. As a result, it is not catching timeouts, and proceeds
as if ldap_result was successful. This results in a segfault when access
to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to
it. Having a service as a whole crash because of such an occurrence is
not acceptable.
This upload fixes the problem by simply including the timeout error case
in an existing check. It was clearly just an oversight in that one call,
as the remainder of the code does handle timeout errors. It was just
never reached.
[Test Case]
- To reproduce the problem, configure an openvpn server as usual with
- certificates and:
- - add the plugin configuration line:
- plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
- - in /etc/openvpn/ldap.conf:
- <LDAP>
- BindDN uid=john,ou=people,dc=example
- Password something
- URL ldap://localhost
- Timeout 1
- TLSEnable no
- FollowReferrals yes
- </LDAP>
- # no need for an <Authorization> section
- - start nc on port 389:
- nc -l -p 389
- - start the openvpn server
+ To reproduce the problem:
+ * install openvpn and openvpn-auth-ldap:
+ $ sudo apt install openvpn openvpn-auth-ldap
+
+ * expand the attached openvpn-test-server.tar.gz tarball inside /etc:
+ $ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
+
+ * start nc on port 389:
+ $ nc -l -p 389
+
+ * In another terminal, start the openvpn server:
+ $ sudo openvpn --config /etc/openvpn/server.conf
Next you will need an openvpn client, also configured with the SSL certs
- as usual, plus "auth-user-pass".
+ as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
- When you start this openvpn client, it will prompt you for username and
- password. The values you provide are irrelevant:
+ * Expand the client tarball in /etc:
+ $ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
+
+ * Edit /etc/openvpn/client.conf and change the "remote <hostname>" line
+ to point to your openvpn server's hostname
+
+ * Start the client:
+ $ sudo openvpn --config /etc/openvpn/client.conf
+
+
+ * It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
- root at trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
+ root at trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
-
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory.
** Attachment added: "openvpn-test-client.tar.gz"
https://bugs.launchpad.net/ubuntu/+source/openvpn-auth-ldap/+bug/1602813/+attachment/4899319/+files/openvpn-test-client.tar.gz
** Description changed:
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes
from ldap_result. As a result, it is not catching timeouts, and proceeds
as if ldap_result was successful. This results in a segfault when access
to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to
it. Having a service as a whole crash because of such an occurrence is
not acceptable.
This upload fixes the problem by simply including the timeout error case
in an existing check. It was clearly just an oversight in that one call,
as the remainder of the code does handle timeout errors. It was just
never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ nc -l -p 389
* In another terminal, start the openvpn server:
$ sudo openvpn --config /etc/openvpn/server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
+ * Install openvpn:
+ $ sudo apt install openvpn
+
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line
to point to your openvpn server's hostname
* Start the client:
$ sudo openvpn --config /etc/openvpn/client.conf
-
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root at trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory.
** Description changed:
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes
from ldap_result. As a result, it is not catching timeouts, and proceeds
as if ldap_result was successful. This results in a segfault when access
to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to
it. Having a service as a whole crash because of such an occurrence is
not acceptable.
This upload fixes the problem by simply including the timeout error case
in an existing check. It was clearly just an oversight in that one call,
as the remainder of the code does handle timeout errors. It was just
never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ nc -l -p 389
* In another terminal, start the openvpn server:
- $ sudo openvpn --config /etc/openvpn/server.conf
+ $ cd /etc/openvpn
+ $ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line
to point to your openvpn server's hostname
* Start the client:
- $ sudo openvpn --config /etc/openvpn/client.conf
+ $ cd /etc/openvpn
+ $ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
- root at trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
+ root at trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory.
** Description changed:
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes
from ldap_result. As a result, it is not catching timeouts, and proceeds
as if ldap_result was successful. This results in a segfault when access
to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to
it. Having a service as a whole crash because of such an occurrence is
not acceptable.
This upload fixes the problem by simply including the timeout error case
in an existing check. It was clearly just an oversight in that one call,
as the remainder of the code does handle timeout errors. It was just
never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
- $ nc -l -p 389
+ $ sudo nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line
to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root at trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory.
** Description changed:
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes
from ldap_result. As a result, it is not catching timeouts, and proceeds
as if ldap_result was successful. This results in a segfault when access
to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to
it. Having a service as a whole crash because of such an occurrence is
not acceptable.
This upload fixes the problem by simply including the timeout error case
in an existing check. It was clearly just an oversight in that one call,
as the remainder of the code does handle timeout errors. It was just
never reached.
[Test Case]
- To reproduce the problem:
+ To reproduce the problem in an openvpn server:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ sudo nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line
to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root at trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory.
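The [Impact] and [Other Info] sections above describe the root cause: the return code of ldap_result() was only checked for -1, so a timeout (return value 0, result pointer left NULL) was treated as success. The following is an added example, not the plugin's own code: it models libldap's ldap_result() contract with a constructed fake_ldap_result() (assumption, from the OpenLDAP man page: -1 on error, 0 on timeout, the message type on success, result NULL otherwise) and places the original-style check beside the corrected one that treats any non-positive return as a failure.

```c
#include <stdio.h>

/* Constructed stand-in for libldap's LDAPMessage; only the type is modelled. */
typedef struct { int type; } LDAPMessage;

/* Scenarios the constructed transport can produce. */
enum scenario { SC_SUCCESS, SC_TIMEOUT, SC_ERROR };

/* Constructed model of ldap_result() (assumption: OpenLDAP's documented
 * contract): returns -1 on error, 0 when the timeout expires, and the
 * message type (> 0) on success. *result stays NULL unless it succeeds. */
static int fake_ldap_result(enum scenario sc, LDAPMessage **result)
{
    static LDAPMessage bind_msg = { 0x61 }; /* LDAP_RES_BIND */
    *result = NULL;
    switch (sc) {
    case SC_SUCCESS: *result = &bind_msg; return bind_msg.type;
    case SC_TIMEOUT: return 0;
    default:         return -1;
    }
}

/* Outcomes of the two handlers below. OUT_NULL_DEREF stands in for the
 * assertion failure in ldap_parse_sasl_bind_result() seen in the report. */
enum outcome { OUT_OK = 0, OUT_FAILED = 1, OUT_NULL_DEREF = 2 };

/* Original-style check: only -1 counts as failure, so a timeout (rc == 0)
 * falls through and the NULL result would be handed to the parser. */
int handle_bind_result_buggy(enum scenario sc)
{
    LDAPMessage *res;
    int rc = fake_ldap_result(sc, &res);
    if (rc == -1)
        return OUT_FAILED;
    if (res == NULL)
        return OUT_NULL_DEREF; /* the real code aborts here */
    return OUT_OK;
}

/* Corrected check: any non-positive return (error or timeout) is a
 * failure, and the result pointer is never touched on that path. */
int handle_bind_result_fixed(enum scenario sc)
{
    LDAPMessage *res;
    int rc = fake_ldap_result(sc, &res);
    if (rc <= 0) {
        fprintf(stderr, "ldap_result: %s\n", rc == 0 ? "timeout" : "error");
        return OUT_FAILED;
    }
    if (res == NULL)
        return OUT_NULL_DEREF;
    return OUT_OK;
}

int main(void)
{
    printf("buggy/timeout: %d\n", handle_bind_result_buggy(SC_TIMEOUT)); /* 2 */
    printf("fixed/timeout: %d\n", handle_bind_result_fixed(SC_TIMEOUT)); /* 1 */
    return 0;
}
```

Only the timeout row differs between the two handlers, which is exactly the one-line oversight the report describes; the same check applies to the second call site mentioned in [Other Info].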
https://bugs.launchpad.net/bugs/1602813
Title:
openvpn-auth-ldap causing segfault on network timeout