From: tbordaz Date: Thu, 18 Aug 2022 09:17:30 +0000 (+0200) Subject: CVE-2022-2850 - Sync_repl may crash while managing invalid cookie (#5420) - Issue... X-Git-Tag: archive/raspbian/1.4.4.11-2+rpi1+deb11u1^2~2 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=9ad2a57d213410f3a2ab89bd3f9b1dcdb767f235;p=389-ds-base.git CVE-2022-2850 - Sync_repl may crash while managing invalid cookie (#5420) - Issue 5418 Bug description: If the servers receives an invalid cookie without separator '#', it parses it into an empty cookie (Sync_Cookie) instead of a NULL cookie (failure). Later it sigsegv when using the empty cookie. Fix description: If the parsing fails return NULL relates: #5418 Reviewed by: Viktor Ashirov, Mark Reynolds, William Brown, Simon Pichugin (thanks !) Origin: backport, commit:513a763b551848e5532ec22bb0086464aa09252f Gbp-Pq: Name CVE-2022-2850-Sync_repl-may-crash-with-invalid-cookie.patch
---
diff --git a/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py b/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
index 04c0a09..1ca88c1 100644
--- a/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
+++ b/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
@@ -526,3 +526,79 @@ def test_sync_repl_cookie_with_failure(topology, init_sync_repl_plugins, request
 testgroup.delete()
 request.addfinalizer(fin)
+
+def test_sync_repl_invalid_cookie(topology, request):
+ """Test sync_repl with invalid cookie
+
+ :id: 8fa4a8f8-acf4-42a5-90f1-6ba1d8080e46
+ :setup: install a standalone instance
+ :steps:
+ 1. reset instance to standard (no retroCL, no sync_repl, no dynamic plugin)
+ 2. Enable retroCL/content_sync
+ 3. Establish a sync_repl connection
+ 4. Tests servers results to search with invalid cookie
+ 5. Add/delete an user entry to check the server is up and running
+ :expectedresults:
+ 1. Should succeeds
+ 2. Should succeeds
+ 3. Should succeeds
+ 4. Should succeeds
+ 5. Should succeeds
+ """
+
+ # Reset the instance in a default config
+ # Disable content sync plugin
+ topology.standalone.restart()
+ topology.standalone.plugins.disable(name=PLUGIN_REPL_SYNC)
+
+ # Disable retro changelog
+ topology.standalone.plugins.disable(name=PLUGIN_RETRO_CHANGELOG)
+
+ # Disable dynamic plugins
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-dynamic-plugins', b'off')])
+ topology.standalone.restart()
+
+ # Enable retro changelog
+ topology.standalone.plugins.enable(name=PLUGIN_RETRO_CHANGELOG)
+
+ # Enbale content sync plugin
+ topology.standalone.plugins.enable(name=PLUGIN_REPL_SYNC)
+ topology.standalone.restart()
+
+ # Setup the syncer
+ sync = ISyncRepl(topology.standalone)
+
+ # Test invalid cookies
+ cookies = ('#', '##', 'a#a#a', 'a#a#1', 'foo')
+ for invalid_cookie in cookies:
+ log.info('Testing cookie: %s' % invalid_cookie)
+ try:
+ ldap_search = sync.syncrepl_search(base=DEFAULT_SUFFIX,
+ scope=ldap.SCOPE_SUBTREE,
+ attrlist=['objectclass', 'cn', 'homedirectory', 'sn','uid'],
+ filterstr='(|(objectClass=groupofnames)(objectClass=person))',
+ mode='refreshOnly',
+ cookie=invalid_cookie)
+ poll_result = sync.syncrepl_poll(all=1)
+
+ log.fatal('Invalid cookie accepted!')
+ assert False
+ except Exception as e:
+ log.info('Invalid cookie correctly rejected: {}'.format(e.args[0]['info']))
+ pass
+
+ # check that the server is still up and running
+ users = UserAccounts(topology.standalone, DEFAULT_SUFFIX)
+ user = users.create_test_user(uid=1000)
+
+ # Success
+ log.info('Test complete')
+
+ def fin():
+ topology.standalone.restart()
+ try:
+ user.delete()
+ except:
+ pass
+
+ request.addfinalizer(fin)
diff --git a/ldap/servers/plugins/sync/sync_util.c b/ldap/servers/plugins/sync/sync_util.c
index d84705a..5ebf5f2 100644
--- a/ldap/servers/plugins/sync/sync_util.c
+++ b/ldap/servers/plugins/sync/sync_util.c
@@ -775,6 +775,8 @@ sync_cookie_parse(char *cookie, PRBool *cookie_refresh, PRBool *allow_openldap_c
 } else {
 goto error_return;
 }
+ } else {
+ goto error_return;
 }
 }
 return (sc);
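Review bot: The `except Exception as e:` in the cookie loop of `test_sync_repl_invalid_cookie` also catches the `AssertionError` from the `assert False` just above it, so a server that accepts an invalid cookie is never reported as accepting it; the test only fails because `e.args[0]['info']` then raises on the AssertionError's empty args, which hides the real failure behind an IndexError. Catch the error the server is expected to return (`ldap.LDAPError`) and put `log.fatal(...)`/`assert False` in an `else:` branch so the assertion escapes the `try`; `e.args[0]` is a dict only for python-ldap errors and its `'info'` key is optional, so read it with `.get`. The unused `ldap_search` and `poll_result` bindings can go, the finalizer's bare `except:` should name `ldap.LDAPError` (a bare except also swallows KeyboardInterrupt), and `# Enbale content sync plugin` has a typo.
```python
        try:
            sync.syncrepl_search(base=DEFAULT_SUFFIX,
                                 # … unchanged: scope, attrlist, filterstr, mode kwargs …
                                 cookie=invalid_cookie)
            sync.syncrepl_poll(all=1)
        except ldap.LDAPError as e:
            # args[0] is the python-ldap result dict; 'info' is present only
            # when the server supplied a diagnostic message
            log.info('Invalid cookie correctly rejected: %s', e.args[0].get('info', e.args[0]))
        else:
            log.fatal('Invalid cookie accepted!')
            assert False
```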
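Review bot: The new `} else { goto error_return; }` in `sync_cookie_parse` is the crash fix, but nothing at that point says why a cookie with no `#` separator must fail rather than yield an empty `Sync_Cookie`, which is exactly what the old code did; a one-line comment on the new `else` would stop the next refactor from reintroducing it, e.g. `/* no '#' separator: malformed client-supplied cookie, return NULL rather than an empty Sync_Cookie that is dereferenced later (#5418) */`. The cookie value comes straight from the client's control, so it is worth confirming that `error_return` (outside this hunk, as are the start and the tail of `sync_cookie_parse`) logs the rejection at a level an operator will see; if it does not, a `slapi_log_err(SLAPI_LOG_ERR, ...)` there would give a usable signal that a client is sending malformed cookies. The test also sends `#`, `##`, `a#a#a` and `a#a#1`, which go through the separator branches above this hunk, so their rejection depends on code not shown here.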