Bug #952068 “stack overflow on sasl authentication failure” : Bugs : libmemcached

sinny (sinnydono) on 2012-03-11

description:

updated

Revision history for this message

sinny (sinnydono) wrote on 2012-03-12:

#1

note: in provided code sample, "memcached_server_st *srv = memcached_servers_parse(servers.c_str());" line: <servers> string contains single ip/hostname.

Revision history for this message

Brian Aker (brianaker) wrote on 2012-03-16:

#2

Have you tried creating a string and using memcached() to create your structure?

Changed in libmemcached:
status:	New → Incomplete

Revision history for this message

sinny (sinnydono) wrote on 2012-03-20:

#3

test application Edit (879 bytes, text/x-c++src)

Download full text (3.5 KiB)

more concise scenario (libmemcached 1.0.4):
- start memcached in text mode on host <addr> ( memcached -d -p 11211 -u memcached -m 64 -c 1024 -P /var/run/memcached/memcached.pid )
- compile attached file ( make test CXXFLAGS=-g LDLIBS=-lmemcached )
- execute compiled file ( ./test <addr>:11211 TEST test )

in my case this leads to the following:
-------------------------------------------------------
[root@ws home]# ./test 192.168.65.3:11211 TEST test

USAGE : ./test server_string sasl_user sasl_password

Segmentation fault
[root@ws home]#
-------------------------------------------------------

with the following backtrace (tail only):
-------------------------------------------------------
...
#6109 0xf7fc5f16 in memcached_server_clone(memcached_server_st*, memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6110 0xf7fc3ef0 in memcached_quit_server(memcached_server_st*, bool) () from /usr/lib/libmemcached.so.9
#6111 0xf7fc1125 in memcached_io_reset(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6112 0xf7fc537a in ?? () from /usr/lib/libmemcached.so.9
#6113 0xf7fc5477 in memcached_response(memcached_server_st*, char*, unsigned int, memcached_result_st*, unsigned long long&) () from /usr/lib/libmemcached.so.9
#6114 0xf7fc5639 in memcached_response(memcached_server_st*, char*, unsigned int, memcached_result_st*) () from /usr/lib/libmemcached.so.9
#6115 0xf7fcba9c in memcached_sasl_authenticate_connection(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6116 0xf7fbaa2f in ?? () from /usr/lib/libmemcached.so.9
#6117 0xf7fbaf19 in memcached_connect_try(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6118 0xf7fc5de0 in __server_create_with(memcached_st*, memcached_server_st*, memcached_string_t const&, unsigned short, unsigned int, memcached_connection_t) () from /usr/lib/libmemcached.so.9
#6119 0xf7fc5f16 in memcached_server_clone(memcached_server_st*, memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6120 0xf7fc3ef0 in memcached_quit_server(memcached_server_st*, bool) () from /usr/lib/libmemcached.so.9
#6121 0xf7fc1125 in memcached_io_reset(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6122 0xf7fc537a in ?? () from /usr/lib/libmemcached.so.9
#6123 0xf7fc5477 in memcached_response(memcached_server_st*, char*, unsigned int, memcached_result_st*, unsigned long long&) () from /usr/lib/libmemcached.so.9
#6124 0xf7fc5639 in memcached_response(memcached_server_st*, char*, unsigned int, memcached_result_st*) () from /usr/lib/libmemcached.so.9
#6125 0xf7fcba9c in memcached_sasl_authenticate_connection(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6126 0xf7fbaa2f in ?? () from /usr/lib/libmemcached.so.9
#6127 0xf7fbaf19 in memcached_connect_try(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6128 0xf7fc5de0 in __server_create_with(memcached_st*, memcached_server_st*, memcached_string_t const&, unsigned short, unsigned int, memcached_connection_t) () from /usr/lib/libmemcached.so.9
#6129 0xf7fc0fa4 in memcached_server_push () from /usr/lib/libmemcached.so.9
#6130 0x08048bef in main (argc=4, argv=0xffffdb34) at test.cpp:33
-------------------------------------------------------
...

more concise scenario (libmemcached 1.0.4):
 - start memcached in text mode on host <addr> ( memcached -d -p 11211 -u memcached -m 64 -c 1024 -P /var/run/memcached/memcached.pid )
 - compile attached file ( make test CXXFLAGS=-g LDLIBS=-lmemcached )
 - execute compiled file ( ./test <addr>:11211 TEST test )

in my case this leads to the following:
-------------------------------------------------------
[root@ws home]# ./test 192.168.65.3:11211 TEST test

USAGE : ./test server_string sasl_user sasl_password

Segmentation fault
[root@ws home]#
-------------------------------------------------------

with the following backtrace (tail only):
-------------------------------------------------------
...
#6109 0xf7fc5f16 in memcached_server_clone(memcached_server_st*, memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6110 0xf7fc3ef0 in memcached_quit_server(memcached_server_st*, bool) () from /usr/lib/libmemcached.so.9
#6111 0xf7fc1125 in memcached_io_reset(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6112 0xf7fc537a in ?? () from /usr/lib/libmemcached.so.9
#6113 0xf7fc5477 in memcached_response(memcached_server_st*, char*, unsigned int, memcached_result_st*, unsigned long long&) () from /usr/lib/libmemcached.so.9
#6114 0xf7fc5639 in memcached_response(memcached_server_st*, char*, unsigned int, memcached_result_st*) () from /usr/lib/libmemcached.so.9
#6115 0xf7fcba9c in memcached_sasl_authenticate_connection(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6116 0xf7fbaa2f in ?? () from /usr/lib/libmemcached.so.9
#6117 0xf7fbaf19 in memcached_connect_try(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6118 0xf7fc5de0 in __server_create_with(memcached_st*, memcached_server_st*, memcached_string_t const&, unsigned short, unsigned int, memcached_connection_t) () from /usr/lib/libmemcached.so.9
#6119 0xf7fc5f16 in memcached_server_clone(memcached_server_st*, memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6120 0xf7fc3ef0 in memcached_quit_server(memcached_server_st*, bool) () from /usr/lib/libmemcached.so.9
#6121 0xf7fc1125 in memcached_io_reset(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6122 0xf7fc537a in ?? () from /usr/lib/libmemcached.so.9
#6123 0xf7fc5477 in memcached_response(memcached_server_st*, char*, unsigned int, memcached_result_st*, unsigned long long&) () from /usr/lib/libmemcached.so.9
#6124 0xf7fc5639 in memcached_response(memcached_server_st*, char*, unsigned int, memcached_result_st*) () from /usr/lib/libmemcached.so.9
#6125 0xf7fcba9c in memcached_sasl_authenticate_connection(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6126 0xf7fbaa2f in ?? () from /usr/lib/libmemcached.so.9
#6127 0xf7fbaf19 in memcached_connect_try(memcached_server_st*) () from /usr/lib/libmemcached.so.9
#6128 0xf7fc5de0 in __server_create_with(memcached_st*, memcached_server_st*, memcached_string_t const&, unsigned short, unsigned int, memcached_connection_t) () from /usr/lib/libmemcached.so.9
#6129 0xf7fc0fa4 in memcached_server_push () from /usr/lib/libmemcached.so.9
#6130 0x08048bef in main (argc=4, argv=0xffffdb34) at test.cpp:33
-------------------------------------------------------

tcp dump shows lots of reconnects with the following exchange:
-------------------------------------------------------
1. connection opened
2. Unknown opcode (32) Request
3. Unknown opcode (32) Response (Unknown command)
4. connection closed
-------------------------------------------------------

i know, it's not a normal real-life situation, but it does trigger the same problem as in issue head post.

Revision history for this message

douyuan (douyuan) wrote on 2012-05-14:

#4

my patch Edit (2.5 KiB, text/plain)

Download full text (4.8 KiB)

Got similar problem with "binary protocol" + "sasl auth with a wrong password".
The key is that memcached_io_reset on a MEMCACHED_AUTH_FAILURE-ed server will lead to infinite recursion.
I've made a quick & dirty fix. Hope this patch is useful to you.

Warning!
Since __server_create_with returns a pointer only, there is no way to distinguish between auth failure and memory allocation failure.

The following is part of my backtrace:
-------------------------
Program received signal SIGSEGV, Segmentation fault.
0x00000039fae42854 in vfprintf () from /lib64/libc.so.6
(gdb) bt
#0 0x00000039fae42854 in vfprintf () from /lib64/libc.so.6
#1 0x00000039fae63c99 in vsprintf () from /lib64/libc.so.6
#2 0x00000039fae4d678 in sprintf () from /lib64/libc.so.6
#3 0x00000039faee0c0e in inet_ntop () from /lib64/libc.so.6
#4 0x00000039faef2a99 in getnameinfo () from /lib64/libc.so.6
#5 0x00002aaaafe5017c in resolve_names (server=..., laddr=0x7fffff4028e0 "\023", laddr_length=1057, raddr=0x7fffff4024b0 " ",
    raddr_length=1057) at libmemcached/sasl.cc:80
#6 0x00002aaaafe503ec in memcached_sasl_authenticate_connection (server=0x1e2bb60) at libmemcached/sasl.cc:183
#7 0x00002aaaafe42d7c in _memcached_connect (server=0x1e2bb60, set_last_disconnected=false) at libmemcached/connect.cc:665
#8 0x00002aaaafe42f5a in memcached_connect_try (server=0x1e2bb60) at libmemcached/connect.cc:715
#9 0x00002aaaafe51222 in __server_create_with (memc=0x725d90, self=0x1e2bb60, hostname=..., port=11211, weight=1,
    type=MEMCACHED_CONNECTION_TCP) at libmemcached/server.cc:143
#10 0x00002aaaafe512df in memcached_server_clone (destination=0x0, source=0x1e26000) at libmemcached/server.cc:204
#11 0x00002aaaafe4cee8 in set_last_disconnected_host (self=0x1e26000) at ./libmemcached/server.hpp:93
#12 0x00002aaaafe4cfc6 in memcached_mark_server_for_timeout (server=0x1e26000) at ./libmemcached/server.hpp:117
#13 0x00002aaaafe4d211 in memcached_quit_server (ptr=0x1e26000, io_death=true) at libmemcached/quit.cc:131
#14 0x00002aaaafe497c8 in memcached_io_reset (ptr=0x1e26000) at libmemcached/io.cc:743
#15 0x00002aaaafe4efce in _read_one_response (instance=0x1e26000, buffer=0x0, buffer_length=0, result=0x725e30)
    at libmemcached/response.cc:814
#16 0x00002aaaafe4f188 in memcached_response (instance=0x1e26000, buffer=0x0, buffer_length=0, result=0x0) at libmemcached/response.cc:883
#17 0x00002aaaafe507d9 in memcached_sasl_authenticate_connection (server=0x1e26000) at libmemcached/sasl.cc:251
#18 0x00002aaaafe42d7c in _memcached_connect (server=0x1e26000, set_last_disconnected=false) at libmemcached/connect.cc:665
#19 0x00002aaaafe42f5a in memcached_connect_try (server=0x1e26000) at libmemcached/connect.cc:715
#20 0x00002aaaafe51222 in __server_create_with (memc=0x725d90, self=0x1e26000, hostname=..., port=11211, weight=1,
    type=MEMCACHED_CONNECTION_TCP) at libmemcached/server.cc:143
#21 0x00002aaaafe512df in memcached_server_clone (destination=0x0, source=0x1e204a0) at libmemcached/server.cc:204
#22 0x00002aaaafe4cee8 in set_last_disconnected_host (self=0x1e204a0) at ./libmemcached/server.hpp:93
#23 0x00002aaaafe4cfc6 in memcached_mark_server_for_timeout (server=0x1e204a0) at ./li...

Got similar problem with "binary protocol" + "sasl auth with a wrong password".
The key is that memcached_io_reset on a MEMCACHED_AUTH_FAILURE-ed server will lead to infinite recursion.
I've made a quick & dirty fix. Hope this patch is useful to you.

Warning!
Since __server_create_with returns a pointer only, there is no way to distinguish between auth failure and memory allocation failure.

The following is part of my backtrace:
-------------------------
Program received signal SIGSEGV, Segmentation fault.
0x00000039fae42854 in vfprintf () from /lib64/libc.so.6
(gdb) bt
#0  0x00000039fae42854 in vfprintf () from /lib64/libc.so.6
#1  0x00000039fae63c99 in vsprintf () from /lib64/libc.so.6
#2  0x00000039fae4d678 in sprintf () from /lib64/libc.so.6
#3  0x00000039faee0c0e in inet_ntop () from /lib64/libc.so.6
#4  0x00000039faef2a99 in getnameinfo () from /lib64/libc.so.6
#5  0x00002aaaafe5017c in resolve_names (server=..., laddr=0x7fffff4028e0 "\023", laddr_length=1057, raddr=0x7fffff4024b0 " ",
    raddr_length=1057) at libmemcached/sasl.cc:80
#6  0x00002aaaafe503ec in memcached_sasl_authenticate_connection (server=0x1e2bb60) at libmemcached/sasl.cc:183
#7  0x00002aaaafe42d7c in _memcached_connect (server=0x1e2bb60, set_last_disconnected=false) at libmemcached/connect.cc:665
#8  0x00002aaaafe42f5a in memcached_connect_try (server=0x1e2bb60) at libmemcached/connect.cc:715
#9  0x00002aaaafe51222 in __server_create_with (memc=0x725d90, self=0x1e2bb60, hostname=..., port=11211, weight=1,
    type=MEMCACHED_CONNECTION_TCP) at libmemcached/server.cc:143
#10 0x00002aaaafe512df in memcached_server_clone (destination=0x0, source=0x1e26000) at libmemcached/server.cc:204
#11 0x00002aaaafe4cee8 in set_last_disconnected_host (self=0x1e26000) at ./libmemcached/server.hpp:93
#12 0x00002aaaafe4cfc6 in memcached_mark_server_for_timeout (server=0x1e26000) at ./libmemcached/server.hpp:117
#13 0x00002aaaafe4d211 in memcached_quit_server (ptr=0x1e26000, io_death=true) at libmemcached/quit.cc:131
#14 0x00002aaaafe497c8 in memcached_io_reset (ptr=0x1e26000) at libmemcached/io.cc:743
#15 0x00002aaaafe4efce in _read_one_response (instance=0x1e26000, buffer=0x0, buffer_length=0, result=0x725e30)
    at libmemcached/response.cc:814
#16 0x00002aaaafe4f188 in memcached_response (instance=0x1e26000, buffer=0x0, buffer_length=0, result=0x0) at libmemcached/response.cc:883
#17 0x00002aaaafe507d9 in memcached_sasl_authenticate_connection (server=0x1e26000) at libmemcached/sasl.cc:251
#18 0x00002aaaafe42d7c in _memcached_connect (server=0x1e26000, set_last_disconnected=false) at libmemcached/connect.cc:665
#19 0x00002aaaafe42f5a in memcached_connect_try (server=0x1e26000) at libmemcached/connect.cc:715
#20 0x00002aaaafe51222 in __server_create_with (memc=0x725d90, self=0x1e26000, hostname=..., port=11211, weight=1,
    type=MEMCACHED_CONNECTION_TCP) at libmemcached/server.cc:143
#21 0x00002aaaafe512df in memcached_server_clone (destination=0x0, source=0x1e204a0) at libmemcached/server.cc:204
#22 0x00002aaaafe4cee8 in set_last_disconnected_host (self=0x1e204a0) at ./libmemcached/server.hpp:93
#23 0x00002aaaafe4cfc6 in memcached_mark_server_for_timeout (server=0x1e204a0) at ./libmemcached/server.hpp:117
#24 0x00002aaaafe4d211 in memcached_quit_server (ptr=0x1e204a0, io_death=true) at libmemcached/quit.cc:131
#25 0x00002aaaafe497c8 in memcached_io_reset (ptr=0x1e204a0) at libmemcached/io.cc:743
#26 0x00002aaaafe4efce in _read_one_response (instance=0x1e204a0, buffer=0x0, buffer_length=0, result=0x725e30)
    at libmemcached/response.cc:814
#27 0x00002aaaafe4f188 in memcached_response (instance=0x1e204a0, buffer=0x0, buffer_length=0, result=0x0) at libmemcached/response.cc:883
#28 0x00002aaaafe507d9 in memcached_sasl_authenticate_connection (server=0x1e204a0) at libmemcached/sasl.cc:251
#29 0x00002aaaafe42d7c in _memcached_connect (server=0x1e204a0, set_last_disconnected=false) at libmemcached/connect.cc:665
#30 0x00002aaaafe42f5a in memcached_connect_try (server=0x1e204a0) at libmemcached/connect.cc:715
#31 0x00002aaaafe51222 in __server_create_with (memc=0x725d90, self=0x1e204a0, hostname=..., port=11211, weight=1,
    type=MEMCACHED_CONNECTION_TCP) at libmemcached/server.cc:143
#32 0x00002aaaafe512df in memcached_server_clone (destination=0x0, source=0x1e1a940) at libmemcached/server.cc:204
#33 0x00002aaaafe4cee8 in set_last_disconnected_host (self=0x1e1a940) at ./libmemcached/server.hpp:93
#34 0x00002aaaafe4cfc6 in memcached_mark_server_for_timeout (server=0x1e1a940) at ./libmemcached/server.hpp:117
#35 0x00002aaaafe4d211 in memcached_quit_server (ptr=0x1e1a940, io_death=true) at libmemcached/quit.cc:131
#36 0x00002aaaafe497c8 in memcached_io_reset (ptr=0x1e1a940) at libmemcached/io.cc:743
#37 0x00002aaaafe4efce in _read_one_response (instance=0x1e1a940, buffer=0x0, buffer_length=0, result=0x725e30)
    at libmemcached/response.cc:814

Huabin Zheng (huabin-zheng) on 2012-06-06

Changed in libmemcached:
status:	Incomplete → Opinion

libmemcached

stack overflow on sasl authentication failure

Bug Description

Other bug subscribers

Patches

Bug attachments

Remote bug watches