Description: Ubuntu 14.04.4 LTS
Release: 14.04
openvpn-auth-ldap=2.0.3-5.1
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
You can see this bug referenced here:
https://github.com/threerings/openvpn-auth-ldap/issues/11
And a fix mentioned here:
https://github.com/threerings/openvpn-auth-ldap/pull/53
The above patch is not compatible with the source provided with 14.04, so I have updated the patch to work with the 14.04 source. I have provided it below.
I would appreciate if a package with the fix could be released.
-Aaron Peschel
Index: openvpn- auth-ldap/ src/LFLDAPConne ction.m ======= ======= ======= ======= ======= ======= ======= ======= ==== auth-ldap. orig/src/ LFLDAPConnectio n.m 2016-07-12 auth-ldap/ src/LFLDAPConne ction.m 2016-07-12
timeout. tv_sec = _timeout;
timeout. tv_usec = 0; ldapConn, msgid, 1, &timeout, &res) == -1) { ldapConn, msgid, 1, &timeout, &res) <= 0) { errno(ldapConn) ;
ldap_ abandon_ ext(ldapConn, msgid, NULL, NULL);
=======
--- openvpn-
23:24:14.710216000 +0000
+++ openvpn-
23:24:48.394216000 +0000
@@ -175,7 +175,7 @@
/* Wait for the result */
- if (ldap_result(
+ if (ldap_result(
err = ldap_get_
if (err == LDAP_TIMEOUT)
@@ -383,7 +383,7 @@
}
/* Wait for the result */ ldapConn, msgid, 1, &timeout, &res) == -1) { ldapConn, msgid, 1, &timeout, &res) <= 0) { errno(ldapConn) ;
ldap_ abandon_ ext(ldapConn, msgid, NULL, NULL);
- if (ldap_result(
+ if (ldap_result(
err = ldap_get_
if (err == LDAP_TIMEOUT)
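Review bot: The `<= 0` comparison at both call sites (the hunks at -175 and -383) puts the timeout return (0) and the error return (-1) into one branch and leaves it to the errno lookup and the `if (err == LDAP_TIMEOUT)` test to tell them apart. Keeping the return value in a local and testing it for 0 directly would make the timeout case explicit, and a short comment that `res` is not filled in on either return would document why nothing past this point may touch it. The same wait-and-check block is changed identically in two places, so a shared helper would keep the two copies from drifting apart again.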
ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: openvpn 2.3.2-7ubuntu3.1
ProcVersionSignature: Ubuntu 3.13.0-74.118-generic 3.13.11-ckt30
Uname: Linux 3.13.0-74-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
AssertionMessage: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Date: Tue Jul 12 21:35:10 2016
Ec2AMI: ami-9abea4fb
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-west-2c
Ec2InstanceType: t2.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ExecutablePath: /usr/sbin/openvpn
ProcCmdline: /usr/sbin/openvpn --writepid /run/openvpn/foxpass.pid --daemon ovpn-foxpass --cd /etc/openvpn --config /etc/openvpn/foxpass.conf --script-security 2
ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
Signal: 6
SourcePackage: openvpn
StacktraceTop:
 __assert_fail_base (fmt=0x7f3cd7f203b8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7f3cd796d9bd "res != ((void *)0)", file=file@entry=0x7f3cd796e100 "sasl.c", line=line@entry=257, function=function@entry=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at assert.c:92
 __GI___assert_fail (assertion=0x7f3cd796d9bd "res != ((void *)0)", file=0x7f3cd796e100 "sasl.c", line=257, function=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at assert.c:101
 ldap_parse_sasl_bind_result () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
 ?? () from /usr/lib/openvpn/openvpn-auth-ldap.so
 connect_ldap () from /usr/lib/openvpn/openvpn-auth-ldap.so
Title: openvpn assert failure: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
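The return-code handling described in the report, as an added example that is not part of the original report or of the plugin's source. fake_ldap_result is a hypothetical stand-in that models only the -1 / 0 / positive return contract of ldap_result, and the scenario and outcome names are assumptions; the patched variant here tests the return value for 0 directly instead of looking up the LDAP errno.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the ldap_result() return contract:
 * -1 = error, 0 = timeout expired, >0 = message type with *res filled in. */
typedef struct { int type; } fake_msg;        /* hypothetical, not LDAPMessage */
enum scenario { SC_ERROR, SC_TIMEOUT, SC_REPLY };
enum outcome  { OUT_FAILED, OUT_TIMED_OUT, OUT_USE_RESULT };

static fake_msg reply = { 0x61 };             /* 0x61 is LDAP_RES_BIND */

static int fake_ldap_result(enum scenario sc, fake_msg **res) {
    *res = NULL;                              /* nothing delivered unless a reply arrives */
    if (sc == SC_ERROR)   return -1;
    if (sc == SC_TIMEOUT) return 0;
    *res = &reply;
    return reply.type;
}

/* Pre-patch check: only -1 counts as failure, so a timeout falls through. */
static enum outcome wait_unpatched(enum scenario sc, fake_msg **res) {
    if (fake_ldap_result(sc, res) == -1)
        return OUT_FAILED;
    return OUT_USE_RESULT;                    /* caller goes on to parse *res, even if NULL */
}

/* Patched check: 0 and -1 both stop before *res is touched. */
static enum outcome wait_patched(enum scenario sc, fake_msg **res) {
    int rc = fake_ldap_result(sc, res);
    if (rc <= 0)
        return rc == 0 ? OUT_TIMED_OUT : OUT_FAILED;
    return OUT_USE_RESULT;
}

int main(void) {
    static const char *names[] = { "error", "timeout", "reply" };
    for (int sc = SC_ERROR; sc <= SC_REPLY; sc++) {
        fake_msg *a, *b;
        enum outcome o = wait_unpatched((enum scenario)sc, &a);
        enum outcome p = wait_patched((enum scenario)sc, &b);
        printf("%-8s unpatched: outcome=%d res=%s | patched: outcome=%d\n",
               names[sc], (int)o, a ? "set" : "NULL", (int)p);
    }
    return 0;
}
```

In the timeout row the unpatched check reports a usable result while res is NULL, which is the state the assertion in the crash report trips on.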