Ubuntu
openvpn-auth-ldap package

  1. Bug #1602813
  2. Comment #0

Comment 0 for bug 1602813

Revision history for this message
Foxpass Dev (foxpass-dev) wrote :

Description: Ubuntu 14.04.4 LTS
Release: 14.04

openvpn-auth-ldap=2.0.3-5.1

There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.

The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.

You can see this bug referenced here:

https://github.com/threerings/openvpn-auth-ldap/issues/11

And a fix mentioned here:

https://github.com/threerings/openvpn-auth-ldap/pull/53

The above patch is not compatible with the source provided with 14.04, so I have updated the patch to work with the 14.04 source. I have provided it below.

I would appreciate if a package with the fix could be released.

-Aaron Peschel

Index: openvpn-auth-ldap/src/LFLDAPConnection.m
===================================================================
--- openvpn-auth-ldap.orig/src/LFLDAPConnection.m 2016-07-12
23:24:14.710216000 +0000
+++ openvpn-auth-ldap/src/LFLDAPConnection.m 2016-07-12
23:24:48.394216000 +0000
@@ -175,7 +175,7 @@
        /* Wait for the result */
        timeout.tv_sec = _timeout;
        timeout.tv_usec = 0;
- if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
+ if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
                err = ldap_get_errno(ldapConn);
                if (err == LDAP_TIMEOUT)
                        ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
@@ -383,7 +383,7 @@
        }

        /* Wait for the result */
- if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
+ if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
                err = ldap_get_errno(ldapConn);
                if (err == LDAP_TIMEOUT)
                        ldap_abandon_ext(ldapConn, msgid, NULL, NULL);

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: openvpn 2.3.2-7ubuntu3.1
ProcVersionSignature: Ubuntu 3.13.0-74.118-generic 3.13.11-ckt30
Uname: Linux 3.13.0-74-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
AssertionMessage: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Date: Tue Jul 12 21:35:10 2016
Ec2AMI: ami-9abea4fb
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-west-2c
Ec2InstanceType: t2.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ExecutablePath: /usr/sbin/openvpn
ProcCmdline: /usr/sbin/openvpn --writepid /run/openvpn/foxpass.pid --daemon ovpn-foxpass --cd /etc/openvpn --config /etc/openvpn/foxpass.conf --script-security 2
ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
Signal: 6
SourcePackage: openvpn
StacktraceTop:
 __assert_fail_base (fmt=0x7f3cd7f203b8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7f3cd796d9bd "res != ((void *)0)", file=file@entry=0x7f3cd796e100 "sasl.c", line=line@entry=257, function=function@entry=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at assert.c:92
 __GI___assert_fail (assertion=0x7f3cd796d9bd "res != ((void *)0)", file=0x7f3cd796e100 "sasl.c", line=257, function=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at assert.c:101
 ldap_parse_sasl_bind_result () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
 ?? () from /usr/lib/openvpn/openvpn-auth-ldap.so
 connect_ldap () from /usr/lib/openvpn/openvpn-auth-ldap.so
Title: openvpn assert failure: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: