patch for hang in "saslauthd -a rimap"

Hello,

I was finding that saslauthd (using rimap) would occasionally hang and consume all available CPU time. After considerable investigation (and after capturing lots of network traffic), I found that this occurred when a user had a double quote (") character in their password. Further testing with testsaslauthd revealed the same behavior. This problem would occur any time the user name or password had any double quote characters. This can lead to a remote DoS, as neither the user name nor the password needs to be valid; they just need to contain a (").

I found the source of the issue in saslauthd/auth_rimap.c. It appears that the code is searching for the (") character and, upon finding it, gets stuck in a loop. I also found errors in the use of the memset() function later in the same file. This problem appears to affect all recent versions of cyrus-sasl. I can confirm that I have found the problem in 2.1.19, 2.1.20, and 2.1.22 on both Linux and OpenBSD.

To assist others, I have attached the patch that I created. Unfortunately, I don't know what the official mechanism is for submitting patches. I hope that this would be the appropriate place to start.

Regards,

-Bob


--- cyrus-sasl-2.1.22/saslauthd/auth_rimap.c    Thu Apr  6 15:19:54 2006
+++ cyrus-sasl-2.1.22-1/saslauthd/auth_rimap.c  Fri Dec 28 03:06:18 2007
@@ -162,6 +162,7 @@
     num_quotes = 0;
     p1 = s;
     while ((p1 = strchr(p1, '"')) != NULL) {
+       p1++;
        num_quotes++;
     }

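Review bot: The added p1++ is a body statement separate from the strchr() call in the loop condition, so the scan's forward progress depends on a line that is easy to drop again. Folding it into a for loop, for (p1 = s; (p1 = strchr(p1, '"')) != NULL; p1++) num_quotes++;, keeps the search and the advance together. The increment itself is safe: strchr() returned a pointer to a '"', so p1 + 1 is at worst the terminating NUL. A testsaslauthd run with a double quote in the user name and another in the password would make a good regression check for this loop.
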
@@ -438,7 +439,7 @@
        syslog(LOG_WARNING, "auth_rimap: writev: %m");
        memset(qlogin, 0, strlen(qlogin));
        free(qlogin);
-       memset(qpass, 0, strlen(qlogin));
+       memset(qpass, 0, strlen(qpass));
        free(qpass);
        (void)close(s);
        return strdup(RESP_IERROR);
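Review bot: In the writev error path, memset(qpass, 0, strlen(qpass)) is followed directly by free(qpass), and a compiler is allowed to drop a memset on a buffer that is never read again as a dead store. The same applies to the qlogin wipe two lines up. Consider a wipe the optimizer cannot elide, such as a platform secure-zero routine where one is available. The commit message should also record that the removed line called strlen(qlogin) after free(qlogin), so it read freed memory and did not merely use the wrong length for qpass.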
@@ -447,7 +448,7 @@
     /* don't need these any longer */
     memset(qlogin, 0, strlen(qlogin));
     free(qlogin);
-    memset(qpass, 0, strlen(qlogin));
+    memset(qpass, 0, strlen(qpass));
     free(qpass);

     /* read and parse the LOGIN response */
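Review bot: The wipe-and-free sequence on qlogin and qpass here is a copy of the one in the writev error path, and both copies carried the same strlen(qlogin) slip, which points at the duplication as the root cause. A small static helper that takes one string, zeroes strlen() bytes of it and frees it would leave a single argument to get right at each call site and make this class of copy/paste error impossible.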
