Bug #1093

segmentation fault when using ldap-authentication on 64bit machines

Added by Anonymous 653 days ago. Updated 128 days ago.

Status:Fixed Start:
Priority:Normal Due date:
Assigned to:- % Done:

0%
Category:mod_auth
Target version:-
Pending:

No

 Resolution:

fixed

Description

What you see:
lighttpd segfaults when trying to authenticate someone against ldap.
This is on a x86_64 architecture and using a gcc with PIE & SSP. Although all 64bit architectures may be affected.

For whatever reason, gcc generates this warning here:

mod_auth.c: In function `auth_ldap_init':
mod_auth.c:581: warning: implicit declaration of function `ldap_init'
mod_auth.c:581: warning: assignment makes pointer from integer without a cast
...
http_auth.c: In function `http_auth_basic_password_compare':
http_auth.c:746: warning: implicit declaration of function `ldap_search_s'
http_auth.c:778: warning: implicit declaration of function `ldap_init'
http_auth.c:778: warning: assignment makes pointer from integer without a cast
...
(and some more from the same kind but they don't matter here)

Gcc now assumes that ldap_init returns an int, but it returns a pointer to an LDAP structure instead.
The next function using this pointer segfaults and explains the corrupted stack I saw in the backtrace.

It seems that all versions are affected. Attached is a patch which applies to 1.4.13 and explicitly declares the function in http_auth.h.

The ldap-stuff in mod_auth should definetely be rewritten since it uses many deprecated functions and lacks some functionality (use multiple ldap-servers for example).

-- dev-zero

04_all_lighttpd-1.4.13-auth-ldap-segfault.diff - Patch to fix the segfault -- dev-zero (577 Bytes) Anonymous, 03/26/2007 12:28 PM

04_all_lighttpd-1.4.13-deprecated-ldap-api.diff - And here's therefore a new patch which does exactly this (thanks to Cardoe again :) -- dev-zero (502 Bytes) Anonymous, 03/26/2007 02:16 PM

lighttpd-1.4.13-ldap-auth.2.patch - Attached the wrong copy. This is the correct version. However, it does change the way the config file behavior works for LDAP authentication so the previous patch provided by dev-zero is more desirable for 1.4. However reworking the ldap section for 1.5 m (1.2 KB) Anonymous, 03/26/2007 02:34 PM

lighttpd-1.4.13-ldap-auth.3.patch - Firefox must be caching something... -- cardoe (1.2 KB) Anonymous, 03/26/2007 02:35 PM

lighttpd-1.4.13-ldap-auth.4.patch - Let's try totally killing firefox... -- cardoe (1.2 KB) Anonymous, 03/26/2007 02:37 PM

lighttpd-1.4.13-ldap-auth.patch - Proper patch for ldap_init functions. -- cardoe (502 Bytes) Anonymous, 03/26/2007 02:25 PM

History

03/26/2007 01:00 PM - darix

the patch is the wrong solution

either compile wiht -DLDAP_DEPRECATED or use a patch that really adapts to the new openldap api.

http://en.opensuse.org/OpenLDAP_2.3_libldap_upgrade_howto

03/26/2007 02:00 PM - Anonymous

Jup, Cardoe told me the same :)

-- dev-zero

03/26/2007 02:38 PM - Anonymous

09/02/2008 12:17 AM - stbuehler

  • Status changed from New to Fixed
  • Resolution set to fixed

I don't think that patch really uses the new api? segfault got fixed.

Also available in: Atom PDF