Package: squid3
Version: 3.1.20-2.2+deb7u2
Followup-For: Bug #695004
Dear Luigi,
I had previously commented on bug #486211, and I don't know if they are the
same, but surely the trouble came from 'external_acl'.
In that comment I said that of two similar systems, one showed the trouble and
the other did not: clearly, only on the troubled one had I defined my 'skype' ACL...
I use an ACL to prevent Skype use, except for some hosts (with fixed IPs) or
some users (by group membership).
My configuration is:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=SANVITO --require-membership-of="SANVITO\\domusers"
auth_param ntlm children 5
external_acl_type check_ntgroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
acl auth_required proxy_auth REQUIRED
acl CONNECT method CONNECT
acl block_skype url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl users_skype external check_ntgroup ispac ced dirammre
acl skype src "/etc/squid3/lists/skype.list"
acl apertura time MTWHF 08:00-18:00
http_access allow CONNECT block_skype apertura skype
http_access allow CONNECT block_skype apertura auth_required users_skype
http_access deny CONNECT block_skype apertura
With this setup, every time I try to access Skype (or, indeed, an https site
using an IP literal) squid requires me to authenticate, seems to accept it, but
refuses to connect.
After testing all the pieces (e.g. /usr/bin/ntlm_auth and
/usr/lib/squid3/wbinfo_group.pl) and finding them working, I finally
correlated the missing access with the SIGSEGV, finding it fully
reproducible.
So, I tried substituting the ACL:
http_access allow CONNECT block_skype apertura auth_required users_skype
with:
http_access allow CONNECT block_skype apertura auth_required
and now Skype works, and squid does not SIGSEGV.
Setting debug to 9 for external ACL, I can see in cache.log:
2015/01/21 16:41:07.920| aclMatchExternal: acl="check_ntgroup"
2015/01/21 16:41:07.920| aclMatchExternal: check_ntgroup("gaio ispac ced dirammre") = lookup needed
2015/01/21 16:41:07.920| aclMatchExternal: "gaio ispac ced dirammre": entry=@0, age=0
2015/01/21 16:41:07.920| aclMatchExternal: "gaio ispac ced dirammre": queueing a call.
2015/01/21 16:41:07.920| aclMatchExternal: "gaio ispac ced dirammre": return -1.
2015/01/21 16:41:07.920| externalAclLookup: lookup in 'check_ntgroup' for 'gaio ispac ced dirammre'
2015/01/21 16:41:07.920| externalAclLookup: looking up for 'gaio ispac ced dirammre' in 'check_ntgroup'.
2015/01/21 16:41:07.920| externalAclLookup: will wait for the result of 'gaio ispac ced dirammre' in 'check_ntgroup' (ch=0x7fc85b0128c8).
2015/01/21 16:41:07.997| externalAclHandleReply: reply="OK"
2015/01/21 16:41:07.997| external_acl_cache_add: Adding 'gaio ispac ced dirammre' = 1
2015/01/21 16:41:07.997| aclMatchExternal: acl="check_ntgroup"
2015/01/21 16:41:07.997| aclMatchExternal: check_ntgroup = 1
2015/01/21 16:41:11| Starting Squid Cache version 3.1.20 for x86_64-pc-linux-gnu...
So squid runs the external ACL script correctly and only AFTER that hangs.
Trying to put all ACLs in debug mode, I hit:
2015/01/21 17:24:05.849| ACL::FindByName 'users_skype'
2015/01/21 17:24:05.849| ACLChecklist::asyncInProgress: 0x7f330a6df098 async set to 1
2015/01/21 17:24:05.849| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=1 lastACLResult() = 0 finished() = 0
2015/01/21 17:24:05.926| ACLChecklist::asyncInProgress: 0x7f330a6df098 async set to 0
2015/01/21 17:24:05.926| ACLChecklist::preCheck: 0x7f330a6df098 checking 'http_access allow CONNECT block_skype apertura auth_required users_skype'
2015/01/21 17:24:05.926| ACLList::matches: checking CONNECT
2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'CONNECT'
2015/01/21 17:24:05.926| ACL::ChecklistMatches: result for 'CONNECT' is 1
2015/01/21 17:24:05.926| ACLList::matches: result is true
2015/01/21 17:24:05.926| ACLList::matches: checking block_skype
2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'block_skype'
2015/01/21 17:24:05.926| aclRegexData::match: checking '151.49.25.89:443'
2015/01/21 17:24:05.926| aclRegexData::match: looking for '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
2015/01/21 17:24:05.926| aclRegexData::match: match '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' found in '151.49.25.89:443'
2015/01/21 17:24:05.926| ACL::ChecklistMatches: result for 'block_skype' is 1
2015/01/21 17:24:05.926| ACLList::matches: result is true
2015/01/21 17:24:05.926| ACLList::matches: checking apertura
2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'apertura'
2015/01/21 17:24:05.926| aclMatchTime: checking 1044 in 0-0, weekbits=0
2015/01/21 17:24:05.926| aclMatchTime: checking 1044 in 480-1080, weekbits=3e
2015/01/21 17:24:05.926| ACL::ChecklistMatches: result for 'apertura' is 1
2015/01/21 17:24:05.926| ACLList::matches: result is true
2015/01/21 17:24:05.926| ACLList::matches: checking auth_required
2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'auth_required'
2015/01/21 17:24:05.926| ACL::cacheMatchAcl: cache hit on acl 'auth_required' (0x7f32fb25b090)
2015/01/21 17:24:05.926| ACL::ChecklistMatches: result for 'auth_required' is 1
2015/01/21 17:24:05.926| ACLList::matches: result is true
2015/01/21 17:24:05.926| ACLList::matches: checking users_skype
2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'users_skype'
2015/01/21 17:24:05.926| ACL::ChecklistMatches: result for 'users_skype' is 1
2015/01/21 17:24:05.926| ACLList::matches: result is true
2015/01/21 17:24:05.926| aclmatchAclList: 0x7f330a6df098 returning true (AND list satisfied)
2015/01/21 17:24:05.926| ACLChecklist::markFinished: 0x7f330a6df098 checklist processing finished
2015/01/21 17:24:05.926| ACLChecklist::check: 0x7f330a6df098 match found, calling back with 1
2015/01/21 17:24:05.926| ACLFilledChecklist::checkCallback: 0x7f330a6df098 answer=1
2015/01/21 17:24:05.926| ACLChecklist::checkCallback: 0x7f330a6df098 answer=1
2015/01/21 17:24:05.926| FilledChecklist.cc(168) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7f330a6df098
2015/01/21 17:24:05.926| ACLChecklist::~ACLChecklist: destroyed 0x7f330a6df098
2015/01/21 17:24:05.927| ACLChecklist::preCheck: 0x7f330a6df098 checking 'adaptation_access class_av_req deny CONNECT'
2015/01/21 17:24:05.927| ACLList::matches: checking CONNECT
2015/01/21 17:24:05.927| ACL::checklistMatches: checking 'CONNECT'
2015/01/21 17:24:05.927| ACL::ChecklistMatches: result for 'CONNECT' is 1
2015/01/21 17:24:05.927| ACLList::matches: result is true
2015/01/21 17:24:05.927| aclmatchAclList: 0x7f330a6df098 returning true (AND list satisfied)
2015/01/21 17:24:05.927| ACLChecklist::markFinished: 0x7f330a6df098 checklist processing finished
2015/01/21 17:24:05.927| ACLChecklist::check: 0x7f330a6df098 match found, calling back with 0
2015/01/21 17:24:05.927| ACLFilledChecklist::checkCallback: 0x7f330a6df098 answer=0
2015/01/21 17:24:05.927| ACLChecklist::checkCallback: 0x7f330a6df098 answer=0
2015/01/21 17:24:05.927| FilledChecklist.cc(168) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7f330a6df098
2015/01/21 17:24:05.927| ACLChecklist::~ACLChecklist: destroyed 0x7f330a6df098
2015/01/21 17:24:08| Starting Squid Cache version 3.1.20 for x86_64-pc-linux-gnu...
I hope that this info will be useful. And I'm seeking your feedback...
NOTE that this setup, practically with no change, worked in squeeze
(squid 3.1.6-1.2+squeeze4).
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages squid3 depends on:
ii adduser 3.113+nmu3
ii libc6 2.13-38+deb7u6
ii libcap2 1:2.22-1.2
ii libcomerr2 1.42.5-1.1
ii libdb5.1 5.1.29-5
ii libexpat1 2.1.0-1+deb7u1
ii libgcc1 1:4.7.2-5
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
ii libk5crypto3 1.10.1+dfsg-5+deb7u2
ii libkrb5-3 1.10.1+dfsg-5+deb7u2
ii libldap-2.4-2 2.4.31-1+nmu2
ii libltdl7 2.4.2-1.1
ii libpam0g 1.1.3-7.1
ii libsasl2-2 2.1.25.dfsg1-6+deb7u1
ii libstdc++6 4.7.2-5
ii libxml2 2.8.0+dfsg1-7+wheezy2
ii logrotate 3.8.1-4
ii lsb-base 4.1+Debian8+deb7u1
ii netbase 5.0
ii squid3-common 3.1.20-2.2+deb7u2
squid3 recommends no packages.
Versions of packages squid3 suggests:
pn resolvconf <none>
ii smbclient 2:3.6.6-6+deb7u4
pn squid-cgi <none>
ii squidclient 3.1.20-2.2+deb7u2
pn ufw <none>
-- Configuration Files:
/etc/squid3/squid.conf changed [not included]
-- no debconf information
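
The correlation described in the report (a "Starting Squid Cache" banner appearing right after an ACL evaluation, with no shutdown in between) can be automated. The following is an added example, not part of the original report or of Squid: the function names are hypothetical, the "Exiting normally" shutdown marker is an assumption about Squid's log text, and the last two sample lines are constructed.

```python
import re
# A cache.log record starts with a timestamp; any other line is a wrapped continuation.
TS = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\|")
RULE = re.compile(r"ACLChecklist::preCheck: \S+ checking\s+'([^']+)'")
BANNER = "Starting Squid Cache version"
CLEAN_EXIT = "Exiting normally"  # assumption: text Squid logs on an orderly shutdown

def unwrap(lines):
    """Rejoin records that mail or terminal wrapping split across lines."""
    records = []
    for line in lines:
        line = line.strip()
        if TS.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def restarts(lines, keep=3):
    """One dict per restart: banner time, clean-exit flag, last `keep` rules checked."""
    found, rules, clean, seen = [], [], False, False
    for rec in unwrap(lines):
        rule = RULE.search(rec)
        if rule:
            rules.append(rule.group(1))
        elif CLEAN_EXIT in rec:
            clean = True
        elif BANNER in rec:
            if seen:  # a banner with nothing before it is just the initial start
                ts = TS.match(rec)
                found.append({"time": ts.group(1) if ts else None,
                              "clean": clean, "rules": rules[-keep:]})
            rules, clean = [], False
        seen = True
    return found

# First six lines copied from the report's log (still wrapped); last two are constructed.
SAMPLE = """\
2015/01/21 17:24:05.926| ACLChecklist::preCheck: 0x7f330a6df098 checking
'http_access allow CONNECT block_skype apertura auth_required users_skype'
2015/01/21 17:24:05.927| ACLChecklist::preCheck: 0x7f330a6df098 checking
'adaptation_access class_av_req deny CONNECT'
2015/01/21 17:24:08| Starting Squid Cache version 3.1.20 for
x86_64-pc-linux-gnu...
2015/01/21 18:00:00| Squid Cache (Version 3.1.20): Exiting normally.
2015/01/21 18:00:03| Starting Squid Cache version 3.1.20 for x86_64-pc-linux-gnu...
"""
if __name__ == "__main__":
    print(restarts(SAMPLE.splitlines()))
```

A restart reported with clean set to False, whose rule list ends in the same access rules every time, points at the ACL path to bisect, as was done by hand above.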