Package: cyrus-sasl2
Version: 2.1.26.dfsg1-12
Severity: normal
Tags: patch
Under certain conditions (server load? memory pressure?) it was possible
for responses from saslauthd to get lost. The client library sends data
and waits for a response. The server sends a response and immediately
closes the connection without waiting for the connection to flush. The
pending response can get lost (kernel throws it away), leaving the
client to error out with "size read failed". The solution is for the
server to more carefully shut down the socket and wait for the client
to close the connection.
-Kees
--
Kees Cook @debian.org
Index: cyrus-sasl2-2.1.26.dfsg1/saslauthd/ipc_unix.c
===================================================================
--- cyrus-sasl2-2.1.26.dfsg1.orig/saslauthd/ipc_unix.c 2012-01-27 15:31:36.000000000 -0800
+++ cyrus-sasl2-2.1.26.dfsg1/saslauthd/ipc_unix.c 2015-02-07 02:09:41.432110469 -0800
@@ -217,6 +217,7 @@
int rc;
int conn_fd;
+ unsigned char dummy;
while(1) {
@@ -261,6 +262,8 @@
}
do_request(conn_fd);
+ shutdown(conn_fd, SHUT_WR);
+ while (read(conn_fd, &dummy, 1) > 0) { }
close(conn_fd);
if(flags & DETACH_TTY) {
@@ -275,6 +278,8 @@
* Normal prefork mode.
*************************************************************/
do_request(conn_fd);
+ shutdown(conn_fd, SHUT_WR);
+ while (read(conn_fd, &dummy, 1) > 0) { }
close(conn_fd);
}
