Bug#815208: sasl2-bin: auth_rimap infinite loop (hang) when IMAP server closes connection

Jered Floyd jered at convivian.com
Sat Feb 20 03:38:27 UTC 2016 

Package: sasl2-bin
Version: 2.1.26.dfsg1-13+deb8u1jf1
Severity: important
Tags: upstream patch

Dear Maintainer,

I run Zimbra Collaboration Server (ZCS 8.5.x) which send a BYE and closes the connection on failed authentication.  This causes auth_rimap to go into an infinite loop as its criteria for if data is available on the socket is incorrect.

This bug was introduced by the patch for upstream bug #3211, included in cyrus-sasl2 2.1.26.  The while() loop at auth_rimap.c:607 (line #496 upstream) has incorrect exit criteria -- if the socket is closed and the fd is at EOF the loop will not exit.

A patch is attached, which I have tested and confirmed resolves the issue.  This patch stacks onto cyrus-sasl2_2.1.26.dfsg1-13+deb8u1.

I have submitted this bug and patch upstream, and it is tracked as bug #3920: https://bugzilla.cyrusimap.org/show_bug.cgi?id=3920

Sample IMAP exchange:
  S:   * OK IMAP4 ready
  C:   saslauthd LOGIN "test" "test"
  S:   saslauthd NO LOGIN failed
  S:   * BYE Zimbra IMAP server terminating connection
  Server closes connection

Sample strace:
  alarm(30)                               = 0
  read(12, "* OK IMAP4 ready\r\n", 1000)  = 18
  alarm(0)                                = 30
  select(13, [12], NULL, NULL, {1, 0})    = 0 (Timeout)
  sendto(4, "<39>Feb 19 21:20:24 saslauthd[55"..., 100, MSG_NOSIGNAL, NULL, 0) = 100
  alarm(30)                               = 0
  writev(12, [{"saslauthd LOGIN ", 16}, {"\"test\"", 6}, {" ", 1}, {"\"test\"", 6}, {"\r\n", 2}], 5) = 31
  alarm(0)                                = 30
  alarm(30)                               = 0
  read(12, "saslauthd NO LOGIN failed\r\n", 1000) = 27
  alarm(0)                                = 20
  select(13, [12], NULL, NULL, {1, 0})    = 1 (in [12], left {0, 999831})
  read(12, "* BYE Zimbra IMAP server termina"..., 973) = 49
  select(13, [12], NULL, NULL, {0, 999831}) = 1 (in [12], left {0, 999719})
  read(12, "", 924)                       = 0
  select(13, [12], NULL, NULL, {0, 999719}) = 1 (in [12], left {0, 999717})
  read(12, "", 924)                       = 0
  select(13, [12], NULL, NULL, {0, 999717}) = 1 (in [12], left {0, 999715})
etc.

Regards,
--Jered



-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sasl2-bin depends on:
ii  db-util                5.3.0
ii  debconf [debconf-2.0]  1.5.56
ii  libc6                  2.19-18+deb8u3
ii  libcomerr2             1.42.12-1.1
ii  libdb5.3               5.3.28-9
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libk5crypto3           1.12.1+dfsg-19+deb8u2
ii  libkrb5-3              1.12.1+dfsg-19+deb8u2
ii  libldap-2.4-2          2.4.40+dfsg-1+deb8u2
ii  libpam0g               1.1.8-3.1+deb8u1
ii  libsasl2-2             2.1.26.dfsg1-13+deb8u1jf1
ii  libssl1.0.0            1.0.1k-3+deb8u2

sasl2-bin recommends no packages.

sasl2-bin suggests no packages.

-- Configuration Files:
/etc/default/saslauthd changed [not included]

-- debconf information excluded
-------------- next part --------------
A non-text attachment was scrubbed...
Name: auth_rimap_socket_closed.patch
Type: text/x-diff
Size: 698 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cyrus-sasl2-debian-devel/attachments/20160219/b227c831/attachment.patch>

More information about the Pkg-cyrus-sasl2-debian-devel mailing list