Skip to content

segmentation fault in ngx_http_auth_ldap_ssl_handshake_handler with ssl_check_cert and ssl_ca_dir #236

Open
@mmguero

Description

@mmguero

My config file looks like this:

ldap_server ad_server {
  url "ldaps://192.168.0.73:636/DC=local,DC=lan?uid?sub?(objectClass=posixAccount)";
  ssl_check_cert on;
  ssl_ca_dir /var/run/ca-trust;

  binddn "xxxxxxxxxx";
  binddn_passwd "xxxxxxxxxx";

  require valid_user;
}

When I remove the ssl_ stuff, it works fine. With it in, however, I get:

...
[alert] 360#360: worker process 405 exited on signal 11
...

Putting things up in GDB, I see the segfault here, in ngx_http_auth_ldap_ssl_handshake_handler:

1340│           if (!addr_verified) { // domain not in cert? try IP
1341│             size_t len; // get IP length
1342├───────────> if (conn->sockaddr->sa_family == 4) len = 4;
1343│             else if (conn->sockaddr->sa_family == 6) len = 16;
1344│             else { // very unlikely indeed
1345│               ngx_http_auth_ldap_close_connection(c);
1346│               return;
1347│             }
1348│             addr_verified = X509_check_ip(cert, (const unsigned char*)conn->sockaddr->sa_data, len, 0);
1349│           }
(gdb) print *conn
$3 = {data = 0x55bdc4c27ff0, read = 0x55bdc4c2c0a0, write = 0x55bdc4c440c0, fd = 21, recv = 0x55bdc45e2078 <ngx_ssl_recv>, send = 0x55bdc45e26f5 <ngx_ssl_write>, recv_chain = 0x55bdc45e2647 <
ngx_ssl_recv_chain>, send_chain = 0x55bdc45e3046 <ngx_ssl_send_chain>, listening = 0x0, sent = 0, log = 0x55bdc4b70ec8, pool = 0x55bdc4b70e60, type = 1, sockaddr = 0x0, socklen = 0, addr_text
 = {len = 0, data = 0x0}, proxy_protocol = 0x0, ssl = 0x55bdc4c28228, udp = 0x0, local_sockaddr = 0x0, local_socklen = 0, buffer = 0x0, queue = {prev = 0x0, next = 0x0}, number = 1, requests
= 0, buffered = 0, log_error = 1, timedout = 0, error = 0, destroyed = 0, idle = 0, reusable = 0, close = 0, shared = 0, sendfile = 1, sndlowat = 0, tcp_nodelay = 0, tcp_nopush = 0, need_last
_buf = 0, busy_count = 0, sendfile_task = 0x0}

So conn->sockaddr is 0x0, hence the segfault.

Let me know if you need more information. This is running in a docker container (Dockerfile) and was discovered as I was working on an enhancement for my project, idaholab/Malcolm#128

Here's the backtrace into the function:

(gdb) bt
#0  ngx_http_auth_ldap_ssl_handshake_handler (conn=0x7f9260474590, validate=validate@entry=1) at /usr/src/nginx-auth-ldap/ngx_http_auth_ldap_module.c:1326
#1  0x000055aefc148ecf in ngx_http_auth_ldap_ssl_handshake_validating_handler (conn=<optimized out>) at /usr/src/nginx-auth-ldap/ngx_http_auth_ldap_module.c:1383
#2  0x000055aefc09dccf in ngx_ssl_handshake_handler (ev=0x55aefcf530a0) at src/event/ngx_event_openssl.c:1890
#3  0x000055aefc0983ee in ngx_epoll_process_events (cycle=0x55aefce97eb0, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:901
#4  0x000055aefc08c5e9 in ngx_process_events_and_timers (cycle=cycle@entry=0x55aefce97eb0) at src/event/ngx_event.c:247
#5  0x000055aefc096104 in ngx_worker_process_cycle (cycle=0x55aefce97eb0, data=<optimized out>) at src/os/unix/ngx_process_cycle.c:750
#6  0x000055aefc09443d in ngx_spawn_process (cycle=cycle@entry=0x55aefce97eb0, proc=proc@entry=0x55aefc095fdd <ngx_worker_process_cycle>, data=data@entry=0x0, name=name@entry=0x55aefc14e746 "
worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:199
#7  0x000055aefc095094 in ngx_start_worker_processes (cycle=cycle@entry=0x55aefce97eb0, n=1, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:359
#8  0x000055aefc096a17 in ngx_master_process_cycle (cycle=0x55aefce97eb0) at src/os/unix/ngx_process_cycle.c:131
#9  0x000055aefc06b097 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:382

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions