libkdexoauth2.so causes segfault in postfix smtp during xoauth2 SASL authentication
```
(gdb) bt
#0 xsasl_cyrus_client_get_passwd (conn=0x55b2ee539630, context=0x4004, id=-761575872, psecret=0x0) at xsasl_cyrus_client.c:197
#1 0x00007f6a3d75cf44 in _plug_get_simple (utils=utils@entry=0x55b2ee54e3b0, id=id@entry=16388, required=required@entry=1, result=result@entry=0x7ffed29b4640, prompt_need=prompt_need@entry=0x0) at ./src/saslplugin/plugin_common.c:373
[snip]
(gdb) up
#1 0x00007f6a3d75cf44 in _plug_get_simple (utils=utils@entry=0x55b2ee54e3b0, id=id@entry=16388, required=required@entry=1, result=result@entry=0x7ffed29b4640, prompt_need=prompt_need@entry=0x0) at ./src/saslplugin/plugin_common.c:373
373 ret = simple_cb(simple_context, id, result, NULL);
(gdb) print simple_context
$13 = (void *) 0x55b2ee539630
(gdb) print id
$14 = 16388
(gdb) print result
$15 = (const char **) 0x7ffed29b4640
```
Note how the caller (`libkdexoauth2.so`) is calling with:

- context
- id
- result
- null

but `xsasl_cyrus_client_get_passwd`'s signature is:

```c
sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret
```

which causes `id` to end up in `context` (and so on), then `context` gets promptly dereferenced and causes the segfault.
I believe the bug is in `xoauth2_client_mech_step`:

```c
/* We don't use _plug_get_password because we don't really care much about
   safety of the OAuth token */
token_result = _plug_get_simple(utils, SASL_CB_PASS, 1, &token, prompt_need);
```
The two functions are not interchangeable, because they invoke the application callback with different prototypes:

```c
int _plug_get_simple(const sasl_utils_t *utils, unsigned int id, int required,
                     const char **result, sasl_interact_t **prompt_need)
// ...
ret = simple_cb(simple_context, id, result, NULL);
```

vs

```c
int _plug_get_password(const sasl_utils_t *utils, sasl_secret_t **password,
                       unsigned int *iscopy, sasl_interact_t **prompt_need)
// ...
ret = pass_cb(utils->conn, pass_context, SASL_CB_PASS, password);
```
Also, the type of the returned value is incompatible: the former returns a `char *`, the latter a `sasl_secret_t *`.
If this code works against some SASL client, that suggests the client implements the `SASL_CB_PASS` callback with a similarly incorrect signature, and fixing this code may break that client.
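The argument shuffle described above, and the way the token should instead be fetched through the `SASL_CB_PASS` callback, as an added C example that is not part of this report, of libkdexoauth2 or of Cyrus SASL: the two callback prototypes and the `SASL_CB_PASS` value mirror sasl.h, while `view_as_getsecret`, `demo_getsecret`, `get_oauth_token` and the SysV x86-64 register mapping are assumptions made for illustration.

```c
/* Added example, not from libkdexoauth2 or Cyrus SASL. The two callback
 * prototypes and SASL_CB_PASS mirror sasl.h; everything else is constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SASL_OK      0
#define SASL_FAIL   -1
#define SASL_CB_PASS 0x4004                 /* 16388, the id seen in the gdb frame */
typedef struct sasl_conn sasl_conn_t;
typedef struct { unsigned long len; unsigned char data[1]; } sasl_secret_t;
/* SASL_CB_PASS prototype: what postfix's xsasl_cyrus_client_get_passwd implements */
typedef int sasl_getsecret_t(sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret);
/* SASL_CB_USER/AUTHNAME prototype: what _plug_get_simple assumes it is calling */
typedef int sasl_getsimple_t(void *context, int id, const char **result, unsigned *len);
/* (1) Argument shuffle. Assumes the SysV x86-64 ABI: the first four integer/pointer
 * arguments ride in rdi, rsi, rdx, rcx whatever the prototype says, so a sasl_getsecret_t
 * reached through the sasl_getsimple_t prototype sees each argument one slot to the left.
 * Computed here rather than by making the undefined call. */
struct shifted { sasl_conn_t *conn; void *context; int id; sasl_secret_t **psecret; };
struct shifted view_as_getsecret(void *simple_context, int id, const char **result) {
    struct shifted s;
    s.conn    = (sasl_conn_t *)simple_context;      /* rdi: context -> conn */
    s.context = (void *)(uintptr_t)(unsigned)id;    /* rsi: id (0x4004) -> context */
    s.id      = (int)(uint32_t)(uintptr_t)result;   /* rdx: low 32 bits of result -> id */
    s.psecret = NULL;                               /* rcx: NULL -> psecret, later dereferenced */
    return s;
}
/* (2) Constructed stand-in for the application's SASL_CB_PASS callback; in this model
 * it returns a malloc'd sasl_secret_t that the caller frees. */
static int demo_getsecret(sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret) {
    (void)conn;
    const char *token = context;
    if (id != SASL_CB_PASS || psecret == NULL) return SASL_FAIL;
    size_t n = strlen(token);
    sasl_secret_t *s = malloc(sizeof *s + n);
    if (s == NULL) return SASL_FAIL;
    s->len = n;
    memcpy(s->data, token, n + 1);
    *psecret = s;
    return SASL_OK;
}
/* How the mech step should fetch the token: through the sasl_getsecret_t prototype, as
 * _plug_get_password does, then copy the bytes out of the sasl_secret_t into a C string. */
char *get_oauth_token(sasl_getsecret_t *pass_cb, void *pass_context) {
    sasl_secret_t *secret = NULL;
    if (pass_cb(NULL, pass_context, SASL_CB_PASS, &secret) != SASL_OK || secret == NULL)
        return NULL;
    char *tok = malloc(secret->len + 1);
    if (tok != NULL) { memcpy(tok, secret->data, secret->len); tok[secret->len] = '\0'; }
    free(secret);
    return tok;
}
```

Feeding `view_as_getsecret` the three values printed by gdb reproduces the crashing frame exactly: `context=0x4004`, `id=-761575872`, `psecret=0x0`.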