  1. Shibboleth SP - C++
  2. SSPCPP-705

Segfault on missing "attributes" value in AttributeChecker handler

    Details

    • Operating System: Multiple
    • CPU Type: Multiple
    • C/C++ Compiler: Multiple
    • Web Server: Multiple

      Description

      A bit of a silly edge case, but in the SP, if you configure an AttributeChecker handler but don't specify a value for the "attributes" attribute (or omit it) nor for any attribute that ReloadableXMLFile recognizes, Shibboleth will segfault at startup due to a null pointer dereference.

      To reproduce, add:

      <Handler type="AttributeChecker" Location="/AttributeChecker" template="attrChecker.html"/>

      to the <Session> element in shibboleth2.xml, and restart the webserver.

      GDB indicates that the crash is due to XMLAccessControl::background_load() assuming that 'raw.second' is non-null. When no value for 'attributes' is given, AttributeCheckerHandler's constructor spawns an XMLAccessControl instance in m_acl. The constructor for XMLAccessControl calls background_load(), in which the call to ReloadableXMLFile::load() returns a (false, nullptr) pair.

      Thread 1 "apache2" received signal SIGSEGV, Segmentation fault.
      0x00007ffff0158a6a in shibsp::XMLAccessControl::background_load (this=0x555555a51ea0) at impl/XMLAccessControl.cpp:417
      
      (gdb) bt
      #0  shibsp::XMLAccessControl::background_load (this=0x555555a51eb0) at impl/XMLAccessControl.cpp:417
      #1  0x00007ffff0159526 in shibsp::XMLAccessControl::XMLAccessControl (this=0x555555a51eb0, e=0x555555a50f68, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at impl/XMLAccessControl.cpp:115
      #2  0x00007ffff0154bfe in shibsp::XMLAccessControlFactory (e=@0x7fffffffd2f0: 0x555555a50f68) at impl/XMLAccessControl.cpp:137
      #3  0x00007ffff0461acc in xmltooling::PluginManager<shibsp::AccessControl, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, xercesc_3_1::DOMElement const*>::newPlugin (
          this=0x7ffff042e150 <shibsp::g_config+16>, type="XML", p=@0x7fffffffd2f0: 0x555555a50f68) at /home/vmuser/shibsp-fuzz/install/include/xmltooling/PluginManager.h:99
      #4  0x00007ffff0114886 in shibsp::AttributeCheckerHandler::AttributeCheckerHandler (this=0x555555a4be80, e=0x555555a50f68, appId=0x555555ad9cf0 "default", __in_chrg=<optimized out>,
          __vtt_parm=<optimized out>) at handler/impl/AttributeCheckerHandler.cpp:132
      #5  0x00007ffff0113dac in shibsp::AttributeCheckerFactory (p=...) at handler/impl/AttributeCheckerHandler.cpp:104
      #6  0x00007ffff011b5c6 in xmltooling::PluginManager<shibsp::Handler, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<xercesc_3_1::DOMElement const*, char const
      *> >::newPlugin (this=0x7ffff042e1e0 <shibsp::g_config+160>, type="AttributeChecker", p=...) at /home/vmuser/shibsp-fuzz/install/include/xmltooling/PluginManager.h:99
      #7  0x00007ffff016fd02 in (anonymous namespace)::XMLApplication::doHandlers (this=0x555555ad9d10, pp=0x555555ada5d0, e=0x555555a4ded0, log=...) at impl/XMLServiceProvider.cpp:1067
      #8  0x00007ffff016c87c in (anonymous namespace)::XMLApplication::XMLApplication (this=0x555555ad9d10, sp=0x555555a63880, pp=0x555555ada5d0, e=0x555555a4ded0, base=0x0, __in_chrg=<optimized out>,
          __vtt_parm=<optimized out>) at impl/XMLServiceProvider.cpp:637
      #9  0x00007ffff017951c in (anonymous namespace)::XMLConfigImpl::XMLConfigImpl (this=0x555555aa0ec0, e=0x555555a4d0e8, first=true, outer=0x555555a63880, log=..., __in_chrg=<optimized out>,
          __vtt_parm=<optimized out>) at impl/XMLServiceProvider.cpp:2242
      #10 0x00007ffff0179e63 in (anonymous namespace)::XMLConfig::background_load (this=0x555555a63880) at impl/XMLServiceProvider.cpp:2396
      #11 0x00007ffff016a16c in (anonymous namespace)::XMLConfig::init (this=0x555555a63880) at impl/XMLServiceProvider.cpp:341
      
      (gdb) p raw
      $1 = {first = false, second = 0x0}
      (gdb) p *this
      $2 = {<shibsp::AccessControl> = {<xmltooling::Lockable> = {_vptr.Lockable = 0x7ffff041f850 <vtable for shibsp::XMLAccessControl+48>}, <No data fields>}, <xmltooling::ReloadableXMLFile> = {
          m_root = 0x555555a50f58, m_local = true, m_validate = false, m_source = "", m_backing = "", m_filestamp = 0, m_reloadInterval = 0, m_cacheTag = "", m_lock = 0x0, m_log = @0x555555a52140,
          m_id = "", m_loaded = false, m_shutdown = false, m_reload_wait = 0x0, m_reload_thread = 0x0}, m_rootAuthz = {px = 0x0}} 
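
The unchecked-pair pattern behind this crash, next to a checked form, as an added example that is not Shibboleth code and not the project's fix. `Element`, `load()`, the `path` source attribute and the error text are hypothetical stand-ins; the sample handler mirrors the one in the report.

```cpp
#include <map>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical stand-in for a parsed DOM element (not the Xerces type).
struct Element {
    std::string name;
    std::map<std::string, std::string> attrs;
};

// Simplified model of a loader returning (owned-flag, root). When the
// configuring element names no source it recognizes, it yields
// (false, nullptr), the pair that `p raw` shows in the report.
std::pair<bool, const Element*> load(const Element& cfg, const Element* parsed) {
    auto it = cfg.attrs.find("path");  // "path" is an assumed source attribute
    if (it == cfg.attrs.end() || it->second.empty())
        return {false, nullptr};
    return {false, parsed};
}

// Unchecked pattern: uses raw.second without testing it.
std::string root_name_unchecked(const Element& cfg, const Element* parsed) {
    auto raw = load(cfg, parsed);
    return raw.second->name;           // null dereference on (false, nullptr)
}

// Checked pattern: turn the empty result into a configuration error
// that can be logged at startup instead of crashing the web server.
std::string root_name_checked(const Element& cfg, const Element* parsed) {
    auto raw = load(cfg, parsed);
    if (!raw.second)
        throw std::runtime_error("AccessControl: no usable configuration source");
    return raw.second->name;
}

// Constructed sample: the handler element from the report, no "attributes".
Element report_handler() {
    return Element{"Handler", {{"type", "AttributeChecker"},
                               {"Location", "/AttributeChecker"},
                               {"template", "attrChecker.html"}}};
}

// True when the checked path rejects the configuration.
bool rejects(const Element& cfg, const Element* parsed) {
    try { root_name_checked(cfg, parsed); return false; }
    catch (const std::runtime_error&) { return true; }
}
```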
      

            People

            Assignee:
            rdw@iay.org.uk Rod Widdowson
            Reporter:
            vtsji@unitedid.org vtsji@unitedid.org

                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 3h