Uploaded image for project: 'Shibboleth SP - C++'
  1. Shibboleth SP - C++
  2. SSPCPP-711

Shibd segfaults when applying regexp scope filter with noncapturing groups

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.6.1
    • Labels:
      None
    • Environment:

      CentOS 6 x86_64, Apache 2.2, shibboleth-2.6.0-2.1.x86_64

    • Operating System:
      Linux
    • CPU Type:
      x86_64
    • C/C++ Compiler:
      Multiple
    • Web Server:
      Apache 2.2

      Description

      I have tried putting a regexp Scope into the metadata of one of my (TEST) IdPs. I was aiming for a regexp that would allow exactly two values - and looking at the syntax description at https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html I decided to go for non-capturing groups - because there's no need to capture the result. So I used:

      <shibmd:Scope regexp="true">^(?:canterbury.ac.nz|idp3test.ac.nz)$</shibmd:Scope>
      

      And when the SP got to verify the EPPN value received against this scope, it crashed.

      In the browser, I got:

      shibsp::ListenerException
      
      The system encountered an error at Thu Sep 15 09:27:22 2016
      
      To report this problem, please contact the site administrator at support@nesi.org.nz.
      
      Please include the following message in any email:
      
      shibsp::ListenerException at (https://wiki.test.bestgrid.org/Shibboleth.sso/SAML2/POST)
      
      Failure receiving response to remoted message (default/SAML2/POST).
      

      In shibd.log, when running with log4j.rootCategory=DEBUG, I got:

      2016-09-15 09:27:21 DEBUG Shibboleth.SSO.SAML2 [3]: extracting pushed attributes...
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeExtractor.XML [3]: unable to extract attributes, unknown XML object type: saml2p:Response
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeExtractor.XML [3]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeExtractor.XML [3]: unable to extract attributes, unknown XML object type: saml2:AuthnStatement
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeDecoder.String [3]: decoding SimpleAttribute (displayName) from SAML 2 Attribute (urn:oid:2.16.840.1.113730.3.1.241) with 1 value(s)
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeDecoder.String [3]: decoding SimpleAttribute (sn) from SAML 2 Attribute (urn:oid:2.5.4.4) with 1 value(s)
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeDecoder.String [3]: decoding SimpleAttribute (givenName) from SAML 2 Attribute (urn:oid:2.5.4.42) with 1 value(s)
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeDecoder.Scoped [3]: decoding ScopedAttribute (eppn) from SAML 2 Attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) with 1 value(s)
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeDecoder.String [3]: decoding SimpleAttribute (mail) from SAML 2 Attribute (urn:oid:0.9.2342.19200300.100.1.3) with 1 value(s)
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeFilter [3]: filtering 5 attribute(s) from (https://ng2dev.canterbury.ac.nz/idp/shibboleth)
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeFilter [3]: applying filtering rule(s) for attribute (mail) from (https://ng2dev.canterbury.ac.nz/idp/shibboleth)
      2016-09-15 09:27:21 DEBUG Shibboleth.AttributeFilter [3]: applying filtering rule(s) for attribute (eppn) from (https://ng2dev.canterbury.ac.nz/idp/shibboleth)
      

      and when also watching shibd with strace, I got:

      [pid 13195] stat("/etc/shibboleth/attribute-policy.xml", {st_mode=S_IFREG|0644, st_size=3266, ...}) = 0
      [pid 13195] write(4, "2016-09-15 09:27:21 DEBUG Shibbo"..., 137) = 137
      [pid 13195] lseek(4, 0, SEEK_END)       = 276799
      [pid 13195] write(4, "2016-09-15 09:27:21 DEBUG Shibbo"..., 160) = 160
      [pid 13195] lseek(4, 0, SEEK_END)       = 276959
      [pid 13195] write(4, "2016-09-15 09:27:21 DEBUG Shibbo"..., 160) = 160
      [pid 13195] lseek(4, 0, SEEK_END)       = 277119
      [pid 13195] fstat(2, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
      [pid 13195] ioctl(2, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7f0a9abfc5b0) = -1 ENOTTY (Inappropriate ioctl for device)
      [pid 13195] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0ab937e000
      [pid 13195] rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
      [pid 13195] write(2, "terminate called after throwing "..., 77) = 77
      [pid 13195] tgkill(13151, 13195, SIGABRT) = 0
      [pid 13195] --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=13151, si_uid=498} ---
      [pid 13195] +++ killed by SIGABRT (core dumped) +++
      [pid 13178] +++ killed by SIGABRT (core dumped) +++
      [pid 13157] +++ killed by SIGABRT (core dumped) +++
      [pid 13156] +++ killed by SIGABRT (core dumped) +++
      [pid 13155] +++ killed by SIGABRT (core dumped) +++
      [pid 13153] +++ killed by SIGABRT (core dumped) +++
      [pid 13152] +++ killed by SIGABRT (core dumped) +++
      [pid 13180] +++ killed by SIGABRT (core dumped) +++
      [pid 13158] +++ killed by SIGABRT (core dumped) +++
      [pid 13154] +++ killed by SIGABRT (core dumped) +++
      +++ killed by SIGABRT (core dumped) +++
      

      I'm running with the default /etc/shibboleth/attribute-policy.xml that applies ScopingRules to eppn and affiliation. When I commented out the rules for eppn, it segfaulted one step later at affilication.

      If I change the regexp to a capturing group:

      <shibmd:Scope regexp="true">^(canterbury.ac.nz|idp3test.ac.nz)$</shibmd:Scope>
      

      it works all fine.

      So I do have a workaround ... but segfaulting shibd looks quite bad...

      Happy to provide more testing, but I think the non-capturing group regexp should be enough to reproduce.

      Cheers,
      Vlad

        Attachments

          Activity

            People

            Assignee:
            rdw@iay.org.uk Rod Widdowson
            Reporter:
            tuakiriadmin-vmencl@virtualhome.tuakiri.ac.nz Vladimir Mencl
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 4 hours
                4h