PHP Legacy Driver / PHP-1537

Authentication errors on Atlas free tiers may segfault


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Won't Fix
    • Affects Version/s: 1.6.16
    • Fix Version/s: None
    • Component/s: pecl-mongo
    • Labels: None
    • # Replies: 1
    • Last comment by Customer: false

      Description

      Note: although this issue was discovered with Atlas free tier (M0), it's possible that it extends to other server types as well.

      mongo_connection_authenticate_saslstart() assumes that the "ok" field in command responses is a BSON double (type 0x01), which is typically the case for most server responses. On the Atlas free tier (M0), it appears that this may come back as a 32-bit integer (type 0x10) for some error cases.

      In my testing, I was able to capture the following raw server response (in hex):

      53000000106F6B0000000000026572726D7367001700000041757468656E7469636174696F6E206661696C65642E0010636F646500401F000002636F64654E616D65000B00000041746C61734572726F720000
      

      Using the bsonview tool from the BSON corpus test suite, this is dissected as:

       53000000 10 "ok" 00 00000000 02 "errmsg" 00 17000000 "Authentication\x20failed." 00 10 "code" 00 401F0000 02 "codeName" 00 0b000000 "AtlasError" 00 00
      

      Using ext-mongodb, the same BSON converts to the following PHP value:

      object(stdClass)#1 (4) {
        ["ok"]=>
        int(0)
        ["errmsg"]=>
        string(22) "Authentication failed."
        ["code"]=>
        int(8000)
        ["codeName"]=>
        string(10) "AtlasError"
      }
      

      This is problematic for a few reasons. It bypasses the only logic that would catch an authentication error and allows control to proceed to looking for the "conversationId" field, which does not exist. That leaves the out_payload and out_payload_len parameters uninitialized. When control returns to mongo_connection_authenticate_mongodb_scram_sha1(), we assume success. This can lead to a segfault when passing an uninitialized pointer into php_base64_decode() a few lines below.
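
An added example, not code from the driver or from this report: a minimal BSON walker in C that classifies the "ok" field whether it arrives as a double (0x01), an int32 (0x10), an int64 or a bool, and reports failure when the field is missing or the document is malformed. The names `reply_ok` and `hex_reply_ok` are hypothetical, and the code assumes a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hex of the reply captured in the report. Code assumes a little-endian host. */
static const char *CAPTURE_HEX =
    "53000000" "106F6B0000000000" "026572726D73670017000000"
    "41757468656E7469636174696F6E206661696C65642E00" "10636F646500401F0000"
    "02636F64654E616D65000B000000" "41746C61734572726F7200" "00";

static uint32_t le32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* 1: "ok" truthy; 0: "ok" falsy; -1: missing/malformed/unhandled. Only 1 is success. */
int reply_ok(const uint8_t *d, size_t len) {
    if (len < 5 || le32(d) != len || d[len - 1] != 0) return -1;
    for (size_t i = 4; i < len - 1;) {
        uint8_t type = d[i++];
        const char *name = (const char *)d + i;
        const uint8_t *nul = memchr(name, 0, len - 1 - i);
        uint64_t vlen;
        if (!nul) return -1;                        /* unterminated field name */
        i = (size_t)(nul - d) + 1;
        switch (type) {
        case 0x01: case 0x12: vlen = 8; break;      /* double, int64 */
        case 0x10: vlen = 4; break;                 /* int32 */
        case 0x08: vlen = 1; break;                 /* bool */
        case 0x02:                                  /* string: length + bytes */
            if (len - 1 - i < 4) return -1;
            vlen = 4 + (uint64_t)le32(d + i); break;
        default: return -1;                         /* other types: not handled */
        }
        if (vlen > len - 1 - i) return -1;          /* value runs past the document */
        if (strcmp(name, "ok") == 0) {
            if (type == 0x02) return -1;            /* a string is not a status */
            if (type == 0x01) { double v; memcpy(&v, d + i, 8); return v != 0.0; }
            for (size_t k = 0; k < vlen; k++) if (d[i + k]) return 1;
            return 0;
        }
        i += (size_t)vlen;
    }
    return -1;                                      /* no "ok" field at all */
}

int hex_reply_ok(const char *hex) {  /* decode a hex string, then classify it */
    uint8_t buf[256]; size_t n = 0; unsigned b;
    while (n < sizeof buf && sscanf(hex + 2 * n, "%2x", &b) == 1) buf[n++] = (uint8_t)b;
    return reply_ok(buf, n);
}
int main(void) { printf("captured reply: %d\n", hex_reply_ok(CAPTURE_HEX)); return 0; }
```

A caller that proceeds only on a return value of 1 never reaches the "conversationId" lookup for the captured reply, so the output parameters are never read uninitialized.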

              People

              Assignee: Unassigned
              Reporter: jmikola Jeremy Mikola
              Last commenter: Jeremy Mikola

                Dates

                Days since reply: 2 years, 14 weeks, 5 days ago