[CDRIVER-2342] _mongoc_scram_start() segfault if scram->user is null Created: 05/Nov/17  Updated: 28/Oct/23  Resolved: 09/Nov/17

Status: Closed
Project: C Driver
Component/s: auth, libmongoc
Affects Version/s: 1.8.1
Fix Version/s: 1.8.2, 1.9.0

Type: Bug Priority: Major - P3
Reporter: Jeremy Mikola Assignee: Jeremy Mikola
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by PHPC-1045 Segfault if username is not provided ... Closed
Related
related to CDRIVER-2351 Inconsistent #ifdef checks for mongoc... Backlog

Description

A segfault reported in mongodb/mongo-php-driver#666 appears to come from the following usage of the PHP driver:

<?php
 
// A null connection string defaults to "mongodb://127.0.0.1:27017"
$m = new MongoDB\Driver\Manager(null, ['authMechanism' => 'SCRAM-SHA-1', 'ssl' => false]);
 
// Execute a basic ping command to trigger connection initialization
$c = $m->executeCommand('admin', new MongoDB\Driver\Command(['ping'=>1]));
var_dump($c->toArray()[0]);

GDB backtrace:

(gdb) bt
#0  0x00007fb8ec696527 in _mongoc_scram_start (scram=0x7ffd250df610, outbuf=0x7ffd250df810 "n,,n=", outbufmax=4096, outbuflen=0x7ffd250df49c, error=0x2e71788)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-scram.c:206
#1  0x00007fb8ec6978e6 in _mongoc_scram_step (scram=0x7ffd250df610, inbuf=0x7ffd250df810 "n,,n=", inbuflen=0, outbuf=0x7ffd250df810 "n,,n=", outbufmax=4096, outbuflen=0x7ffd250df49c, 
    error=0x2e71788) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-scram.c:840
#2  0x00007fb8ec668ba0 in _mongoc_cluster_auth_node_scram (cluster=0x2e6e208, stream=0x2e6d830, error=0x2e71788)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1143
#3  0x00007fb8ec6692b0 in _mongoc_cluster_auth_node (cluster=0x2e6e208, stream=0x2e6d830, hostname=0x2e714a0 "127.0.0.1", max_wire_version=5, error=0x2e71788)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1303
#4  0x00007fb8ec66a192 in mongoc_cluster_fetch_stream_single (cluster=0x2e6e208, server_id=1, reconnect_ok=true, error=0x2e70d40)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1758
#5  0x00007fb8ec669bfc in _mongoc_cluster_stream_for_server (cluster=0x2e6e208, server_id=1, reconnect_ok=true, error=0x2e70d40)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1603
#6  0x00007fb8ec66a81d in _mongoc_cluster_stream_for_optype (cluster=0x2e6e208, optype=MONGOC_SS_READ, read_prefs=0x2e6d6f0, error=0x2e70d40)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1978
#7  0x00007fb8ec66a87e in mongoc_cluster_stream_for_reads (cluster=0x2e6e208, read_prefs=0x2e6d6f0, error=0x2e70d40)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:2008
#8  0x00007fb8ec676283 in _mongoc_cursor_fetch_stream (cursor=0x2e70b80) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cursor.c:579
#9  0x00007fb8ec676411 in _mongoc_cursor_initial_query (cursor=0x2e70b80) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cursor.c:624
#10 0x00007fb8ec67a96b in _mongoc_cursor_next (cursor=0x2e70b80, bson=0x7ffd250e0cb8) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cursor.c:1828
#11 0x00007fb8ec67a67a in mongoc_cursor_next (cursor=0x2e70b80, bson=0x7ffd250e0cb8) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cursor.c:1760
#12 0x00007fb8ec6b8c99 in phongo_advance_cursor_and_check_for_error (cursor=0x2e70b80) at /home/jmikola/workspace/mongodb/phpc/php_phongo.c:525
#13 0x00007fb8ec6b9033 in phongo_execute_command (client=0x2e6e200, db=0x7fb8ecc793d8 "admin", zcommand=0x7fb8ecc131a0, zreadPreference=0x0, server_id=-1, return_value=0x7fb8ecc130f0, 
    return_value_used=1) at /home/jmikola/workspace/mongodb/phpc/php_phongo.c:608
#14 0x00007fb8ec6d2527 in zim_Manager_executeCommand (execute_data=0x7fb8ecc13140, return_value=0x7fb8ecc130f0) at /home/jmikola/workspace/mongodb/phpc/src/MongoDB/Manager.c:304
...

Looking at the exact point of failure takes us to this line in mongoc-scram.c. It looks like libmongoc is accessing scram->user without first ensuring it is not null.

I quickly tested how libmongoc reacts if username is set on the URI but password remains unset. I encountered an "Authentication failed" error/exception instead of a segfault. I'm not sure if there may be a lingering issue with a null scram->pass value later in the SCRAM flow, but that may be worth a look.
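The guard that the fix commits below describe, written out here as an added standalone illustration rather than libmongoc's own code: a hypothetical example_scram_start builds the SCRAM client-first message "n,,n=<user>,r=<nonce>" (the "n,,n=" prefix is what the backtrace shows sitting in outbuf when the crash happens) and returns an error when scram->user is NULL instead of passing it to string functions. The struct layout, function names, error strings and the constructed usernames and nonces are assumptions made for this example; the ',' and '=' escaping follows the saslname rule in RFC 5802.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, minimal SCRAM client state for this example only.
 * It is not libmongoc's mongoc_scram_t; only the fields used here exist. */
typedef struct {
   const char *user;  /* NULL when the URI carried no username */
   const char *nonce; /* client nonce, assumed to be generated elsewhere */
} example_scram_t;

/* RFC 5802 saslname escaping: ',' -> "=2C" and '=' -> "=3D".
 * Returns false if the escaped name plus its NUL would not fit in out. */
static bool
example_escape_saslname (const char *name, char *out, size_t outmax)
{
   size_t o = 0;
   for (const char *p = name; *p; p++) {
      const char *rep = (*p == ',') ? "=2C" : (*p == '=') ? "=3D" : NULL;
      if (rep) {
         if (o + 3 >= outmax) return false;
         memcpy (out + o, rep, 3);
         o += 3;
      } else {
         if (o + 1 >= outmax) return false;
         out[o++] = *p;
      }
   }
   out[o] = '\0';
   return true;
}

/* Build the client-first message "n,,n=<user>,r=<nonce>" into outbuf.
 * Every pointer the message depends on is validated before any string
 * function sees it, so a missing username becomes an error, not a crash.
 * On failure *error points at a static message and false is returned. */
bool
example_scram_start (const example_scram_t *scram, char *outbuf, size_t outbufmax, size_t *outbuflen, const char **error)
{
   char escaped[256];
   int n;

   /* The check the reported crash was missing: a URI without a username
    * leaves user NULL, and strlen/snprintf on NULL is the segfault. */
   if (!scram->user || !*scram->user) {
      *error = "SCRAM Failure: username is not set";
      return false;
   }
   if (!scram->nonce) {
      *error = "SCRAM Failure: client nonce is not set";
      return false;
   }
   if (!example_escape_saslname (scram->user, escaped, sizeof escaped)) {
      *error = "SCRAM Failure: username too long";
      return false;
   }
   n = snprintf (outbuf, outbufmax, "n,,n=%s,r=%s", escaped, scram->nonce);
   if (n < 0 || (size_t) n >= outbufmax) {
      *error = "SCRAM Failure: output buffer too small";
      return false;
   }
   *outbuflen = (size_t) n;
   *error = NULL;
   return true;
}

/* Constructed input: no username, as with a bare "mongodb://127.0.0.1"
 * URI plus authMechanism=SCRAM-SHA-1. Returns 1 if the call was rejected
 * with an error message, 0 if it (wrongly) succeeded or set no message. */
int
example_null_user_result (void)
{
   example_scram_t scram = {NULL, "fyko+d2lbbFgONRv9qkxdawL"};
   char buf[64];
   size_t len = 0;
   const char *err = NULL;
   bool ok = example_scram_start (&scram, buf, sizeof buf, &len, &err);
   return (!ok && err != NULL) ? 1 : 0;
}

/* Constructed input: a username containing both characters that must be
 * escaped. Returns the built message, or the error string on failure. */
const char *
example_escaped_user_message (void)
{
   static char buf[128];
   example_scram_t scram = {"a,b=c", "rOprNGfwEbeRWgbNEkqO"};
   size_t len = 0;
   const char *err = NULL;
   if (!example_scram_start (&scram, buf, sizeof buf, &len, &err)) return err;
   return buf;
}

int
main (void)
{
   printf ("null user rejected: %d\n", example_null_user_result ());
   printf ("%s\n", example_escaped_user_message ());
   return 0;
}
```

The same pattern (validate every credential-derived pointer before the first string operation, and hand back an error the caller can surface as an authentication failure) is what turns the segfault into the "Authentication failed" path that the reporter saw for a missing password.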



Comments
Comment by Githook User [ 09/Nov/17 ]

Author:

{'name': 'Jeremy Mikola', 'username': 'jmikola', 'email': 'jmikola@gmail.com'}

Message: CDRIVER-2342 check for null user in _mongoc_scram_start
Branch: r1.8
https://github.com/mongodb/mongo-c-driver/commit/48fae8421fd3d188689808b7bfd2ed8c063e0f68

Comment by Githook User [ 09/Nov/17 ]

Author:

{'name': 'Jeremy Mikola', 'username': 'jmikola', 'email': 'jmikola@gmail.com'}

Message: CDRIVER-2342 check for null user in _mongoc_scram_start
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/d503e61e42a8e3bd1a9ccdd0bff7116034407b25

Generated at Wed Feb 07 21:14:56 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.