Project: C Driver
Issue: CDRIVER-2342

_mongoc_scram_start() segfault if scram->user is null

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.8.2, 1.9.0
    • Affects Version/s: 1.8.1
    • Component/s: auth, libmongoc
    • Labels: None

      A segfault reported in mongodb/mongo-php-driver#666 appears to come from the following usage of the PHP driver:

      <?php
      
      // A null connection string defaults to "mongodb://127.0.0.1:27017"
      $m = new MongoDB\Driver\Manager(null, ['authMechanism' => 'SCRAM-SHA-1', 'ssl' => false]);
      
      // Execute a basic ping command to trigger connection initialization
      $c = $m->executeCommand('admin', new MongoDB\Driver\Command(['ping'=>1]));
      var_dump($c->toArray()[0]);
      

      GDB backtrace:

      (gdb) bt
      #0  0x00007fb8ec696527 in _mongoc_scram_start (scram=0x7ffd250df610, outbuf=0x7ffd250df810 "n,,n=", outbufmax=4096, outbuflen=0x7ffd250df49c, error=0x2e71788)
          at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-scram.c:206
      #1  0x00007fb8ec6978e6 in _mongoc_scram_step (scram=0x7ffd250df610, inbuf=0x7ffd250df810 "n,,n=", inbuflen=0, outbuf=0x7ffd250df810 "n,,n=", outbufmax=4096, outbuflen=0x7ffd250df49c, 
          error=0x2e71788) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-scram.c:840
      #2  0x00007fb8ec668ba0 in _mongoc_cluster_auth_node_scram (cluster=0x2e6e208, stream=0x2e6d830, error=0x2e71788)
          at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1143
      #3  0x00007fb8ec6692b0 in _mongoc_cluster_auth_node (cluster=0x2e6e208, stream=0x2e6d830, hostname=0x2e714a0 "127.0.0.1", max_wire_version=5, error=0x2e71788)
          at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1303
      #4  0x00007fb8ec66a192 in mongoc_cluster_fetch_stream_single (cluster=0x2e6e208, server_id=1, reconnect_ok=true, error=0x2e70d40)
          at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1758
      #5  0x00007fb8ec669bfc in _mongoc_cluster_stream_for_server (cluster=0x2e6e208, server_id=1, reconnect_ok=true, error=0x2e70d40)
          at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1603
      #6  0x00007fb8ec66a81d in _mongoc_cluster_stream_for_optype (cluster=0x2e6e208, optype=MONGOC_SS_READ, read_prefs=0x2e6d6f0, error=0x2e70d40)
          at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:1978
      #7  0x00007fb8ec66a87e in mongoc_cluster_stream_for_reads (cluster=0x2e6e208, read_prefs=0x2e6d6f0, error=0x2e70d40)
          at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cluster.c:2008
      #8  0x00007fb8ec676283 in _mongoc_cursor_fetch_stream (cursor=0x2e70b80) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cursor.c:579
      #9  0x00007fb8ec676411 in _mongoc_cursor_initial_query (cursor=0x2e70b80) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cursor.c:624
      #10 0x00007fb8ec67a96b in _mongoc_cursor_next (cursor=0x2e70b80, bson=0x7ffd250e0cb8) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cursor.c:1828
      #11 0x00007fb8ec67a67a in mongoc_cursor_next (cursor=0x2e70b80, bson=0x7ffd250e0cb8) at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cursor.c:1760
      #12 0x00007fb8ec6b8c99 in phongo_advance_cursor_and_check_for_error (cursor=0x2e70b80) at /home/jmikola/workspace/mongodb/phpc/php_phongo.c:525
      #13 0x00007fb8ec6b9033 in phongo_execute_command (client=0x2e6e200, db=0x7fb8ecc793d8 "admin", zcommand=0x7fb8ecc131a0, zreadPreference=0x0, server_id=-1, return_value=0x7fb8ecc130f0, 
          return_value_used=1) at /home/jmikola/workspace/mongodb/phpc/php_phongo.c:608
      #14 0x00007fb8ec6d2527 in zim_Manager_executeCommand (execute_data=0x7fb8ecc13140, return_value=0x7fb8ecc130f0) at /home/jmikola/workspace/mongodb/phpc/src/MongoDB/Manager.c:304
      ...
      

      Looking at the exact point of failure takes us to this line in mongoc-scram.c. It looks like libmongoc is accessing scram->user without first ensuring it is not null.

      I quickly tested how libmongoc reacts if the username is set on the URI but the password remains unset. I encountered an "Authentication failed" error/exception instead of a segfault. I'm not sure if there may be a lingering issue with a null scram->pass value later in the SCRAM flow, but that may be worth a look.
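A hardened version of the SCRAM start step, added here as an example and not libmongoc's code or its actual fix (the struct, function and error type names are assumptions). It validates the credentials before building the client-first message, so a missing user or password surfaces as an authentication error rather than a NULL dereference, and it bounds every write into the caller's output buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for libmongoc's SCRAM state and error (assumed names). */
typedef struct { const char *user; const char *pass; const char *nonce; } scram_t;
typedef struct { int code; char message[128]; } scram_error_t;

static bool fail(scram_error_t *error, int code, const char *msg) {
    error->code = code;
    snprintf(error->message, sizeof error->message, "%s", msg);
    return false;
}

/* Copy src into dst (bounded), escaping ',' and '=' as RFC 5802 requires
 * for SCRAM usernames. Returns bytes written, or -1 if it would not fit. */
static int append_escaped_user(const char *src, char *dst, size_t dstmax) {
    size_t n = 0;
    for (; *src; src++) {
        const char *rep = (*src == ',') ? "=2C" : (*src == '=') ? "=3D" : NULL;
        size_t len = rep ? 3 : 1;
        if (n + len >= dstmax) return -1;      /* leave room for the NUL */
        if (rep) memcpy(dst + n, rep, 3); else dst[n] = *src;
        n += len;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Build the SCRAM client-first message "n,,n=<user>,r=<nonce>".
 * A NULL user, password or nonce is rejected up front, which is the check
 * the reported crash in _mongoc_scram_start() was missing. */
bool scram_start(const scram_t *scram, char *outbuf, size_t outbufmax,
                 size_t *outbuflen, scram_error_t *error) {
    if (!scram->user || !scram->pass || !scram->nonce)
        return fail(error, 1, "SCRAM authentication requires a username and password");
    int written = snprintf(outbuf, outbufmax, "n,,n=");
    if (written < 0 || (size_t)written >= outbufmax)
        return fail(error, 2, "SCRAM output buffer too small");
    int u = append_escaped_user(scram->user, outbuf + written, outbufmax - written);
    if (u < 0) return fail(error, 2, "SCRAM output buffer too small");
    written += u;
    int r = snprintf(outbuf + written, outbufmax - written, ",r=%s", scram->nonce);
    if (r < 0 || (size_t)r >= outbufmax - written)
        return fail(error, 2, "SCRAM output buffer too small");
    *outbuflen = (size_t)(written + r);
    return true;
}
```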

            Assignee: Jeremy Mikola (jmikola@mongodb.com)
            Reporter: Jeremy Mikola (jmikola@mongodb.com)
            Votes: 0
            Watchers: 1