Support #24853

erroneous profile_get_issuer inflate on valid SAML message

Added by Paul Marillonnet over 1 year ago. Updated 5 months ago.

Status: Solution deployed
Priority: Normal
Category: -
Target version:
Start date: 28 Jun 2018
Due date:
% Done: 100%
Patch proposed: Yes
Planning: No

Description

Using the python-lasso binding:

$ python
Python 2.7.14+ (default, Feb  6 2018, 19:12:18) 
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import lasso
>>> lasso.profileGetIssuer(u'RelayState=None&SAMLResponse=[URL-encoded base64 SAML response omitted]')
No handlers could be found for logger "Lasso" 
Erreur de segmentation

Whereas http://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php seems to indicate that the SAML message is valid.

0001-tools-set-output-buffer-size-in-lasso_inflate-to-20-.patch View (858 Bytes) Benjamin Dauvergne, 28 Jun 2018 11:18 PM

Associated revisions

Revision f33d51db (diff)
Added by Benjamin Dauvergne over 1 year ago

tools: set output buffer size in lasso_inflate to 20 times the input size (fixes #24853)

History

#1 Updated by Benjamin Dauvergne over 1 year ago

On the latest Lasso I don't get a segfault; can you retest after installing the latest lasso from eobuilder?

#2 Updated by Benjamin Dauvergne over 1 year ago

OK, I found the problem: it compresses too well.

For simplicity, rather than trying to allocate the buffer dynamically after decompressing a request, I directly allocate 10 times the size of the compressed string, telling myself that would always be enough, and then bam, here it exceeds a factor of 10.

A local fix, not sufficient (but to understand the thing):


diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index 6a9ce187..01533419 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -1353,11 +1353,11 @@ lasso_inflate(unsigned char *input, size_t len)
        zstr.zfree = NULL;
        zstr.opaque = NULL;

-       output = g_malloc(len*10);
+       output = g_malloc(len*100);
        zstr.avail_in = len;
        zstr.next_in = (unsigned char*)input;
        zstr.total_in = 0;
-       zstr.avail_out = len*10;
+       zstr.avail_out = len*100;
        zstr.total_out = 0;
        zstr.next_out = output;

#3 Updated by Benjamin Dauvergne over 1 year ago

Well, the screw-up wasn't mine originally, phew ;) Anyway, this needs improving.

#4 Updated by Frédéric Péters over 1 year ago

Indeed I thought Paul would update his lasso version before copy/pasting the error; I told him it was still failing:

>>> lasso.profileGetIssuer(...)
2018-06-28 23:06:17,396 - Lasso - ERROR - 2018-06-28 23:06:17 (tools.c/:1373) Failed to inflate
>>>

While the string is successfully read by http://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php

#5 Updated by Benjamin Dauvergne over 1 year ago

  • Assignee set to Benjamin Dauvergne

#6 Updated by Benjamin Dauvergne over 1 year ago

Too lazy to understand the zlib API in 20 minutes, I'm setting the buffer to 20x the size of the input buffer (we waste a little, but not too much).

#7 Updated by Frédéric Péters over 1 year ago

Go for it.

#8 Updated by Benjamin Dauvergne over 1 year ago

  • Target version set to 2.6.1

#9 Updated by Benjamin Dauvergne over 1 year ago

  • % Done changed from 0 to 100
  • Status changed from Proposed solution to Resolved (to be deployed)

#10 Updated by Paul Marillonnet over 1 year ago

Frédéric Péters wrote:

Indeed I thought Paul would update his lasso version before copy/pasting the error; I told him it was still failing:

Was using the stretch-testing and not the stretch-eobuilder repo, and I forgot to update, my bad.

#11 Updated by Frédéric Péters over 1 year ago

  • Status changed from Resolved (to be deployed) to In progress

With the data posted in #19396 (comment 146...) the problem still appears.

By modifying my local copy to log more, and also setting the buffer to len*50.

  2018-07-11 17:44:49,361 - Lasso - ERROR - 2018-07-11 17:44:49 (tools.c/:1373) Failed to inflate -3 (invalid code lengths set)

-3 → Z_DATA_ERROR: "Z_DATA_ERROR if the input data was corrupted (input stream not conforming to the zlib format or incorrect check value, in which case strm->msg points to a string with a more specific error)" (strm->msg is "invalid code lengths set").

#12 Updated by Benjamin Dauvergne over 1 year ago

In fact this payload is not compressed; I must have missed something. I'll reread the spec to see in which cases decompression should not be attempted.

#13 Updated by Benjamin Dauvergne over 1 year ago

https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf line 612:

A query string parameter named SAMLEncoding is reserved to identify the encoding mechanism used. If this parameter is omitted, then the value is assumed to be urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE.

So Lasso behaves normally on reception; I'll now look into why uncompressed content was emitted.

#14 Updated by Benjamin Dauvergne over 1 year ago

  • Status changed from In progress to Resolved (to be deployed)

And so it was the HTTP POST binding; in that case you must pass the content of SAMLResponse directly, not the encoding of the complete form.

#15 Updated by Benjamin Dauvergne over 1 year ago

In [6]: import urlparse

In [7]: content = urlparse.parse_qs(payload)['SAMLResponse'][0]

In [8]: lasso.profileGetIssuer(content)
Out[8]: 'http://idp5/metadata'
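
Added example (not part of the ticket and not Lasso's code): Python 3 code for the receiving side that covers both points of this thread, the fixed-multiplier output buffer from comments #2 and #6 and the binding mix-up from comments #14 and #15. It inflates with a hard output cap instead of a size guess and treats HTTP-POST data as base64 only; the function names, the 1 MiB cap and the sample message are assumptions.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

DEFLATE = "urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE"
MAX_XML = 1 << 20  # assumed 1 MiB cap on a decoded message; not a Lasso constant


def bounded_inflate(data, limit=MAX_XML):
    """Inflate raw DEFLATE data, refusing to produce more than `limit` bytes."""
    d = zlib.decompressobj(wbits=-15)      # -15 = raw DEFLATE, no zlib header
    out = d.decompress(data, limit + 1)    # output stops at limit + 1 bytes
    if len(out) > limit:
        raise ValueError("inflated SAML message exceeds %d bytes" % limit)
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def field(encoded, name="SAMLResponse"):
    """Pull one parameter out of a urlencoded form body or query string."""
    return parse_qs(encoded, strict_parsing=True)[name][0]


def decode_post(form_body):
    """HTTP-POST binding: the field is base64 of the XML, never compressed."""
    return base64.b64decode(field(form_body), validate=True)


def decode_redirect(query):
    """HTTP-Redirect binding: base64 of raw DEFLATE when SAMLEncoding is absent."""
    if parse_qs(query).get("SAMLEncoding", [DEFLATE])[0] != DEFLATE:
        raise ValueError("unsupported SAMLEncoding")
    return bounded_inflate(base64.b64decode(field(query), validate=True))


def deflate(xml):
    """Sender side of the Redirect binding, used to build the sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(xml) + c.flush()


# Constructed sample: a minimal response padded so that it compresses beyond 20x.
XML = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
       b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
       b'http://idp5/metadata</saml:Issuer>' + b' ' * 20000
       + b'</samlp:Response>')
POST_BODY = urlencode({"RelayState": "None", "SAMLResponse": base64.b64encode(XML)})
REDIRECT_QUERY = urlencode({"SAMLResponse": base64.b64encode(deflate(XML))})
```

Calling `decode_redirect(POST_BODY)` raises `zlib.error`, which is the situation diagnosed in comment #14: uncompressed HTTP-POST data handed to the inflate path.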

#16 Updated by Benjamin Dauvergne 5 months ago

  • Status changed from Resolved (to be deployed) to Solution deployed
