Segmentation fault using ExcludeAlgorithms
Jan Vilhuber
JVilhuber at absolute.com
Tue Oct 18 13:06:14 UTC 2022
I am encountering a segfault in the following code:
Thread 1 "shibd" received signal SIGSEGV, Segmentation fault.
shibsp::XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl (this=0xaaaaaaf81d60, e=0xaaaaaabe8f58, log=...)
at impl/XMLSecurityPolicyProvider.cpp:294
294 if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist) ||
The config is:
<ExcludedAlgorithms excludeDefaults="true">
http://www.w3.org/2000/09/xmldsig#sha1
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2000/09/xmldsig#dsa-sha1
</ExcludedAlgorithms>
If I remove all the internal algs, everything works.
Shib version is 3.3.0 (shib tooling 3.2.1) compiled myself under Ubuntu focal with Apache 2.4.45. I’m not sure what I can provide here that’s reasonably concise (see configure output at the end of the email). The config line was:
./configure --enable-apache-24 --with-memcached --with-odbc
Has anyone encountered this segfault before? Almost seems like alglist is null here (though it was not null before):
(gdb) n
271 const DOMElement* alglist = XMLHelper::getLastChildElement(e, ExcludedAlgorithms);
(gdb)
272 if (alglist) {
(gdb) p alglist
$3 = (const xercesc_3_2::DOMElement *) 0xaaaaaabf0298
(gdb) n
273 m_excludeDefaults = XMLHelper::getAttrBool(alglist, true, excludeDefaults);
(gdb)
274 if (alglist->hasChildNodes()) {
(gdb)
275 algs = alglist->getFirstChild()->getNodeValue();
(gdb)
288 if (algs) {
(gdb) p algs
$4 = (const XMLCh *) 0xaaaaaaed4428 u"\n\t http://www.w3.org/2000/09/xmldsig#sha1\n\t http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1\n\t http://www.w3.org/2000/09/xmldsig#rsa-sha1\n\t http://www.w3.org/2000/09/xmldsig#dsa-sha1\n "
(gdb) n
290 XMLStringTokenizer tokenizer(algs);
(gdb)
291 while (tokenizer.hasMoreTokens()) {
(gdb)
292 token = tokenizer.nextToken();
(gdb)
293 if (token) {
(gdb) p alglist
$5 = <optimized out>
(gdb) n
294 if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist) ||
(gdb) s
Thread 1 "shibd" received signal SIGSEGV, Segmentation fault.
shibsp::XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl (this=0xaaaaaaf81d60, e=0xaaaaaabe8f58, log=...)
at impl/XMLSecurityPolicyProvider.cpp:294
294 if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist) ||
(gdb)
Regards,
Jan
--- config output ---
./configure --enable-apache-24 --with-memcached --with-odbc
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for doxygen... no
configure: WARNING: doxygen not found - will not generate any doxygen documentation
checking for perl... /usr/bin/perl
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking for g++... g++
checking whether the compiler supports GNU C++... yes
checking whether g++ accepts -g... yes
checking for g++ option to enable C++11 features... none needed
checking dependency style of g++... gcc3
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... /usr/bin/ld -m elf_x86_64
checking if the linker (/usr/bin/ld -m elf_x86_64) is GNU ld... yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... yes
checking if g++ supports -c -o file.o... yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for an ANSI C-conforming const... yes
checking for size_t... yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking for dirent.h that defines DIR... yes
checking for library containing opendir... none required
checking for strftime... yes
checking for sys/utsname.h... yes
checking for grp.h... yes
checking for pwd.h... yes
checking for sys/socket.h... yes
checking for strchr... yes
checking for strdup... yes
checking for strstr... yes
checking for timegm... yes
checking for gmtime_r... yes
checking for localtime_r... yes
checking for strtok_r... yes
checking for strcasecmp... yes
checking for getpwnam... yes
checking for getgrnam... yes
checking for initgroups... yes
checking for struct sockaddr_storage... yes
checking for struct sockaddr.sa_len... no
checking for SOCK_CLOEXEC support... yes
checking how to run the C preprocessor... gcc -E
checking whether gcc is Clang... no
checking whether pthreads work with "-pthread" and "-lpthread"... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking whether more special flags are required for pthreads... no
checking for PTHREAD_PRIO_INHERIT... yes
checking for g++ options needed to detect all undeclared functions... none needed
checking whether strerror_r is declared... yes
checking whether strerror_r returns char *... yes
checking whether the compiler implements namespaces... yes
checking whether the compiler supports Standard Template Library... yes
checking for Boost headers version >= 0.0.0... yes
checking for Boost's header version... 1_71
checking for boost/bind.hpp... yes
checking for boost/lambda/lambda.hpp... yes
checking for boost/ptr_container/ptr_deque.hpp... yes
checking for boost/ptr_container/ptr_list.hpp... yes
checking for boost/ptr_container/ptr_vector.hpp... yes
checking for boost/ptr_container/ptr_array.hpp... yes
checking for boost/ptr_container/ptr_set.hpp... yes
checking for boost/ptr_container/ptr_map.hpp... yes
checking for boost/scoped_ptr.hpp... yes
checking for boost/shared_ptr.hpp... yes
checking for boost/algorithm/string.hpp... yes
checking for boost/tuple/tuple.hpp... yes
checking for ctime_r... yes, and it takes 2 arguments
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for log4shib... yes
checking for xerces-c >= 3.2... yes
checking for xml-security-c >= 2... yes
checking for xmltooling >= 3.1... yes
checking for xmltooling-lite >= 3.1... yes
checking for opensaml >= 3.1... yes
checking whether to build the ADFS module... yes
checking for NSAPI module option... no
checking for FastCGI support... no
checking for Memcached support... yes
checking for libmemcached/memcached.h... yes
checking whether memcached_last_error_message is declared... yes
checking if default apache needed... no
checking whether to build Apache 1.3 module... no
checking whether to build Apache 2.0 module... no
checking whether to build Apache 2.2 module... no
checking whether to build Apache 2.4 module... yes
checking for apxs2... no
checking for apxs... (cached) no
checking to see if Apache 2.4 apxs was located... /usr/local/apache2/bin/apxs
checking for apr-1-config... /usr/local/apache2/bin/apr-1-config
checking for apu-1-config... /usr/local/apache2/bin/apu-1-config
checking whether to build the ODBC storage service... yes, if it can be found
checking for odbc_config... no
configure: WARNING: Cannot find odbc_config, will try to guess settings.
checking for sql.h... yes
checking if we can link againt ODBC... yes
checking for krb5-gssapi... no
checking for gss... no
checking for cxxtestgen... no
checking for cxxtestgen.pl... no
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating shibsp.pc
config.status: creating shibsp-lite.pc
config.status: creating shibboleth.spec
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating schemas/Makefile
config.status: creating configs/Makefile
config.status: creating shibsp/Makefile
config.status: creating plugins/Makefile
config.status: creating shibd/Makefile
config.status: creating util/Makefile
config.status: creating selinux/Makefile
config.status: creating adfs/Makefile
config.status: creating nsapi_shib/Makefile
config.status: creating fastcgi/Makefile
config.status: creating memcache-store/Makefile
config.status: creating apache/Makefile
config.status: creating odbc-store/Makefile
config.status: creating unittests/Makefile
config.status: creating config.h
config.status: creating shibsp/config_pub.h
config.status: executing depfiles commands
config.status: executing libtool commands