WebAuth 4.3.3

So, funny story. And by funny, I mean "doh."

We had a production outage of our WebLogin servers a bit before I went on vacation because the hardware load balancer died, and then when it came back the load was so heavy that the WebLogin servers were overwhelmed with connections. WebLogin, due to the way that it involves accepting an Apache connection and then turning around and connecting back to itself to talk to the WebKDC, has a tendency to get into overload deadlocks. Worse, because the WebLogin script runs under FastCGI, when it deadlocks waiting for Apache to reply to it, mod_fastcgi decides that the script isn't responding and starts killing all the scripts. It's an obnoxious meltdown scenario.

I want to find some way of getting around this (such as running WebLogin via ngnix and running the WebKDC on another port), but in the short term the best solution is to just increase MaxClients to handle more load. The limitation there is the amount of memory on the servers, which was a problem since they were built 32-bit (for historical reasons). So, this weekend I started working on rebuilding them all 64-bit.

Imagine my surprise when I installed WebAuth and WebLogin on the newly-built 64-bit system and it segfaulted. It turns out that when allocating memory for a struct, it's good to allocate enough memory for the whole struct, not just for a pointer to the struct. (This is exactly the reason why I hate typedefs for structs in C, but in this case it was XS code where I don't have a good alternative, and I didn't pay close enough attention.)

So, lots of debugging later, along with a detour to set up comprehensive valgrind testing of WebAuth (at least all the parts of it that aren't the Apache modules), this release fixes one uninitialized memory error and one memory allocation size error. The latter is theoretically exploitable, although since it's inside Perl XS code with pretty sharply bounded external inputs, it's going to be pretty complicated to figure out how to exploit it and therefore I decided it didn't warrant an explicit advisory.

Obviously, anyone running earlier versions of mod_webkdc or WebLogin (4.2.0 or later, sigh) should upgrade to this release.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

Posted: 2012-11-05 13:27 — Why no comments?

Last spun 2013-07-01 from thread modified 2013-01-04