-
Committer:
Jason Stephenson
-
Author(s):
Mike Rylander
-
Date:
2021-02-18 12:22:32 UTC
-
Revision ID:
git-v1:e7111d22e7b4b7852ef8d90ef774b5bdfc23d3c5
LP#1836254: Handle null authtoken in PCRUD
When the authtoken received from the client is the unquoted literal
string "null" in a pcrud request, the drone processing the request
will crash with a segmentation fault as the session verification code
passes a NULL pointer to strcmp.
To reproduce this bug, make the following request via srfsh:
request open-ils.pcrud open-ils.pcrud.search.pgt null
{"parent":null},{"flesh":-1,"flesh_fields":{"pgt":["children"]}}
Note that srfsh hangs util it times out.
Next, grep /var/log/syslog for the string segfault. You should find
something resembling the following:
Jul 12 15:29:43 buster kernel: [ 94.794920] opensrf-c[1357]:
segfault at 0 ip 00007fe3bbb8b219 sp 00007fff2877a020 error 4 in
liboils_pcrud.so.2.0.0[7fe3bbb82000+10000]
After patching Evergreen with this commit, repeat the srfsh request
again. This time, the call should return almost immediately with an
osrfMethodException: "permacrud received a bad auth token: (null)."
When you grep syslog for segfault this time, you should find no new
occurrences.
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>