Bug 3588 - external_acl crashes squid 3.1.17 or later
Status: RESOLVED WORKSFORME
Alias: None
Product: Squid
Classification: Unclassified
Component: other
Version: 3.1
Hardware: PC x86_64 (64-bit) Linux - All
Importance: P2 critical
Assignee: SQUID BUGS ALIAS
Reported: 2012-07-11 14:00 UTC by Sergei Epiphanov
Modified: 2014-07-07 05:12 UTC (History)

Attachments
Fix my problem. (728 bytes, patch)
2012-07-11 14:00 UTC, Sergei Epiphanov
Description Sergei Epiphanov 2012-07-11 14:00:25 UTC
Created attachment 2706
Fix my problem.

I use external_acl to check users. I added these lines to squid.conf:
=======
external_acl_type log_conn ttl=120 negative_ttl=10 children=5 %LOGIN %SRC %DST /usr/lib/squid/log_connect.pl
acl log_conn external log_conn
http_access allow password log_conn
=======
These lines work fine in 3.1.16 and crash squid in 3.1.17 and later. I found that if I delete one line from the code, I can again use squid with external_acl. I attach a patch that cuts that line from 3.1.20.

If I delete log_conn from http_access, squid works fine.

Symptoms: browser loses connection to server, 'access violation' lines in log, strange lock counts to external_acl match list when using

debug_options ALL,9

Also you can find this bug at https://bugzilla.altlinux.org/show_bug.cgi?id=27329 where I posted this problem first.
Comment 1 Sergei Epiphanov 2012-07-11 14:33:36 UTC
Additional info.

Using external_acl without the patch, I found lines in the logs that show that this acl has an auth result not in auth_acl_t in 'int ACLFilledChecklist::authenticated()':

"unexpected authenticateAuthenticate reply"

because of line
auth_acl_t result = AuthUserRequest::tryToAuthenticateAndSetAuthUser (&auth_user_request, headertype, request, conn(), src_addr);

where (I think so) you can find lines

    if (t && t->lastReply != AUTH_ACL_CANNOT_AUTHENTICATE
            && t->lastReply != AUTH_ACL_HELPER) {

which are better changed to

    if (t && (t->lastReply == AUTH_AUTHENTICATED
            || t->lastReply == AUTH_ACL_CHALLENGE)) {


I may be wrong but nevertheless...
Comment 2 Amos Jeffries 2012-08-29 08:01:12 UTC
What your "fix" patch does is make the external helper response cache never match anything (key is made empty before comparison with a string).

Since the 3.1 series is deprecated for support now, please test and see if this bug still exists in 3.2.1 or later.
Comment 3 Eliezer Croitoru 2014-07-06 20:54:37 UTC
Well, a fake helper test can be conducted on 3.4.6.
From my past tests this should not be an issue on 3.4.X

Eliezer
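
A stand-in helper for the kind of fake helper test mentioned in comment 3, as an added example that is not part of the original thread or of Squid's code. It assumes the reporter's `%LOGIN %SRC %DST` format, the default URL-escaped request encoding, and no concurrency channel-ID; the allow-everything policy and the `log=` values are illustrative choices.

```python
#!/usr/bin/env python3
"""Fake external_acl helper for an ACL defined with: %LOGIN %SRC %DST."""
import ipaddress
import sys
from urllib.parse import quote, unquote

EXPECTED_FIELDS = 3  # %LOGIN %SRC %DST; no channel-ID (concurrency not set)

# Constructed sample requests, used only by --demo.
SAMPLE_REQUESTS = [
    "alice 192.0.2.10 example.com",
    "j%20doe 192.0.2.11 example.org",   # login containing an escaped space
    "- 192.0.2.12 example.net",         # "-" means no login was available
]


def answer(line):
    """Return the single-line reply for one request line sent by Squid."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) != EXPECTED_FIELDS:
        return "ERR log=bad_field_count"
    login, src, dst = fields
    if login == "-":
        return "ERR log=no_login"
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return "ERR log=bad_src"
    # Well-formed request: always allow, echoing the login back URL-escaped.
    return "OK user=%s log=%s" % (quote(login, safe=""), quote(dst, safe=""))


def main(argv):
    if "--demo" in argv:
        for request in SAMPLE_REQUESTS:
            print("%-34s -> %s" % (request, answer(request)))
        return
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits on every reply, so never buffer


if __name__ == "__main__":
    main(sys.argv[1:])
```

Pointing the `external_acl_type log_conn` line at this script instead of `log_connect.pl` separates a helper-side problem from a Squid-side one when reproducing the report.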
Comment 4 Amos Jeffries 2014-07-07 05:12:06 UTC
Closing as WORKSFORME as the related helper code has been through several major re-writes since the affected version. If this reappears in version 3.4 or later, a new bug report with new trace details will be needed.