Re: bug with keytab_any?
On Tue, Jun 12, 2001 at 05:56:54PM +0200, Johan Danielsson wrote:
> "Jacques A. Vidrine" <n@nectar.com> writes:
>
> > Basically krb5_storage_free() is being called twice with the same
> > pointer, causing that pointer to be free'd twice.
>
> I can't repeat this with login or ktutil. There must be some
> interaction with PAM that does it. Can you debug further?
I haven't been able to pin it down exactly. I haven't had a chance to
wrap my head around keytab_any. However, I think the following should
be enough for someone who understands how the code is supposed to
function.
I put a `while (spin);' into krb5_storage_free so I could attach & see
how it was getting called. What I found was that the cursor's sp is
getting freed by both fkt_end_seq_get and krb4_kt_end_seq_get. I
believe the sequence is something like:
krb5_kt_read_service_key
|krb5_kt_get_entry
| krb5_kt_get_entry
| |krb5_kt_next_entry
| | any_next_entry
| | krb5_kt_end_seq_get
| | fkt_end_seq_get
| | krb5_storage_free
| krb5_kt_end_seq_get
| |krb5_kt_end_seq_get
| | any_end_seq_get
| | krb5_kt_end_seq_get
| | krb4_kt_end_seq_get
| | krb5_storage_free
Here are two backtraces, one from each of the first two calls of
krb5_storage_free.
(gdb) bt
#0 0x28156fc8 in krb5_storage_free (sp=0x804e3e0) at store.c:105
#1 0x281523fa in fkt_end_seq_get (context=0x8055000, id=0x80532c0, cursor=0x80525b4) at keytab_file.c:400
#2 0x28151830 in krb5_kt_end_seq_get (context=0x8055000, id=0x80532c0, cursor=0x80525b4) at keytab.c:420
#3 0x28151b5a in any_next_entry (context=0x8055000, id=0x8053280, entry=0xbfbfe788, cursor=0xbfbfe77c)
at keytab_any.c:166
#4 0x281517f1 in krb5_kt_next_entry (context=0x8055000, id=0x8053280, entry=0xbfbfe788, cursor=0xbfbfe77c)
at keytab.c:402
#5 0x28151635 in krb5_kt_get_entry (context=0x8055000, id=0x8053280, principal=0x8052500, kvno=0,
enctype=ETYPE_NULL, entry=0xbfbfe7e8) at keytab.c:286
#6 0x28151457 in krb5_kt_read_service_key (context=0x8055000, keyprocarg=0x0, principal=0x8052500, vno=0,
enctype=ETYPE_NULL, key=0xbfbfe854) at keytab.c:183
#7 0x28147a3b in verify_krb_v5_tgt () from /usr/lib/pam_krb5.so
#8 0x281464fe in pam_sm_authenticate () from /usr/lib/pam_krb5.so
#9 0x2808aa7f in pam_getenvlist () from /usr/lib/libpam.so.1
#10 0x2808ad3e in _pam_dispatch () from /usr/lib/libpam.so.1
#11 0x2808a057 in pam_authenticate () from /usr/lib/libpam.so.1
#12 0x804acda in free ()
#13 0x8049ea1 in free ()
#14 0x8049a09 in free ()
(gdb) bt
#0 0x28156fca in krb5_storage_free (sp=0x804e3e0) at store.c:105
#1 0x281536b2 in krb4_kt_end_seq_get (context=0x8055000, id=0x8053300, c=0x80525b4) at keytab_krb4.c:222
#2 0x28151830 in krb5_kt_end_seq_get (context=0x8055000, id=0x8053300, cursor=0x80525b4) at keytab.c:420
#3 0x28151bdf in any_end_seq_get (context=0x8055000, id=0x8053280, cursor=0xbfbfe77c) at keytab_any.c:193
#4 0x28151830 in krb5_kt_end_seq_get (context=0x8055000, id=0x8053280, cursor=0xbfbfe77c) at keytab.c:420
#5 0x2815164d in krb5_kt_get_entry (context=0x8055000, id=0x8053280, principal=0x8052500, kvno=0,
enctype=ETYPE_NULL, entry=0xbfbfe7e8) at keytab.c:287
#6 0x28151457 in krb5_kt_read_service_key (context=0x8055000, keyprocarg=0x0, principal=0x8052500, vno=0,
enctype=ETYPE_NULL, key=0xbfbfe854) at keytab.c:183
#7 0x28147a3b in verify_krb_v5_tgt () from /usr/lib/pam_krb5.so
#8 0x281464fe in pam_sm_authenticate () from /usr/lib/pam_krb5.so
#9 0x2808aa7f in pam_getenvlist () from /usr/lib/libpam.so.1
#10 0x2808ad3e in _pam_dispatch () from /usr/lib/libpam.so.1
#11 0x2808a057 in pam_authenticate () from /usr/lib/libpam.so.1
#12 0x804acda in free ()
#13 0x8049ea1 in free ()
#14 0x8049a09 in free ()
While looking at this, I found a second, more trivial, free bug. In
keytab_any.c::any_start_seq_get, `ed' and `c->data' are aliases, but
they are both free'd. Fix below.
--- lib/krb5/keytab_any.c.ORIG Fri Jun 15 12:56:37 2001
+++ lib/krb5/keytab_any.c Fri Jun 15 12:57:02 2001
@@ -139,7 +139,6 @@
ed->a = a;
ret = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
if (ret) {
- free (ed);
free (c->data);
c->data = NULL;
krb5_set_error_string (context, "malloc: out of memory");
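Review bot: the error string set in this branch, "malloc: out of memory", does not describe what failed here; the `if (ret)` is testing the return of `krb5_kt_start_seq_get`, not an allocation, and setting that string will also overwrite whatever error the underlying keytab backend reported. Consider dropping the `krb5_set_error_string` call (or making it reflect the start_seq_get failure) while touching this block. It would also help to note in a comment that `ed` and `c->data` are the same allocation, since the removed `free (ed);` reads as a leak fix to anyone who does not know that, and the double free could easily be reintroduced.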
Hope this helps,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
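The sequence in the backtraces (next_entry ends the exhausted inner keytab's sequence, then the outer end_seq_get ends it again) is modelled below as an added example; this is a constructed stand-in with invented names (storage_t, any_cursor_t, run), not Heimdal's keytab_any code. Releases are counted on a static arena instead of calling free(), so a second release is observable rather than undefined behaviour.

```c
/* Constructed model of an aggregating keytab cursor; not Heimdal's code. */
#include <stddef.h>

#define NSUB 2

typedef struct { int released; } storage_t;               /* stands in for krb5_storage */
typedef struct { storage_t *sp; int live; } any_cursor_t;  /* composite cursor */

static storage_t arena[NSUB];   /* releases are counted here, never freed */

static void storage_release(storage_t *sp) { sp->released++; }  /* krb5_storage_free */

/* backend start/end, as a file or krb4 keytab would implement them */
static void sub_start(any_cursor_t *c, int i) { c->sp = &arena[i]; c->live = 1; }
static void sub_end(any_cursor_t *c)          { storage_release(c->sp); }

static void any_start_seq_get(any_cursor_t *c) { sub_start(c, 0); }

/* Every sub-keytab is empty here, so next_entry runs off the end of each
 * one, ending its sequence as it goes, and reports "no entry" (-1). */
static int any_next_entry(any_cursor_t *c)
{
    for (int i = 0; i < NSUB; i++) {
        if (i > 0) sub_start(c, i);
        sub_end(c);             /* exhausted: release this backend's storage */
        c->live = 0;            /* record that nothing is open any more */
    }
    return -1;
}

/* Unsafe: ends whatever sub-cursor is stored, even if next_entry already did */
static void any_end_seq_get_unsafe(any_cursor_t *c) { sub_end(c); }

/* Fixed: only release a sub-cursor that is still open, then forget it */
static void any_end_seq_get_fixed(any_cursor_t *c)
{
    if (c->live) { sub_end(c); c->live = 0; }
    c->sp = NULL;
}

/* Drive the read_service_key -> get_entry -> next_entry -> end_seq_get
 * sequence from the backtraces and return how many times the last backend's
 * storage was released: 1 is correct, 2 is the double free. */
static int run(int fixed)
{
    any_cursor_t c;
    for (int i = 0; i < NSUB; i++) arena[i].released = 0;
    any_start_seq_get(&c);
    (void)any_next_entry(&c);
    if (fixed) any_end_seq_get_fixed(&c); else any_end_seq_get_unsafe(&c);
    return arena[NSUB - 1].released;
}
```

The discipline the fixed variant shows is that whichever function ends an inner sequence must record that in the composite cursor, so the outer end_seq_get is idempotent and never hands an already-released pointer to a backend.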