
bug with keytab_any?



Hello,

It seems that with Heimdal-0.3f a bug crept in with the keytab_any
stuff. I haven't tracked it down yet, but I thought I'd provide this
information while it was fresh -- maybe someone will give me a hint
that will be helpful when I go back to look at this later.

Basically krb5_storage_free() is being called twice with the same
pointer, causing that pointer to be free'd twice. Below is a run and
backtrace where I've set up the system memory allocator to abort when
it detects an attempt to free already-free'd memory.

# env MALLOC_OPTIONS=A sh -c 'exec /usr/bin/login'
login: luser
Password for luser@COMPANY.COM:
login in free(): error: chunk is already free.
Abort(coredump)

GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `login'.
Program terminated with signal 6, Abort trap.
Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/lib/pam_krb5.so...done.
Reading symbols from /usr/lib/pam_cleartext_pass_ok.so...done.
Reading symbols from /usr/lib/libskey.so.2...done.
Reading symbols from /usr/lib/libmd.so.2...done.
Reading symbols from /usr/lib/pam_unix.so...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x280cb6a8 in kill () from /usr/lib/libc.so.4
#0  0x280cb6a8 in kill () from /usr/lib/libc.so.4
#1  0x281088e9 in abort () from /usr/lib/libc.so.4
#2  0x281073be in isatty () from /usr/lib/libc.so.4
#3  0x281073f6 in isatty () from /usr/lib/libc.so.4
#4  0x2810830e in isatty () from /usr/lib/libc.so.4
#5  0x28108585 in free () from /usr/lib/libc.so.4
#6  0x28157029 in krb5_storage_free (sp=0x804e3e0) at store.c:106
#7  0x281536e2 in krb4_kt_end_seq_get (context=0x8055000, id=0x8053300, 
    c=0x80525b4) at keytab_krb4.c:222
#8  0x28151860 in krb5_kt_end_seq_get (context=0x8055000, id=0x8053300, 
    cursor=0x80525b4) at keytab.c:420
#9  0x28151c0f in any_end_seq_get (context=0x8055000, id=0x8053280, 
    cursor=0xbfbfe7a8) at keytab_any.c:193
#10 0x28151860 in krb5_kt_end_seq_get (context=0x8055000, id=0x8053280, 
    cursor=0xbfbfe7a8) at keytab.c:420
#11 0x2815167d in krb5_kt_get_entry (context=0x8055000, id=0x8053280, 
    principal=0x8052500, kvno=0, enctype=ETYPE_NULL, entry=0xbfbfe814)
    at keytab.c:287
#12 0x28151487 in krb5_kt_read_service_key (context=0x8055000, keyprocarg=0x0, 
    principal=0x8052500, vno=0, enctype=ETYPE_NULL, key=0xbfbfe880)
    at keytab.c:183
#13 0x28147a6b in verify_krb_v5_tgt () from /usr/lib/pam_krb5.so
#14 0x2814652e in pam_sm_authenticate () from /usr/lib/pam_krb5.so
#15 0x2808aa7f in pam_getenvlist () from /usr/lib/libpam.so.1
#16 0x2808ad3e in _pam_dispatch () from /usr/lib/libpam.so.1
#17 0x2808a057 in pam_authenticate () from /usr/lib/libpam.so.1
#18 0x804acda in free ()
#19 0x8049ea1 in free ()
#20 0x8049a09 in free ()


Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
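
Added example, not part of the original message and not Heimdal code: a minimal model of the failure class reported above, where a cursor's end-of-sequence cleanup runs twice on the same storage pointer. The names `dbg_malloc`, `dbg_free`, `struct cursor`, `end_seq_unguarded` and `end_seq_guarded` are hypothetical; the ledger stands in for an allocator that detects repeated frees, and the guarded variant shows the usual defensive fix of clearing the pointer after release. It does not diagnose the actual cause of the crash in the backtrace.

```c
#include <stdio.h>
#include <stdlib.h>

#define SLOTS 64
static struct { void *p; int freed; } tab[SLOTS]; /* allocation ledger */
static int ntab, double_frees;

/* Tracking allocator: records every block it hands out. */
static void *dbg_malloc(size_t n)
{
    void *p = (ntab < SLOTS) ? malloc(n) : NULL;
    if (p) { tab[ntab].p = p; tab[ntab].freed = 0; ntab++; }
    return p;
}

/* Tracking free: blocks are quarantined (this demo never returns them to
 * malloc), so a second free of the same pointer is counted instead of
 * corrupting the heap. */
static void dbg_free(void *p)
{
    for (int i = 0; i < ntab; i++) {
        if (tab[i].p != p) continue;
        if (tab[i].freed) double_frees++;
        tab[i].freed = 1;
        return;
    }
}

struct cursor { void *sp; };  /* hypothetical cursor owning one storage block */

/* Leaves c->sp dangling after release. */
static void end_seq_unguarded(struct cursor *c) { dbg_free(c->sp); }

/* Clears the pointer, so a repeated call finds nothing to release. */
static void end_seq_guarded(struct cursor *c)
{
    dbg_free(c->sp);   /* NULL matches no ledger entry */
    c->sp = NULL;
}

/* Ends the same cursor twice and returns how many double frees were seen. */
static int run(void (*end_seq)(struct cursor *))
{
    struct cursor c = { dbg_malloc(16) };
    double_frees = 0;
    end_seq(&c);
    end_seq(&c);
    return double_frees;
}

int main(void)
{
    printf("unguarded: %d double free(s)\n", run(end_seq_unguarded));
    printf("guarded:   %d double free(s)\n", run(end_seq_guarded));
    return 0;
}
```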