
memory corruption in new MEMORY keytab



==29202== Invalid free() / delete / delete[]
==29202==    at 0x1B909743: free (vg_replace_malloc.c:152)
==29202==    by 0x8054878: mkt_close (keytab_memory.c:124)
==29202==    by 0x8052EE1: krb5_kt_close (keytab.c:287)
==29202==    by 0x804A524: test_memory_keytab (test_keytab.c:162)
==29202==    by 0x804A5BE: main (test_keytab.c:185)
==29202==  Address 0x1B929E78 is 0 bytes inside a block of size 24 free'd
==29202==    at 0x1B909743: free (vg_replace_malloc.c:152)
==29202==    by 0x1B909BF9: realloc (vg_replace_malloc.c:190)
==29202==    by 0x8054A72: mkt_remove_entry (keytab_memory.c:217)
==29202==    by 0x8053355: krb5_kt_remove_entry (keytab.c:526)
==29202==    by 0x804A518: test_memory_keytab (test_keytab.c:160)
==29202==    by 0x804A5BE: main (test_keytab.c:185)
==29202==

With the attached patch, which as far as I can tell is legitimate, I get
memory corruption reported by valgrind.

(We are hitting it in smbd, but it is much easier to reproduce in a test
program.)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Index: lib/krb5/test_keytab.c
===================================================================
--- lib/krb5/test_keytab.c	(revision 502)
+++ lib/krb5/test_keytab.c	(working copy)
@@ -65,11 +65,11 @@
  */
 
 static void
-test_memory_keytab(krb5_context context, const char *keytab)
+test_memory_keytab(krb5_context context, const char *keytab, const char *keytab2)
 {
     krb5_error_code ret;
-    krb5_keytab id, id2;
-    krb5_keytab_entry entry, entry2;
+    krb5_keytab id, id2, id3;
+    krb5_keytab_entry entry, entry2, entry3;
 
     ret = krb5_kt_resolve(context, keytab, &id);
     if (ret)
@@ -119,7 +119,24 @@
 	krb5_err(context, 1, ret, "krb5_kt_close");
 
 
+    ret = krb5_kt_resolve(context, keytab2, &id3);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
 
+    memset(&entry3, 0, sizeof(entry3));
+    ret = krb5_parse_name(context, "lha3@SU.SE", &entry3.principal);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+    entry3.vno = 1;
+    ret = krb5_generate_random_keyblock(context,
+					ETYPE_AES256_CTS_HMAC_SHA1_96,
+					&entry3.keyblock);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+    krb5_kt_add_entry(context, id3, &entry3);
+
+
     ret = krb5_kt_resolve(context, keytab, &id);
     if (ret)
 	krb5_err(context, 1, ret, "krb5_kt_resolve");
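Review bot: The return value of `krb5_kt_add_entry(context, id3, &entry3)` is dropped, so a failed add goes unnoticed and the later remove and close steps run against a keytab that never received the entry; every other krb5_kt_* call in this function assigns `ret` and reports through krb5_err. Change it to `ret = krb5_kt_add_entry(context, id3, &entry3);` / `if (ret)` / `krb5_err(context, 1, ret, "krb5_kt_add_entry");`. test_memory_keytab begins and ends outside this hunk.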
@@ -132,11 +149,21 @@
     if (ret == 0)
 	krb5_errx(context, 1, "krb5_kt_get_entry when if should fail");
 
+    krb5_kt_remove_entry(context, id, &entry);
+
     ret = krb5_kt_close(context, id);
     if (ret)
 	krb5_err(context, 1, ret, "krb5_kt_close");
 
     krb5_kt_free_entry(context, &entry);
+
+    krb5_kt_remove_entry(context, id3, &entry3);
+
+    ret = krb5_kt_close(context, id3);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_close");
+
+
 }
 
 int
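Review bot: `entry3` is never released: after `krb5_kt_remove_entry(context, id3, &entry3)` and the close of `id3` there is no `krb5_kt_free_entry(context, &entry3)`, whereas `entry` is freed right after its keytab is closed, so the principal and keyblock generated for entry3 leak. Both new `krb5_kt_remove_entry` calls also discard their return value, unlike the resolve and close calls around them; that matters here because the valgrind trace in the report attributes the first free to the realloc inside mkt_remove_entry, so an error reported from that path would narrow the reproducer. The rewritten tail below checks both removals and frees entry3 once its keytab is closed; test_memory_keytab starts before this hunk.
```c
    ret = krb5_kt_remove_entry(context, id, &entry);
    if (ret)
	krb5_err(context, 1, ret, "krb5_kt_remove_entry");

    /* … unchanged: krb5_kt_close(id) and krb5_kt_free_entry(&entry) … */

    ret = krb5_kt_remove_entry(context, id3, &entry3);
    if (ret)
	krb5_err(context, 1, ret, "krb5_kt_remove_entry");

    ret = krb5_kt_close(context, id3);
    if (ret)
	krb5_err(context, 1, ret, "krb5_kt_close");

    krb5_kt_free_entry(context, &entry3);
}
```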
@@ -155,7 +182,7 @@
     test_empty_keytab(context, "FILE:foo");
     test_empty_keytab(context, "KRB4:foo");
 
-    test_memory_keytab(context, "MEMORY:foo");
+    test_memory_keytab(context, "MEMORY:foo", "MEMORY:foo2");
 
     krb5_free_context(context);
 
