
Re: Odd krb5_free_cred_contents problem (Heimdal 1.0.2, Solaris 9)



On Sat, 23 Feb 2008 11:32:57 -0800
Russ Allbery <rra@stanford.edu> wrote:

> Alf ran into an odd problem with my pam-krb5 module built statically with
> Heimdal 1.0.2 on Solaris 9 with the Sun Studio C version 11 compiler.
> 
> pam-krb5, when authentication failed, was dying with:
> 
> 23484:      Incurred fault #5, FLTACCESS  %pc = 0x001E1668
> 23484:        siginfo: SIGBUS BUS_ADRALN addr=0xAACA6001
> 23484:      Received signal #10, SIGBUS [default]
> 23484:        siginfo: SIGBUS BUS_ADRALN addr=0xAACA6001
> 
> Inside the module, it does:
> 
> int
> pamk5_password_auth(struct pam_args *args, const char *service,
>                     krb5_creds **creds)
> {
> /* ... */
>     *creds = calloc(1, sizeof(krb5_creds));
> /* ... */
>             retval = krb5_get_init_creds_password(ctx->context, *creds,
>                           ctx->princ, pass, pamk5_prompter_krb5, args, 0,
>                           (char *) service, opts);
>             success = (retval == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
> /* ... */
>         if (*creds != NULL) {
>             krb5_free_cred_contents(ctx->context, *creds);
>             free(*creds);
>             *creds = NULL;
>         }
> 
> The krb5_free_cred_contents here appears to be the culprit, even though
> the structure is initialized all-zeros.  If I apply this patch, the crash

Curiously I just noticed valgrind [1] complains about krb5_free_cred_contents
in my app:

==19908==  Address 0x12CB4020 is 8 bytes before a block of size 10 free'd
==19908==    at 0x4A0541E: free (vg_replace_malloc.c:233)
==19908==    by 0x12320AB7: free_general_string (in /usr/lib64/libplexcel.so.2.7.4)
==19908==    by 0x12341B6C: free_PrincipalName (in /usr/lib64/libplexcel.so.2.7.4)
==19908==    by 0x123411FC: free_Principal (in /usr/lib64/libplexcel.so.2.7.4)
==19908==    by 0x122804A3: krb5_free_principal (in /usr/lib64/libplexcel.so.2.7.4)
==19908==    by 0x122649C6: krb5_free_cred_contents (in /usr/lib64/libplexcel.so.2.7.4)
==19908==    by 0x12264C5A: krb5_free_creds (in /usr/lib64/libplexcel.so.2.7.4)
==19908==    by 0x1235BE74: init_auth (in /usr/lib64/libplexcel.so.2.7.4)
==19908==    by 0x1235C3E6: gss_krb5_init_sec_context (in /usr/lib64/libplexcel.so.2.7.4)
==19908==    by 0x122929CA: gss_init_sec_context (in /usr/lib64/libplexcel.so.2.7.4)

I'm using Heimdal 0.7.2 [2] on CentOS x86_64 w/ gcc also linked statically
(with many other libs into one big "libplexcel.so").

But from looking at free_PrincipalName's use of free_general_string I
could understand if it turned out valgrind just got confused. This code
has been used extensively without any reports of crashing in the code
in question.

  void
  free_PrincipalName(PrincipalName *data)
  {
      free_NAME_TYPE(&(data)->name_type);
      while((&(data)->name_string)->len){
          free_general_string(&(&(data)->name_string)->val[(&(data)->name_string)->len-1]);
          (&(data)->name_string)->len--;
      }
      free((&(data)->name_string)->val);
      (&(data)->name_string)->val = NULL; 
  }

Mike

[1] valgrind -v --tool=memcheck --num-callers=20 --leak-check=yes
     --leak-resolution=high /usr/sbin/httpd -X

[2] Heimdal has been modified in ways that *shouldn't* affect the error
    being discussed.

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
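Added example for this thread (not Heimdal's, pam-krb5's or libplexcel's code): a minimal model of the ASN.1-generated PrincipalName type and of the free_PrincipalName routine quoted above, showing why an all-zero structure (what calloc returns, as in the pam-krb5 fragment) is safe to hand to the free routine, and how each released pointer is reset so that a second call is a no-op rather than a double free. The type and field names follow Heimdal's generated code; build_PrincipalName, check_free_behaviour and the name components are assumptions constructed for the example.

```c
/* Added example, not code from the thread or from Heimdal: a model of the
 * generated PrincipalName type and its free routine, plus a self-check of
 * the two cases discussed (zeroed struct, populated struct freed twice). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int NAME_TYPE;                 /* simplified: an enum in Heimdal */
typedef char *heim_general_string;     /* same as Heimdal's typedef */

typedef struct PrincipalName {
    NAME_TYPE name_type;
    struct {
        unsigned int len;
        heim_general_string *val;
    } name_string;
} PrincipalName;

static void free_NAME_TYPE(NAME_TYPE *data) { (void)data; } /* nothing owned */

/* Releases one component; free(NULL) is defined to be a no-op. */
static void free_general_string(heim_general_string *data)
{
    free(*data);
    *data = NULL;
}

/* Same shape as the generated free_PrincipalName quoted in the thread:
 * release components from last to first, then the array, leaving
 * len == 0 and val == NULL so the structure is reusable or re-freeable. */
void free_PrincipalName(PrincipalName *data)
{
    free_NAME_TYPE(&data->name_type);
    while (data->name_string.len) {
        free_general_string(&data->name_string.val[data->name_string.len - 1]);
        data->name_string.len--;
    }
    free(data->name_string.val);
    data->name_string.val = NULL;
}

/* Assumed helper (not a Heimdal API): duplicate a C string with malloc. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* Assumed helper: build a PrincipalName from C string components.
 * Returns 0 on success, -1 on allocation failure (partial state is freed). */
int build_PrincipalName(PrincipalName *data, NAME_TYPE type,
                        const char *const *components, unsigned int n)
{
    memset(data, 0, sizeof(*data));
    data->name_type = type;
    data->name_string.val = calloc(n, sizeof(heim_general_string));
    if (data->name_string.val == NULL && n > 0)
        return -1;
    for (unsigned int i = 0; i < n; i++) {
        data->name_string.val[i] = dup_string(components[i]);
        if (data->name_string.val[i] == NULL) {
            free_PrincipalName(data);   /* len counts only allocated strings */
            return -1;
        }
        data->name_string.len = i + 1;
    }
    return 0;
}

/* 1. an all-zero structure freed without ever being filled in, and
 * 2. a populated structure freed twice. Returns 1 if both behave, else 0. */
int check_free_behaviour(void)
{
    PrincipalName zeroed;
    memset(&zeroed, 0, sizeof(zeroed));
    free_PrincipalName(&zeroed);              /* must be a harmless no-op */
    if (zeroed.name_string.len != 0 || zeroed.name_string.val != NULL)
        return 0;

    const char *const parts[] = { "host", "www.example.com" }; /* constructed */
    PrincipalName p;
    if (build_PrincipalName(&p, 1 /* NT-PRINCIPAL in RFC 4120 */, parts, 2) != 0)
        return 0;
    if (p.name_string.len != 2 || strcmp(p.name_string.val[1], "www.example.com") != 0)
        return 0;
    free_PrincipalName(&p);
    free_PrincipalName(&p);                   /* second call sees len 0 / val NULL */
    return p.name_string.len == 0 && p.name_string.val == NULL;
}

int main(void)
{
    int ok = check_free_behaviour();
    printf("free behaviour: %s\n", ok ? "ok" : "BROKEN");
    return ok ? 0 : 1;
}
```

Run under the valgrind invocation from footnote [1] the example should report no errors, because every pointer it frees is one it stored itself at the start of a heap block. valgrind's "Address ... is 8 bytes before a block of size 10 free'd" means free() was handed a pointer that does not begin a heap block, so when that appears in free_general_string it is worth checking that the caller and the library agree on the layout of the structure whose val array is being walked.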