The branch, master has been updated
       via  34f8ab774d1 s3/librpc/crypto: Fix double free with unresolved credential cache
      from  5e987e2f40e s3: VFS: Add cmocka test for vfs_full_audit to make sure all arrays are correct.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 34f8ab774d1484b0e60dbdec8ad2a1607ad92122
Author: Noel Power <noel.po...@suse.com>
Date:   Tue Apr 14 11:21:22 2020 +0100

    s3/librpc/crypto: Fix double free with unresolved credential cache
    
    We free gse_ctx->k5ctx but then free it again in the
    talloc dtor. This patch just lets the talloc dtor handle
    things and removes the extra krb5_free_context
    
    Failed to resolve credential cache 'DIR:/run/user/1000/krb5cc'! (No credentials cache found)
    ==30762== Invalid read of size 8
    ==30762==    at 0x108100F4: k5_os_free_context (in /usr/lib64/libkrb5.so.3.3)
    ==30762==    by 0x107EA661: krb5_free_context (in /usr/lib64/libkrb5.so.3.3)
    ==30762==    by 0x7945D2E: gse_context_destructor (gse.c:84)
    ==30762==    by 0x645FB49: _tc_free_internal (talloc.c:1157)
    ==30762==    by 0x645FEC5: _talloc_free_internal (talloc.c:1247)
    ==30762==    by 0x646118D: _talloc_free (talloc.c:1789)
    ==30762==    by 0x79462E4: gse_context_init (gse.c:241)
    ==30762==    by 0x794636E: gse_init_client (gse.c:268)
    ==30762==    by 0x7947602: gensec_gse_client_start (gse.c:786)
    ==30762==    by 0xBC87A3A: gensec_start_mech (gensec_start.c:743)
    ==30762==    by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774)
    ==30762==    by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633)
    ==30762==  Address 0x17259928 is 40 bytes inside a block of size 496 free'd
    ==30762==    at 0x4C2F50B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==30762==    by 0x79462CA: gse_context_init (gse.c:238)
    ==30762==    by 0x794636E: gse_init_client (gse.c:268)
    ==30762==    by 0x7947602: gensec_gse_client_start (gse.c:786)
    ==30762==    by 0xBC87A3A: gensec_start_mech (gensec_start.c:743)
    ==30762==    by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774)
    ==30762==    by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633)
    ==30762==    by 0xBC813E2: gensec_spnego_client_negTokenInit_start (spnego.c:537)
    ==30762==    by 0xBC84084: gensec_spnego_update_pre (spnego.c:1943)
    ==30762==    by 0xBC83AE5: gensec_spnego_update_send (spnego.c:1741)
    ==30762==    by 0xBC85622: gensec_update_send (gensec.c:449)
    ==30762==    by 0x551BFD0: cli_session_setup_gensec_local_next (cliconnect.c:997)
    ==30762==  Block was alloc'd at
    ==30762==    at 0x4C306B5: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==30762==    by 0x107EA7AE: krb5_init_context_profile (in /usr/lib64/libkrb5.so.3.3)
    ==30762==    by 0xB853215: smb_krb5_init_context_common (krb5_samba.c:3597)
    ==30762==    by 0x794615B: gse_context_init (gse.c:209)
    ==30762==    by 0x794636E: gse_init_client (gse.c:268)
    ==30762==    by 0x7947602: gensec_gse_client_start (gse.c:786)
    ==30762==    by 0xBC87A3A: gensec_start_mech (gensec_start.c:743)
    ==30762==    by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774)
    ==30762==    by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633)
    ==30762==    by 0xBC813E2: gensec_spnego_client_negTokenInit_start (spnego.c:537)
    ==30762==    by 0xBC84084: gensec_spnego_update_pre (spnego.c:1943)
    ==30762==    by 0xBC83AE5: gensec_spnego_update_send (spnego.c:1741)
    ==30762==
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14344
    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    
    Autobuild-User(master): Noel Power <npo...@samba.org>
    Autobuild-Date(master): Tue Apr 14 22:55:51 UTC 2020 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source3/librpc/crypto/gse.c | 4 ----
 1 file changed, 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 6675f4dc597..1cf111bd974 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -244,10 +244,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 
 err_out:
-       if (gse_ctx->k5ctx) {
-               krb5_free_context(gse_ctx->k5ctx);
-       }
-
        TALLOC_FREE(gse_ctx);
        return status;
 }
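Review bot: the err_out path now relies entirely on gse_context_destructor (gse.c:84 in the valgrind trace) to release gse_ctx->k5ctx, so the correctness of this hunk depends on that destructor tolerating a NULL k5ctx for the error paths reached before smb_krb5_init_context_common (gse.c:209) has succeeded; worth confirming that check exists in the destructor, since it is not visible in this diff. With the manual krb5_free_context() gone, gse_ctx has exactly one owner for k5ctx, which is the right shape: a talloc destructor that frees a resource must be the only code that frees it, otherwise TALLOC_FREE(gse_ctx) turns every "clean up before freeing" line into the double free valgrind reports at gse.c:238/241. A one-line comment above TALLOC_FREE(gse_ctx) noting that k5ctx is released by the destructor would stop the explicit free from being reintroduced later.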


-- 
Samba Shared Repository
