================================================================= ==20964==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000280b0 at pc 0x7ff28a03d66e bp 0x7fffb880f280 sp 0x7fffb880ea28 READ of size 16 at 0x60b0000280b0 thread T0 #0 0x7ff28a03d66d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) #1 0x7ff284b90a1c in talloc_strdup ../../lib/talloc/talloc.c:2471 #2 0x7ff2819ff186 in continue_ip_open_socket ../../source4/librpc/rpc/dcerpc_sock.c:267 #3 0x7ff27ed54a6f in composite_done ../../source4/libcli/composite/composite.c:143 #4 0x7ff2819ffc98 in continue_socket_connect ../../source4/librpc/rpc/dcerpc_sock.c:118 #5 0x7ff27ed54a6f in composite_done ../../source4/libcli/composite/composite.c:143 #6 0x7ff27ed54459 in socket_connect_handler ../../source4/lib/socket/connect.c:131 #7 0x7ff28407c7d3 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:138 #8 0x7ff284090c65 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:736 #9 0x7ff284090c65 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:937 #10 0x7ff284089612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #11 0x7ff28407ae16 in _tevent_loop_once ../../lib/tevent/tevent.c:772 #12 0x7ff27ed54970 in composite_wait ../../source4/libcli/composite/composite.c:58 #13 0x7ff281a0ed39 in dcerpc_pipe_connect_b_recv ../../source4/librpc/rpc/dcerpc_connect.c:1100 #14 0x7ff281a0ef04 in dcerpc_pipe_connect_b ../../source4/librpc/rpc/dcerpc_connect.c:1128 #15 0x7ff272dbe891 in libnet_JoinDomain (bin/shared/private/libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so+0x59891) #16 0x7ff272dc19d0 in libnet_Join_member (bin/shared/private/libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so+0x5c9d0) #17 0x7ff27304401a in py_net_join_member ../../source4/libnet/py_net.c:143 #18 0x5030d4 (/usr/bin/python3.6+0x5030d4) #19 0x507640 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507640) #20 0x504c27 (/usr/bin/python3.6+0x504c27) #21 0x501b2d in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501b2d) #22 0x591460 (/usr/bin/python3.6+0x591460) #23 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd) #24 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16) #25 0x504c27 (/usr/bin/python3.6+0x504c27) #26 0x501b2d in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501b2d) #27 0x591460 (/usr/bin/python3.6+0x591460) #28 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd) #29 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16) #30 0x504c27 (/usr/bin/python3.6+0x504c27) #31 0x501ba6 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501ba6) #32 0x591460 (/usr/bin/python3.6+0x591460) #33 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd) #34 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16) #35 0x504c27 (/usr/bin/python3.6+0x504c27) #36 0x501ba6 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501ba6) #37 0x591460 (/usr/bin/python3.6+0x591460) #38 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd) #39 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16) #40 0x504c27 (/usr/bin/python3.6+0x504c27) #41 0x506392 in PyEval_EvalCode (/usr/bin/python3.6+0x506392) #42 0x634d51 (/usr/bin/python3.6+0x634d51) #43 0x634e09 in PyRun_FileExFlags (/usr/bin/python3.6+0x634e09) #44 0x6385c7 in PyRun_SimpleFileExFlags (/usr/bin/python3.6+0x6385c7) #45 0x639159 in Py_Main (/usr/bin/python3.6+0x639159) #46 0x4a6f0f in main (/usr/bin/python3.6+0x4a6f0f) #47 0x7ff2893b8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #48 0x5afa09 in _start (/usr/bin/python3.6+0x5afa09) 0x60b0000280b0 is located 96 bytes inside of 112-byte region [0x60b000028050,0x60b0000280c0) freed by thread T0 here: #0 0x7ff28a0ca7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8) #1 0x7ff284b9ae6d in _tc_free_internal ../../lib/talloc/talloc.c:1221 #2 0x7ff284b9a4ca in _tc_free_children_internal ../../lib/talloc/talloc.c:1666 #3 0x7ff284b9a4ca in _tc_free_internal ../../lib/talloc/talloc.c:1183 #4 0x7ff284b88baf in _tc_free_children_internal ../../lib/talloc/talloc.c:1666 #5 0x7ff284b88baf in _tc_free_internal ../../lib/talloc/talloc.c:1183 #6 0x7ff284b88baf in _talloc_free_internal ../../lib/talloc/talloc.c:1247 #7 0x7ff284b88baf in _talloc_free ../../lib/talloc/talloc.c:1789 #8 0x7ff2819fe8e5 in dcerpc_pipe_open_socket_recv ../../source4/librpc/rpc/dcerpc_sock.c:180 #9 0x7ff2819ff11b in continue_ip_open_socket ../../source4/librpc/rpc/dcerpc_sock.c:240 #10 0x7ff27ed54a6f in composite_done ../../source4/libcli/composite/composite.c:143 #11 0x7ff2819ffc98 in continue_socket_connect ../../source4/librpc/rpc/dcerpc_sock.c:118 #12 0x7ff27ed54a6f in composite_done ../../source4/libcli/composite/composite.c:143 #13 0x7ff27ed54459 in socket_connect_handler ../../source4/lib/socket/connect.c:131 #14 0x7ff28407c7d3 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:138 #15 0x7ff284090c65 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:736 #16 0x7ff284090c65 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:937 #17 0x7ff284089612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #18 0x7ff28407ae16 in _tevent_loop_once ../../lib/tevent/tevent.c:772 #19 0x7ff27ed54970 in composite_wait ../../source4/libcli/composite/composite.c:58 #20 0x7ff281a0ed39 in dcerpc_pipe_connect_b_recv ../../source4/librpc/rpc/dcerpc_connect.c:1100 #21 0x7ff281a0ef04 in dcerpc_pipe_connect_b ../../source4/librpc/rpc/dcerpc_connect.c:1128 #22 0x7ff272dbe891 in libnet_JoinDomain (bin/shared/private/libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so+0x59891) #23 0x7ff272dc19d0 in libnet_Join_member (bin/shared/private/libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so+0x5c9d0) #24 0x7ff27304401a in py_net_join_member ../../source4/libnet/py_net.c:143 #25 0x5030d4 (/usr/bin/python3.6+0x5030d4) previously allocated by thread T0 here: #0 0x7ff28a0cab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x7ff284b90fbb in __talloc_with_prefix ../../lib/talloc/talloc.c:782 #2 0x7ff284b90fbb in __talloc ../../lib/talloc/talloc.c:824 #3 0x7ff284b90fbb in __talloc_strlendup ../../lib/talloc/talloc.c:2455 #4 0x7ff284b90fbb in talloc_strdup ../../lib/talloc/talloc.c:2471 #5 0x7ff27ed4ef67 in ipv6_tcp_get_my_addr ../../source4/lib/socket/socket_ip.c:1002 #6 0x7ff27ed518dd in socket_get_my_addr ../../source4/lib/socket/socket.c:347 #7 0x7ff2819ff836 in continue_socket_connect ../../source4/librpc/rpc/dcerpc_sock.c:68 #8 0x7ff27ed54a6f in composite_done ../../source4/libcli/composite/composite.c:143 #9 0x7ff27ed54459 in socket_connect_handler ../../source4/lib/socket/connect.c:131 #10 0x7ff28407c7d3 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:138 #11 0x7ff284090c65 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:736 #12 0x7ff284090c65 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:937 #13 0x7ff284089612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #14 0x7ff28407ae16 in _tevent_loop_once ../../lib/tevent/tevent.c:772 #15 0x7ff27ed54970 in composite_wait ../../source4/libcli/composite/composite.c:58 #16 0x7ff281a0ed39 in dcerpc_pipe_connect_b_recv ../../source4/librpc/rpc/dcerpc_connect.c:1100 #17 0x7ff281a0ef04 in dcerpc_pipe_connect_b ../../source4/librpc/rpc/dcerpc_connect.c:1128 #18 0x7ff272dbe891 in libnet_JoinDomain (bin/shared/private/libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so+0x59891) #19 0x7ff272dc19d0 in libnet_Join_member (bin/shared/private/libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so+0x5c9d0) #20 0x7ff27304401a in py_net_join_member ../../source4/libnet/py_net.c:143 #21 0x5030d4 (/usr/bin/python3.6+0x5030d4) SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d) Shadow bytes around the buggy address: 0x0c167fffcfc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c167fffcfd0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 0x0c167fffcfe0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 0x0c167fffcff0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c167fffd000: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fd fd =>0x0c167fffd010: fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa 0x0c167fffd020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fffd030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fffd040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fffd050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fffd060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==20964==ABORTING