GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) r
Starting program: /usr/local/bin/net -U Administrator%PASSWRD vampire CONCERTIA
[Thread debugging using libthread_db enabled]
[New Thread 0xf73bfae0 (LWP 7525)]
talloc: double free error - first free may be at librpc/rpc/dcerpc_connect.c:809
Bad talloc magic value - double free
PANIC: Bad talloc magic value - double free
BACKTRACE: 36 stack frames:
#0 /usr/local/bin/net(call_backtrace+0x2b) [0x86e31db]
#1 /usr/local/bin/net(smb_panic+0x226) [0x86e34b5]
#2 /usr/local/bin/net [0x86fc207]
#3 /usr/local/bin/net [0x86fc2b0]
#4 /usr/local/bin/net [0x86fc3be]
#5 /usr/local/bin/net [0x86fcb20]
#6 /usr/local/bin/net(_talloc_steal_loc+0xb4) [0x86fcd77]
#7 /usr/local/bin/net(data_blob_talloc_named+0x58) [0x86e8aea]
#8 /usr/local/bin/net [0x81c17cb]
#9 /usr/local/bin/net(gensec_update+0x3a) [0x81b93ed]
#10 /usr/local/bin/net [0x81e854d]
#11 /usr/local/bin/net [0x81e964e]
#12 /usr/local/bin/net(gensec_update+0x3a) [0x81b93ed]
#13 /usr/local/bin/net [0x815a26e]
#14 /usr/local/bin/net(smb_composite_sesssetup_send+0x1a7) [0x815a5bf]
#15 /usr/local/bin/net [0x8158225]
#16 /usr/local/bin/net [0x815885a]
#17 /usr/local/bin/net [0x8158945]
#18 /usr/local/bin/net [0x8162724]
#19 /usr/local/bin/net(packet_recv+0x756) [0x8213666]
#20 /usr/local/bin/net [0x816160d]
#21 /usr/local/bin/net [0x86d3450]
#22 /usr/local/bin/net [0x86d3b00]
#23 /usr/local/bin/net(_tevent_loop_once+0xdf) [0x86cfe7b]
#24 /usr/local/bin/net(composite_wait+0x44) [0x8248a3e]
#25 /usr/local/bin/net [0x80dc8f3]
#26 /usr/local/bin/net(libnet_RpcConnect_recv+0xb4) [0x80dcce6]
#27 /usr/local/bin/net(libnet_RpcConnect+0x5e) [0x80dcd7a]
#28 /usr/local/bin/net(libnet_JoinDomain+0x197) [0x80de162]
#29 /usr/local/bin/net(libnet_Vampire+0x1bd) [0x80ea9a2]
#30 /usr/local/bin/net(net_vampire+0x17f) [0x80d282f]
#31 /usr/local/bin/net(net_run_function+0xc5) [0x80d0d11]
#32 /usr/local/bin/net [0x80d151e]
#33 /usr/local/bin/net(main+0x22) [0x80d15b8]
#34 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xf73d6685]
#35 /usr/local/bin/net [0x80d0941]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xf73bfae0 (LWP 7525)]
0xf7738430 in __kernel_vsyscall ()
(gdb) bt full
#0 0xf7738430 in __kernel_vsyscall ()
No symbol table info available.
#1 0xf73eb8a0 in raise () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#2 0xf73ed268 in abort () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#3 0x086e34ce in smb_panic (why=0x8856e5c "Bad talloc magic value - double free") at ../lib/util/fault.c:150
        result = 146710952
        __FUNCTION__ = "smb_panic"
#4 0x086fc207 in talloc_abort (reason=0x8856e5c "Bad talloc magic value - double free") at ../lib/talloc/talloc.c:202
No locals.
#5 0x086fc2b0 in talloc_abort_double_free () at ../lib/talloc/talloc.c:218
No locals.
#6 0x086fc3be in talloc_chunk_from_ptr (ptr=0x8bd6c98) at ../lib/talloc/talloc.c:239 pp = 0x8bd6c98 "\002" tc = (struct talloc_chunk *) 0x8bd6c68 #7 0x086fcb20 in _talloc_steal_internal (new_ctx=0x8bd6c98, ptr=0x8bedb40) at ../lib/talloc/talloc.c:708 tc = (struct talloc_chunk *) 0x8bedb10 new_tc = (struct talloc_chunk *) 0x8bedb10 #8 0x086fcd77 in _talloc_steal_loc (new_ctx=0x8bd6c98, ptr=0x8bedb40, location=0x8852467 "../lib/util/data_blob.c:65") at ../lib/talloc/talloc.c:758 tc = (struct talloc_chunk *) 0x8bedb10 #9 0x086e8aea in data_blob_talloc_named (mem_ctx=0x8bd6c98, p=0x8bf04b0, length=3285, name=0x872be00 "DATA_BLOB: auth/gensec/gensec_gssapi.c:543") at ../lib/util/data_blob.c:65 __talloc_steal_ret = (uint8_t *) 0x886f448 "\210ç\206\bh¦s÷\200\020s÷ÐpB÷`ü]÷ \233I÷ªö\f\bàÐ>÷0¯p÷Úö\f\bêö\f\búö\f\b`Ä>÷\032÷\f\b\220\bK÷\020\235@÷J÷\f\bZ÷\f\b`\203p÷z÷\f\b\212÷\f\b\232÷\f\b\220ÜE÷" ret = {data = 0x8bedb40 "`\202\fÑ\006\t*\206H\206÷\022\001\002\002\001", length = 3285} #10 0x081c17cb in gensec_gssapi_update (gensec_security=0x8be8730, out_mem_ctx=0x8bd6c98, in={data = 0x0, length = 0}, out=0xffc3532c) at auth/gensec/gensec_gssapi.c:543 gensec_gssapi_state = (struct gensec_gssapi_state *) 0x8be87a0 nt_status = {v = 3221225581} maj_stat = 1 min_stat = 0 min_stat2 = 4290990400 input_token = {length = 0, value = 0x0} output_token = {length = 3285, value = 0x8bf04b0} gss_oid_p = (gss_OID) 0x8870630 __FUNCTION__ = "gensec_gssapi_update" #11 0x081b93ed in gensec_update (gensec_security=0x8be8730, out_mem_ctx=0x8bd6c98, in={data = 0x0, length = 0}, out=0xffc3532c) at auth/gensec/gensec.c:983 No locals. 
#12 0x081e854d in gensec_spnego_parse_negTokenInit (gensec_security=0x8bd8010, spnego_state=0x8bd81a0, out_mem_ctx=0x8bd6c98, mechType=0x8bd8488, unwrapped_in={data = 0x0, length = 0}, unwrapped_out=0xffc3532c) at auth/gensec/spnego.c:485 i = 0 nt_status = {v = 0} null_data_blob = {data = 0x0, length = 0} ok = true all_sec = (const struct gensec_security_ops_wrapper *) 0x8bd8248 __FUNCTION__ = "gensec_spnego_parse_negTokenInit" #13 0x081e964e in gensec_spnego_update (gensec_security=0x8bd8010, out_mem_ctx=0x8bd6c98, in={data = 0x8bd6d98 "[0x86cfe7b]\n", length = 100}, out=0x8bd6cac) at auth/gensec/spnego.c:832 my_mechs = {0x0, 0x0} nt_status = {v = 3221225485} spnego_state = (struct spnego_state *) 0x8bd81a0 null_data_blob = {data = 0x0, length = 0} mech_list_mic = {data = 0x0, length = 0} unwrapped_out = {data = 0x0, length = 0} spnego_out = {type = 141547816, negTokenInit = {mechTypes = 0x8bd8010, reqFlags = {data = 0x1c
, length = 141746592}, reqFlagsPadding = 0 '\0', mechToken = {data = 0x0, length = 143062088}, mechListMIC = {data = 0xffc35348 "\210SÃÿr\207\033\b\200SÃÿ\020\200½\bd\205r\b \201½\bd", length = 136214076}, targetPrincipal = 0xffc35328 ""}, negTokenTarg = { negResult = 0 '\0', supportedMech = 0x0, responseToken = {data = 0x872e1b4 "DATA_BLOB: auth/gensec/spnego.c:66", length = 146632240}, mechListMIC = {data = 0x8728589 "auth/gensec/gensec.c:185", length = 0}}} spnego = {type = 0, negTokenInit = {mechTypes = 0x8bd8488, reqFlags = {data = 0x0, length = 0}, reqFlagsPadding = 0 '\0', mechToken = {data = 0x0, length = 0}, mechListMIC = {data = 0x0, length = 0}, targetPrincipal = 0x8be8620 ""}, negTokenTarg = {negResult = 0 '\0', supportedMech = 0x0, responseToken = {data = 0x0, length = 0}, mechListMIC = {data = 0x0, length = 0}}} len = 100 __FUNCTION__ = "gensec_spnego_update" #14 0x081b93ed in gensec_update (gensec_security=0x8bd8010, out_mem_ctx=0x8bd6c98, in={data = 0x8bd6d98 "[0x86cfe7b]\n", length = 100}, out=0x8bd6cac) at auth/gensec/gensec.c:983 No locals. 
#15 0x0815a26e in session_setup_spnego (c=0x8bd6c48, session=0x8bd7a10, io=0x8bd6bf8, req=0x8bd6ce8) at libcli/smb_composite/sesssetup.c:487 state = (struct sesssetup_state *) 0x8bd6c98 status = {v = 0} chosen_oid = 0x8713dbf "1.3.6.1.5.5.2" __FUNCTION__ = "session_setup_spnego" #16 0x0815a5bf in smb_composite_sesssetup_send (session=0x8bd7a10, io=0x8bd6bf8) at libcli/smb_composite/sesssetup.c:559 c = (struct composite_context *) 0x8bd6c48 state = (struct sesssetup_state *) 0x8bd6c98 status = {v = 4290991192} #17 0x08158225 in connect_negprot (c=0x8bd7f10, io=0x8bd7720) at libcli/smb_composite/connect.c:262 state = (struct connect_state *) 0x8bd7848 status = {v = 0} #18 0x0815885a in state_handler (c=0x8bd7f10) at libcli/smb_composite/connect.c:410 state = (struct connect_state *) 0x8bd7848 #19 0x08158945 in request_handler (req=0x8bd7fc8) at libcli/smb_composite/connect.c:441 c = (struct composite_context *) 0x8bd7f10 #20 0x08162724 in smbcli_transport_finish_recv (private_data=0x8bd6e68, blob={data = 0x8bd6bf8 "", length = 189}) at libcli/raw/clitransport.c:501 transport = (struct smbcli_transport *) 0x8bd6e68 buffer = (uint8_t *) 0x8bd6bf8 "" hdr = (uint8_t *) 0x8bd6bfc "ýó\001\200\b\235¼\bÀú±\bÀw½\b" vwv = (uint8_t *) 0x8bd6c1d "" len = 189 wct = 17 mid = 1 op = 114 req = (struct smbcli_request *) 0x8bd7fc8 __FUNCTION__ = "smbcli_transport_finish_recv" #21 0x08213666 in packet_recv (pc=0x8bd6f40) at lib/stream/packet.c:414 npending = 185 status = {v = 0} nread = 185 blob = {data = 0x8bd6bf8 "", length = 189} recv_retry = false __FUNCTION__ = "packet_recv" #22 0x0816160d in smbcli_transport_event_handler (ev=0x8b0b550, fde=0x8bd75e8, flags=1, private_data=0x8bd6e68) at libcli/raw/clitransport.c:43 transport = (struct smbcli_transport *) 0x8bd6e68 #23 0x086d3450 in epoll_event_loop (std_ev=0x8b0b5c0, tvalp=0xffc356b4) at ../lib/tevent/tevent_standard.c:309 fde = (struct tevent_fd *) 0x8bd75e8 flags = 1 ret = 1 i = 0 events = {{events = 1, data = {ptr = 0x8bd75e8, 
fd = 146634216, u32 = 146634216, u64 = 146634216}}} timeout = 59999 #24 0x086d3b00 in std_event_loop_once (ev=0x8b0b550, location=0x8742e74 "libcli/composite/composite.c:60") at ../lib/tevent/tevent_standard.c:544 std_ev = (struct std_event_context *) 0x8b0b5c0 tval = {tv_sec = 59, tv_usec = 998630} #25 0x086cfe7b in _tevent_loop_once (ev=0x8b0b550, location=0x8742e74 "libcli/composite/composite.c:60") at ../lib/tevent/tevent.c:490 ret = 0 nesting_stack_ptr = (void *) 0x0 #26 0x08248a3e in composite_wait (c=0x8bd4a88) at libcli/composite/composite.c:60 No locals. #27 0x080dc8f3 in libnet_RpcConnectDCInfo_recv (c=0x8bd4a88, ctx=0x8bd5170, mem_ctx=0x8bd50c0, r=0x8bd4a20) at libnet/libnet_rpc.c:873 status = {v = 143062088} s = (struct rpc_connect_dci_state *) 0x8bd4ad8 #28 0x080dcce6 in libnet_RpcConnect_recv (c=0x8bd4a88, ctx=0x8bd5170, mem_ctx=0x8bd50c0, r=0x8bd4a20) at libnet/libnet_rpc.c:973 No locals. #29 0x080dcd7a in libnet_RpcConnect (ctx=0x8bd5170, mem_ctx=0x8bd50c0, r=0x8bd4a20) at libnet/libnet_rpc.c:997 c = (struct composite_context *) 0x8bd4a88 #30 0x080de162 in libnet_JoinDomain (ctx=0x8bd5170, mem_ctx=0x8bd48b0, r=0x8bd48b0) at libnet/libnet_join.c:507 tmp_ctx = (TALLOC_CTX *) 0x8bd50c0 status = {v = 81} cu_status = {v = 146622792} connect_with_info = (struct libnet_RpcConnect *) 0x8bd4a20 samr_pipe = (struct dcerpc_pipe *) 0x86fc98a sc = {in = {system_name = 0x8bd4948, access_mask = 146622744}, out = {connect_handle = 0x886f448, result = {v = 4290992680}}} p_handle = {handle_type = 0, uuid = {time_low = 146622640, time_mid = 18712, time_hi_and_version = 2237, clock_seq = "Hô", node = "\206\b(ZÃÿ"}} od = {in = {connect_handle = 0x0, access_mask = 4148377797, sid = 0x86fc367}, out = {domain_handle = 0x8bd4880, result = {v = 4149326144}}} d_handle = {handle_type = 143062088, uuid = {time_low = 146622328, time_mid = 40948, time_hi_and_version = 63313, clock_seq = "gÃ", node = "o\b@\231Q÷"}} ln = {in = {domain_handle = 0xffc359c8, num_names = 8, names = 
0x8bd47a8}, out = {rids = 0xffc359d8, types = 0x8bd4778, result = {v = 146624992}}} rids = {count = 146622328, ids = 0xffffffff} types = {count = 0, ids = 0x8bd4910} ou = {in = {domain_handle = 0x0, access_mask = 0, rid = 146625040}, out = {user_handle = 0x0, result = {v = 143062088}}} cu = {in = {domain_handle = 0x0, account_name = 0x0, acct_flags = 0, access_mask = 0}, out = {user_handle = 0x8bd4918, access_granted = 0x0, rid = 0x86fc367, result = {v = 134217728}}} u_handle = (struct policy_handle *) 0x8bd49d8 qui = {in = {user_handle = 0x8bd494d, level = 146622792}, out = {info = 0x8bd494d, result = {v = 0}}} uinfo = (union samr_UserInfo *) 0x8bd494d u_info21 = {last_logon = 17815181265969601375, last_logoff = 17821195766370935744, last_password_change = 72868802936, acct_expiry = 8443333492, allow_password_change = 629544452137943041, force_password_change = 579046971010253536, account_name = {length = 52136, size = 63292, string = 0xf7431951 "\201ã\206\016"}, full_name = {length = 18232, size = 2237, string = 0xf751b140 ""}, home_directory = {length = 0, size = 0, string = 0x8bd5d40 ""}, home_drive = {length = 45424, size = 63313, string = 0x8bd4798 "p\f\025è"}, logon_script = {length = 1448, size = 0, string = 0xf742d844 "\201ðÇ\016"}, profile_path = {length = 62135, size = 63311, string = 0xf7500d40 "*** glibc detected *** %s: %s: 0x%s ***\n"}, description = {length = 40948, size = 63313, string = 0x8bd494d ""}, workstations = {length = 22808, size = 65475, string = 0xf742ecff "\213E\f\211G\020\211G\f\211G\004\213E\024\205Àt>\213U\024\211w\030\211W\024\211W\bÇ\207\230"}, comment = { length = 22844, size = 65475, string = 0x8bd4948 "MAIL$"}, parameters = {length = 18765, size = 2237, array = 0xf73ff9cb}, lm_owf_password = {length = 40948, size = 63313, array = 0xffc3593c}, nt_owf_password = {length = 18760, size = 2237, array = 0xffc35a28}, unknown3 = {length = 33092, size = 63298, string = 0xffc3593c "\001\200­ûHI½\bHI½\bHI½\bHI½\bMI½\bMI½\bHI½\bMI½\b"}, 
buf_count = 141577372, buffer = 0xffc35a9c "°H½\bÀG½\bHô\206\bØZÃÿðG½\bÀG½\bHô\206\bØZÃÿ\212Éo\bðG½\bðúo\bÀG½\bhA½\bHô\206\bÀG½\b\b[ÃÿnÉo\bðG½\b¡\ap\bH\210¼\b\003", rid = 146622792, primary_gid = 0, acct_flags = 4290992604, fields_present = 5, logon_hours = {units_per_week = 32769, bits = 0x8bd4948 "MAIL$"}, bad_password_count = 18760, logon_count = 2237, country_code = 18760, code_page = 2237, lm_password_set = 72 'H', nt_password_set = 73 'I', password_expired = 189 '½', unknown4 = 8 '\b'} r2 = {generic = {level = LIBNET_SET_PASSWORD_GENERIC, in = {account_name = 0xf7735bbc "symbol=%s; lookup in file=%s [%lu]\n", domain_name = 0xffc358a0 "\020", newpassword = 0xf751b1b0 ""}, out = { error_string = 0xf74ff2b7 "%s\n"}}, samr_handle = {level = LIBNET_SET_PASSWORD_GENERIC, in = {account_name = 0xf7735bbc "symbol=%s; lookup in file=%s [%lu]\n", user_handle = 0xffc358a0, dcerpc_pipe = 0xf751b1b0, newpassword = 0xf74ff2b7 "%s\n", info21 = 0xf7500d40}, out = {error_string = 0x0}}, samr = {level = LIBNET_SET_PASSWORD_GENERIC, in = { account_name = 0xf7735bbc "symbol=%s; lookup in file=%s [%lu]\n", domain_name = 0xffc358a0 "\020", newpassword = 0xf751b1b0 ""}, out = {error_string = 0xf74ff2b7 "%s\n"}}, krb5 = { level = LIBNET_SET_PASSWORD_GENERIC, in = {account_name = 0xf7735bbc "symbol=%s; lookup in file=%s [%lu]\n", domain_name = 0xffc358a0 "\020", newpassword = 0xf751b1b0 ""}, out = { error_string = 0xf74ff2b7 "%s\n"}}, ldap = {level = LIBNET_SET_PASSWORD_GENERIC, in = {account_name = 0xf7735bbc "symbol=%s; lookup in file=%s [%lu]\n", domain_name = 0xffc358a0 "\020", newpassword = 0xf751b1b0 ""}, out = {error_string = 0xf74ff2b7 "%s\n"}}, rap = {level = LIBNET_CHANGE_PASSWORD_GENERIC, in = {account_name = 0xf7735bbc "symbol=%s; lookup in file=%s [%lu]\n", domain_name = 0xffc358a0 "\020", newpassword = 0xf751b1b0 ""}, out = {error_string = 0xf74ff2b7 "%s\n"}}} pwp = {in = {user_handle = 0x2}, out = {info = 0xf7430b74, result = {v = 4149326144}}} info = 
{min_password_length = 6481, password_properties = 146620960} samr_account_name = {length = 10, size = 0, string = 0xffc358d4 "p±Q÷\230G½\b¨\005"} acct_flags = 4290992792 old_acct_flags = 146622792 rid = 4149544700 access_granted = 4151549940 policy_min_pw_len = 0 account_sid = (struct dom_sid *) 0x0 password_str = 0x0 #31 0x080ea9a2 in libnet_Vampire (ctx=0x8bd5170, mem_ctx=0x8bd47f0, r=0x8bd47f0) at libnet/libnet_vampire.c:664 join = (struct libnet_JoinDomain *) 0x8bd48b0 set_secrets = (struct provision_store_self_join_settings *) 0xffc35c84 b = {in = {domain_dns_name = 0x86ffaf0 "U\211åWVSèÆ\032\235ÿ\201ÃMù\026", domain_netbios_name = 0x8bd47c0 "HE½\b", domain_sid = 0x8bd4168, source_dsa_address = 0x886f448 "\210ç\206\bh¦s÷\200\020s÷ÐpB÷`ü]÷ \233I÷ªö\f\bàÐ>÷0¯p÷Úö\f\bêö\f\búö\f\b`Ä>÷\032÷\f\b\220\bK÷\020\235@÷J÷\f\bZ÷\f\b`\203p÷z÷\f\b\212÷\f\b\232÷\f\b\220ÜE÷", dest_dsa_netbios_name = 0x8bd47c0 "HE½\b", callbacks = {private_data = 0xffc35b08, check_options = 0x86fc96e <_talloc_named_const+68>, prepare_db = 0x8bd47f0, schema_chunk = 0x87007a1, config_chunk = 0x8bc8848, domain_chunk = 0x3}}, out = {error_string = 0x8bd5210 "¸E½\bI"}} s = (struct vampire_state *) 0x8bd4840 msg = (struct ldb_message *) 0x8bd51b0 error_string = 0x8bd47f0 "xE½\b@û±\b" ldb_ret = 146622448 i = 4290992936 status = {v = 141543818} account_name = 0x8bd4948 "MAIL$" netbios_name = 0x8b1fb40 "MAIL" #32 0x080d282f in net_vampire (ctx=0x8bd4198, argc=1, argv=0x8b953a0) at utils/net/net_vampire.c:224 status = {v = 1} libnetctx = (struct libnet_context *) 0x8bd5170 r = (struct libnet_Vampire *) 0x8bd47f0 tmp = 0x8bd4578 "CONCERTIA" targetdir = 0x0 domain_name = 0x8bd4578 "CONCERTIA" #33 0x080d0d11 in net_run_function (ctx=0x8bd4198, argc=2, argv=0x8b9539c, functable=0x886a420, usage_fn=0x80d1108 ) at utils/net/net.c:150 i = 5 #34 0x080d151e in binary_net (argc=5, argv=0xffc35d74) at utils/net/net.c:370 opt = -1 i = 3 rc = 0 argc_new = 3 py_cmds = (PyObject *) 0xf5e724f4 py_cmd = (PyObject *) 0x0 
argv_new = (const char **) 0x8b95398 ev = (struct tevent_context *) 0x8b0b550 ctx = (struct net_context *) 0x8bd4198 pc = (poptContext) 0x8bc81d8 long_options = {{longName = 0x0, shortName = 0 '\0', argInfo = 4, arg = 0x886fca0, val = 0, descrip = 0x86fff97 "Help options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\0', argInfo = 4, arg = 0x886fb40, val = 0, descrip = 0x86fffa5 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\0', argInfo = 4, arg = 0x886fa20, val = 0, descrip = 0x86fffbb "Connection options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\0', argInfo = 4, arg = 0x886f920, val = 0, descrip = 0x86fffcf "Authentication options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\0', argInfo = 4, arg = 0x886fc40, val = 0, descrip = 0x86fffa5 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\0', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}} __FUNCTION__ = "binary_net" #35 0x080d15b8 in main (argc=) at utils/net/net.c:383 No locals. (gdb) quit    The program is running. Exit anyway? (y or n)