In init_sam_from_buffer_v0 and init_sam_from_buffer_v1 (or just
init_sam_from_buffer in older versions), if the call to tdb_unpack() fails for
some reason, control passes to the label "done"; the code then frees a number of
pointers which may never have been initialized. This can cause the process in
question to crash; it certainly has on Linux (glibc's malloc/free doesn't do
much in the way of sanity checks, I believe). The fix is simple: initialize the
various pointers to NULL, so that in case of unpack failure the free is a no-op,
as was apparently intended.
One thing that can trigger this bug is trying to downgrade a system from 3.0.4
to 3.0.2a; any records that have been written in the _v1 format will have a time
value (when the password must change) where the old unpacker expects to find the
length of the username.
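The pattern the report describes, as an added example that is not Samba's code: a toy unpacker stands in for tdb_unpack(), `init_sam_buggy` has the uninitialized-pointer shape (every path reaches the "done" label, which frees temporaries that may never have been set), and `init_sam_fixed` applies the NULL-initialization fix so that free() is a no-op for anything that was never unpacked while a field unpacked before the failure is still released. The record format and the byte buffers (including the "downgrade" buffer, where a 4-byte time value sits where the old unpacker expects a 1-byte username length) are constructed for the example; the function names and `sam_account` struct are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical account record, standing in for the SAM account that
 * tdb_unpack() fills in Samba. */
typedef struct {
    char *username;
    char *fullname;
} sam_account;

/* Toy stand-in for tdb_unpack() (constructed format): each field is a 1-byte
 * length followed by that many bytes. Returns 0 and sets *out to a malloc'd
 * copy, or -1 if the buffer is truncated or the length does not fit. */
static int toy_unpack_string(const uint8_t *buf, size_t buflen,
                             size_t *off, char **out)
{
    if (*off >= buflen) return -1;
    size_t len = buf[*off];
    if (len > buflen - *off - 1) return -1;   /* length runs past the buffer */
    char *s = malloc(len + 1);
    if (s == NULL) return -1;
    memcpy(s, buf + *off + 1, len);
    s[len] = '\0';
    *out = s;
    *off += 1 + len;
    return 0;
}

/* Shape of the bug in the report: the temporaries are declared but not
 * initialized, and "done" frees them on every path. If the first unpack
 * fails, free() sees two indeterminate pointers; if only the second fails,
 * it sees one. Never call this with a malformed buffer. */
int init_sam_buggy(sam_account *acct, const uint8_t *buf, size_t buflen)
{
    char *username, *fullname;          /* BUG: indeterminate values */
    size_t off = 0;
    int ret = -1;

    if (toy_unpack_string(buf, buflen, &off, &username) != 0) goto done;
    if (toy_unpack_string(buf, buflen, &off, &fullname) != 0) goto done;
    acct->username = strdup(username);
    acct->fullname = strdup(fullname);
    ret = (acct->username && acct->fullname) ? 0 : -1;
done:
    free(username);                     /* undefined behaviour on failure */
    free(fullname);
    return ret;
}

/* The fix from the report: start every temporary at NULL. free(NULL) is
 * defined to do nothing, so the unconditional frees at "done" are safe on
 * the failure path and still release whatever was unpacked before it. */
int init_sam_fixed(sam_account *acct, const uint8_t *buf, size_t buflen)
{
    char *username = NULL, *fullname = NULL;
    size_t off = 0;
    int ret = -1;

    if (toy_unpack_string(buf, buflen, &off, &username) != 0) goto done;
    if (toy_unpack_string(buf, buflen, &off, &fullname) != 0) goto done;
    acct->username = strdup(username);
    acct->fullname = strdup(fullname);
    ret = (acct->username && acct->fullname) ? 0 : -1;
done:
    free(username);                     /* no-op if never assigned */
    free(fullname);
    return ret;
}

void sam_account_free(sam_account *acct)
{
    free(acct->username);
    free(acct->fullname);
    acct->username = acct->fullname = NULL;
}

int main(void)
{
    /* Constructed "downgraded" record: a 4-byte time value occupies the spot
     * where the old format expects a 1-byte username length (0x40 = 64). */
    const uint8_t downgraded[] = {0x40, 0x7e, 0xd1, 0x95, 3, 'b', 'o', 'b'};
    sam_account acct = {0};
    int rc = init_sam_fixed(&acct, downgraded, sizeof downgraded);
    printf("fixed unpacker on downgraded record: rc=%d (no crash)\n", rc);
    sam_account_free(&acct);
    return 0;
}
```

On a well-formed record both versions behave identically; the difference only appears on the failure path, which is exactly why the bug survived until a downgrade fed the unpacker data in the wrong layout. Building with `-fsanitize=address` or running under a malloc with stricter checks makes the buggy version's invalid free visible immediately.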
Fixed. Just to note though that downgrading is not supported for tdbs.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.