Bug 7290 - ntlm_auth with "gss-spnego" helper dumps core
Summary: ntlm_auth with "gss-spnego" helper dumps core
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Ntlm_auth Tool
Version: 3.4.0
Hardware: Other Windows XP
Importance: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-03-24 16:00 UTC by mohan
Modified: 2010-03-29 01:56 UTC

Attachments:
- Proposed patch (3.28 KB, patch), 2010-03-25 16:26 UTC, Kai Blin, no flags
- git-am fix for 3.4.8. (3.27 KB, patch), 2010-03-26 16:30 UTC, Jeremy Allison, kai: review+

Description mohan 2010-03-24 16:00:53 UTC
I was trying to use the ntlm_auth utility on Samba 3.4.x (onwards) as an authentication proxy.

It seems the "gss-spnego" helper protocol dumps core every time I send the initial command "YR".

#0  0x00002aaaaca7a065 in raise () from /lib64/libc.so.6
#1  0x00002aaaaca7bb00 in abort () from /lib64/libc.so.6
#2  0x00002aaaac42891f in talloc_abort () from /var/home/root/samba340/libtalloc.so.1
#3  0x00002aaaac428936 in talloc_abort_unknown_value () from /var/home/root/samba340/libtalloc.so.1
#4  0x00002aaaac42bfd7 in talloc_free () from /var/home/root/samba340/libtalloc.so.1
#5  0x00005555555bced4 in free_spnego_data () from /var/home/root/samba340/ntlm_auth
#6  0x00005555555a3962 in manage_gss_spnego_request (state=<value optimized out>, buf=<value optimized out>, length=<value optimized out>) at utils/ntlm_auth.c:1099
#7  0x00005555555a827b in main (argc=<value optimized out>, argv=<value optimized out>) at utils/ntlm_auth.c:2198

Samba 3.3.x (and prior) releases respond with a proper "TT xxx".

I think the problem is that "free_spnego_data" started using talloc_free() from Samba 3.4.x onwards.

But ntlm_auth allocates mechTypes using malloc() and then calls "free_spnego_data", which dumps core while checking the magic number.
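The crash in the backtrace above is an allocator mismatch: a malloc()'d array is handed to talloc_free(), which inspects the chunk header it expects in front of the pointer and aborts when the magic value is not there. The following is an added C example, not Samba or libtalloc code, that models that check with a constructed header and magic value; tl_alloc, tl_free_checked, buggy_path and fixed_path are assumed names, and the malloc()'d case is simulated with a zero-filled header so the read stays well-defined.

```c
/* Added example, not Samba or libtalloc code: a minimal talloc-style
 * allocator that tags every block with a header and magic value, the way
 * talloc_free() checks the chunk header in front of the pointer it gets. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define TL_MAGIC 0xe814ec70u   /* constructed value, not libtalloc's */

struct tl_hdr { unsigned int magic; size_t size; };

/* Allocate a block whose header carries the magic; returns the payload. */
static void *tl_alloc(size_t n) {
    struct tl_hdr *h = malloc(sizeof *h + n);
    if (h == NULL) return NULL;
    h->magic = TL_MAGIC;
    h->size = n;
    return (char *)h + sizeof *h;
}

/* Free a block from tl_alloc(). Returns 0 on success, -1 when the header
 * in front of the pointer lacks the magic (where libtalloc aborts instead). */
static int tl_free_checked(void *p) {
    if (p == NULL) return 0;
    struct tl_hdr *h = (struct tl_hdr *)((char *)p - sizeof *h);
    if (h->magic != TL_MAGIC) return -1;
    free(h);
    return 0;
}

/* The bug: the array came from plain malloc() (simulated here with a zeroed
 * header so the read stays well-defined) and is passed to the talloc free. */
static int buggy_path(void) {
    char *raw = calloc(1, sizeof(struct tl_hdr) + 16);
    if (raw == NULL) return -2;
    int rc = tl_free_checked(raw + sizeof(struct tl_hdr));   /* -1 */
    free(raw);
    return rc;
}

/* The fix: allocate with the same allocator that later frees the block. */
static int fixed_path(void) {
    char *mech = tl_alloc(16);
    if (mech == NULL) return -2;
    memcpy(mech, "NTLMSSP", 8);  /* constructed payload standing in for mechTypes */
    return tl_free_checked(mech);                            /* 0 */
}
```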
Comment 1 Kai Blin 2010-03-25 16:26:13 UTC
Created attachment 5544 [details]
Proposed patch

Hi there. This patch seems to fix the issue for me. Could you check whether it solves your issue as well?
Comment 2 mohan 2010-03-26 02:53:52 UTC
Thanks Kai Blin. Works for me too.
Comment 3 Jeremy Allison 2010-03-26 15:42:52 UTC
Obvious fix - spnego_free_data inside ../libcli/auth/spnego_parse.c uses talloc_free on these values.

Pushing to master (and I'll investigate for 3.5.2 and 3.4.8).

Comment 4 Jeremy Allison 2010-03-26 15:51:23 UTC
Kai's patch applies cleanly to 3.5.2, but not 3.4.8. New fix to follow.
Comment 5 Jeremy Allison 2010-03-26 16:30:33 UTC
Created attachment 5550 [details]
git-am fix for 3.4.8.

Kai please review then re-assign to Karolin for inclusion in 3.5.2 and 3.4.8.
Comment 6 Kai Blin 2010-03-26 18:19:46 UTC
Comment on attachment 5550 [details]
git-am fix for 3.4.8.

Looks good to me.
Comment 7 Kai Blin 2010-03-26 18:20:34 UTC
Karolin, please pick these patches for the next 3.5 and 3.4 releases.
Comment 8 Karolin Seeger 2010-03-29 01:56:23 UTC
Pushed to v3-5-test and v3-4-test.
Closing out bug report.