7290 – ntlm_auth with "gss-spnego" helper dumps core

Bug 7290 - ntlm_auth with "gss-spnego" helper dumps core

Summary: ntlm_auth with "gss-spnego" helper dumps core

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.4
Classification:	Unclassified
Component:	Ntlm_auth Tool (show other bugs)
Version:	3.4.0
Hardware:	Other Windows XP

Importance:	P3 normal
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-03-24 16:00 UTC by mohan
Modified:	2010-03-29 01:56 UTC (History)
CC List:	0 users

See Also:

Attachments
Proposed patch (3.28 KB, patch) 2010-03-25 16:26 UTC, Kai Blin	no flags	Details
git-am fix for 3.4.8. (3.27 KB, patch) 2010-03-26 16:30 UTC, Jeremy Allison	kai: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description mohan 2010-03-24 16:00:53 UTC

I was trying to use ntlm_auth utility on samba 3.4.x (onwards) as an authentication proxy . 

It seems "gss-spnego" helper protocol dumps core every time when I send the initial command "YR". 

#0  0x00002aaaaca7a065 in raise () from /lib64/libc.so.6
#1  0x00002aaaaca7bb00 in abort () from /lib64/libc.so.6
#2  0x00002aaaac42891f in talloc_abort () from/var/home/root/samba340/libtalloc.so.1
#3  0x00002aaaac428936 in talloc_abort_unknown_value () from /var/home/root/samba340/libtalloc.so.1
#4  0x00002aaaac42bfd7 in talloc_free () from/var/home/root/samba340/libtalloc.so.1
#5  0x00005555555bced4 in free_spnego_data () from /var/home/root/samba340/ntlm_auth
#6  0x00005555555a3962 in manage_gss_spnego_request (state=<value optimized out>, buf=<value optimized out>, length=<value optimized out>) at utils/ntlm_auth.c:1099
#7  0x00005555555a827b in main (argc=<value optimized out>, argv=<value optimized out>) at utils/ntlm_auth.c:2198

Samba 3.3.x ( and prior ) releases responds with  proper "TT xxx"

I think the problem is "free_spnego_data" started using talloc_free() from samba 3.4.x onwards. 

But ntlm_auth allocates mechTypes using malloc() and calls "free_spnego_data"  and dumps core while checking the magic number

Comment 1 Kai Blin 2010-03-25 16:26:13 UTC

Created attachment 5544 [details]
Proposed patch

Hi there. This patch seems to fix the issue for me. Could you try if this solves your issue as well?

Comment 2 mohan 2010-03-26 02:53:52 UTC

Thanks Kai Blin. Works for me too.

Comment 3 Jeremy Allison 2010-03-26 15:42:52 UTC

Obvious fix - spnego_free_data inside ../libcli/auth/spnego_parse.c
 uses talloc_free on these values.

Pushing to master (and I'll investigate for 3.5.2 and 3.4.8).

Jeremy.

Comment 4 Jeremy Allison 2010-03-26 15:51:23 UTC

Kai's patch applies cleanly to 3.5.2, but not 3.4.8. New fix to follow.
Jeremy.

Comment 5 Jeremy Allison 2010-03-26 16:30:33 UTC

Created attachment 5550 [details]
git-am fix for 3.4.8.

Kai please review then re-assign to Karolin for inclusion in 3.5.2 and 3.4.8.
Thanks,
Jeremy.

Comment 6 Kai Blin 2010-03-26 18:19:46 UTC

Comment on attachment 5550 [details]
git-am fix for 3.4.8.

Looks good to me.

Comment 7 Kai Blin 2010-03-26 18:20:34 UTC

Karolin, please pick these patches for the next 3.5 and 3.4 releases.

Comment 8 Karolin Seeger 2010-03-29 01:56:23 UTC

Pushed to v3-5-test and v3-4-test.
Closing out bug report.

Thanks!