[Samba] Samba4 segfault

Andrew Bartlett abartlet at samba.org
Thu Apr 22 05:16:05 MDT 2010


On Mon, 2010-04-19 at 16:46 +0200, Marcel Ritter wrote:
> Hi,
> 
> during my tests to use Samba4 as a kdc for kerberized NFS,
> I found a bug in the KDC code, when generating a principal
> without pac (e.g. with msktutil and option --no-pac), that
> causes Samba4 to crash:
> 
> Running the following command on one of the client machines
> 
>   msktutil -c --upn nfs/testa.linex.org  -h testa.linex.org --computer-name testa-service-nfs  --server s4-dc1.linex.org --no-pac
> 
> results in this gdb backtrace on the samba4 dc (s4-dc1.linex.org):
> 
>   Program received signal SIGSEGV, Segmentation fault. 
>   0x00000000005e82e6 in samba_make_krb5_pac ()
>   Current language:  auto; currently asm
>   (gdb) bt  
>   #0  0x00000000005e82e6 in samba_make_krb5_pac ()
>   #1  0x00000000004ce243 in samba_wdc_get_pac ()
>   #2  0x000000000059290b in _kdc_pac_generate ()
>   #3  0x0000000000588055 in _kdc_as_rep ()
>   #4  0x00000000005922ec in kdc_as_req ()
>   #5  0x000000000059258e in krb5_kdc_process_krb5_request ()
>   #6  0x00000000005fc1dc in kdc_process ()
>   #7  0x00000000005fc4bb in kdc_tcp_call_loop ()
>   ...
> 
> Looking at the code, the error is quite easy to find: 
> 
> source4/kdc/wdc-samba4.c: krb5_error_code samba_wdc_get_pac()
>    calls 
> 
> 1.) source4/kdc/pac-glue.c: samba_kdc_get_pac_blob()
> 
>   /* The user account may be set not to want the PAC */
>   ...
>      *_pac_blob = NULL;
> 
>     and then calls
> 
> 2.) source4/kdc/pac-glue.c: samba_make_krb5_pac()
>    which tries to use uninitialized "pac_blob" and segfaults
> 
> 
> A simple patch is attached that solved the problem for me.

Somehow, the patch didn't make it to the list.  Can you make it with git
format-patch (if possible) and attach it to a bug, or mail it to me?  I
would be delighted to include it in the tree, or otherwise fix this
bug.

(Sorry for the slow response, I normally expect Samba4 questions on
samba-technical during this alpha phase). 

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
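
Added example, not part of the original thread and not Samba's code or the patch mentioned above: a simplified C model of the failure described in the quoted report, where the lookup step legitimately yields a NULL PAC blob and the following step must not dereference it. All type and function names are hypothetical stand-ins, and treating "no PAC" as a successful outcome is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not Samba's types or functions. */
struct blob { const unsigned char *data; size_t length; };
struct account { int no_pac; struct blob pac; };
enum { OK = 0, ERR_INVALID = 1 };

/* Lookup step: succeeds with *out == NULL when the account opts out of the PAC. */
static int get_pac_blob(const struct account *acct, const struct blob **out)
{
    *out = acct->no_pac ? NULL : &acct->pac;
    return OK;
}

/* Encode step: rejects a NULL blob instead of dereferencing it. */
static int make_pac(const struct blob *pac_blob, size_t *encoded_len)
{
    if (pac_blob == NULL)
        return ERR_INVALID;
    *encoded_len = pac_blob->length;  /* constructed: "encoding" is just the length */
    return OK;
}

/* Caller: treats "no PAC" as a valid result (assumption) and skips encoding. */
static int get_pac(const struct account *acct, int *have_pac, size_t *encoded_len)
{
    const struct blob *pac_blob = NULL;
    int ret = get_pac_blob(acct, &pac_blob);
    *have_pac = 0;
    *encoded_len = 0;
    if (ret != OK || pac_blob == NULL)
        return ret;
    ret = make_pac(pac_blob, encoded_len);
    *have_pac = (ret == OK);
    return ret;
}

int main(void)
{
    static const unsigned char bytes[] = { 1, 2, 3, 4 };  /* constructed sample */
    struct account no_pac = { 1, { NULL, 0 } };
    struct account with_pac = { 0, { bytes, sizeof bytes } };
    int have; size_t len;
    int r = get_pac(&no_pac, &have, &len);
    printf("no_pac:   ret=%d have=%d\n", r, have);
    r = get_pac(&with_pac, &have, &len);
    printf("with_pac: ret=%d have=%d len=%zu\n", r, have, len);
    return 0;
}
```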