[Pkg-samba-maint] Bug#399008: segfaults on bad kerberos ticket

Peter Palfrader weasel at debian.org
Fri Nov 17 04:31:06 CET 2006


Package: samba
Version: 3.0.23c-3

Thanks to vmware, which isn't able to keep my clocks synched properly in
the test environment, I get a few interesting cases that I normally
wouldn't see. :)


weasel@krb:~$ date
Fri Nov 17 09:02:40 CET 2006
smb:~# date
Fri Nov 17 04:33:22 CET 2006


[not really synced, as you can see]

weasel@krb:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1000_E6AQnS
        Principal: weasel@SBG.PALFRADER.ORG

  Issued           Expires          Principal
Nov 17 08:52:18  Nov 17 18:52:18  krbtgt/SBG.PALFRADER.ORG@SBG.PALFRADER.ORG
weasel@krb:~$ smbclient -L smb.test.sbg.palfrader.org -U weasel  -k
session setup failed: Call returned zero bytes (EOF)
weasel@krb:~$ 

The samba log shows:

==> /var/log/samba/log.172.22.118.21 <==
[2006/11/17 04:33:33, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/17 04:33:33, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 4212 (3.0.23c)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/17 04:33:33, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/17 04:33:33, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/17 04:33:33, 0] lib/util.c:smb_panic(1592)
  PANIC (pid 4212): internal error
[2006/11/17 04:33:33, 0] lib/util.c:log_stack_trace(1699)
  BACKTRACE: 14 stack frames:
   #0 /usr/sbin/smbd(log_stack_trace+0x23) [0x822b883]
   #1 /usr/sbin/smbd(smb_panic+0x46) [0x822b976]
   #2 /usr/sbin/smbd [0x821a02a]
   #3 [0xffffe420]
   #4 /usr/lib/libkrb5.so.3(krb5_ktfile_get_next+0x8f) [0xa7ef8a9f]
   #5 /usr/lib/libkrb5.so.3(krb5_kt_next_entry+0x39) [0xa7ef5c29]
   #6 /usr/sbin/smbd(ads_verify_ticket+0xa1c) [0x82aedbc]
   #7 /usr/sbin/smbd [0x80becde]
   #8 /usr/sbin/smbd(reply_sesssetup_and_X+0x17d0) [0x80c1280]
   #9 /usr/sbin/smbd [0x80ea334]
   #10 /usr/sbin/smbd(smbd_process+0x6f8) [0x80eb4f8]
   #11 /usr/sbin/smbd(main+0x10df) [0x82c29ff]
   #12 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xa7c10ea8]
   #13 /usr/sbin/smbd [0x8082a31]
[2006/11/17 04:33:33, 0] lib/util.c:smb_panic(1600)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 4212]
Cannot access memory at address 0x1
[2006/11/17 04:33:37, 0] lib/util.c:smb_panic(1608)
  smb_panic(): action returned status 0
[2006/11/17 04:33:37, 0] lib/fault.c:dump_core(173)
  dumping core in /var/log/samba/cores/smbd



Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1481128256 (LWP 4212)]
0xffffe410 in __kernel_vsyscall ()
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xa7c89183 in waitpid () from /lib/tls/i686/cmov/libc.so.6
#2  0xa7c31669 in strtold_l () from /lib/tls/i686/cmov/libc.so.6
#3  0xa7dc1add in system () from /lib/tls/i686/cmov/libpthread.so.0
#4  0x0822b9da in smb_panic (why=0x8320a87 "internal error") at lib/util.c:1601
#5  0x0821a02a in sig_fault (sig=11) at lib/fault.c:47
#6  <signal handler called>
#7  0xa7c583eb in fseek () from /lib/tls/i686/cmov/libc.so.6
#8  0xa7ef8a9f in krb5_ktfile_get_next () from /usr/lib/libkrb5.so.3
#9  0xa7ef5c29 in krb5_kt_next_entry () from /usr/lib/libkrb5.so.3
#10 0x082aedbc in ads_verify_ticket (mem_ctx=0x83963b0, 
    realm=0x83e7630 "SBG.PALFRADER.ORG", time_offset=0, ticket=0xaf8fd97c, 
    principal=0xaf8fd9a8, pac_data=0xaf8fd9a4, ap_rep=0xaf8fd970, 
    session_key=0xaf8fd94c) at libads/kerberos_verify.c:92
#11 0x080becde in reply_spnego_negotiate (conn=0x0, inbuf=0xa7abf008 "", 
    outbuf=0xa7a9e008 "", vuid=100, length=696, bufsize=131072, blob1=
      {data = 0x84155d0 "`\202\002^\006\006+\006\001\005\005\002<A0>\202\002R0\202\002N<A0>\0310\027\006\t*\206H\202<F7>\022\001\002\002\006\n+\006\001\004\001\2027\002\002\n<A2>\202\002/\004\202\002+`\202\002'\006\t*\206H\206<F7>\022\001\002\002\001", length = 610, free = 0x8229210 <free_data_blob>}, auth_ntlmssp_state=0x8417948)
    at smbd/sesssetup.c:197
#12 0x080c1280 in reply_sesssetup_and_X (conn=0x0, inbuf=0xa7abf008 "", 
    outbuf=0xa7a9e008 "", length=696, bufsize=131072) at smbd/sesssetup.c:721
#13 0x080ea334 in switch_message (type=115, inbuf=0xa7abf008 "", 
    outbuf=0xa7a9e008 "", size=696, bufsize=131072) at smbd/process.c:991
#14 0x080eb4f8 in smbd_process () at smbd/process.c:1018
#15 0x082c29ff in main (argc=) at smbd/server.c:1024



Whatever samba does, it certainly shouldn't segfault.

If you think it's libkrb's fault, please reassign to libkrb53 1.4.4-3,
possibly raising the severity.

Cheers,
Peter
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
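
A triage sketch for the smbd log format shown in this report, added here as an example and not part of the original message or of Samba: it pulls the signal, pid and version from the `fault_report` line and picks the first named frame below the panic handler, so repeated crashes can be grouped by faulting function. The name `parse_crashes`, the result field names and the trimmed log excerpt are assumptions of this example.

```python
import re

# Excerpt of the smbd log quoted in the report above, trimmed for the example.
SAMPLE_LOG = """\
[2006/11/17 04:33:33, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 4212 (3.0.23c)
[2006/11/17 04:33:33, 0] lib/util.c:log_stack_trace(1699)
  BACKTRACE: 14 stack frames:
   #0 /usr/sbin/smbd(log_stack_trace+0x23) [0x822b883]
   #1 /usr/sbin/smbd(smb_panic+0x46) [0x822b976]
   #2 /usr/sbin/smbd [0x821a02a]
   #3 [0xffffe420]
   #4 /usr/lib/libkrb5.so.3(krb5_ktfile_get_next+0x8f) [0xa7ef8a9f]
   #5 /usr/lib/libkrb5.so.3(krb5_kt_next_entry+0x39) [0xa7ef5c29]
   #6 /usr/sbin/smbd(ads_verify_ticket+0xa1c) [0x82aedbc]
   #7 /usr/sbin/smbd [0x80becde]
   #8 /usr/sbin/smbd(reply_sesssetup_and_X+0x17d0) [0x80c1280]
[2006/11/17 04:33:37, 0] lib/fault.c:dump_core(173)
  dumping core in /var/log/samba/cores/smbd
"""

FAULT = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")
# A frame is "#N [module[(symbol+0xoff)] ][0xaddr]"; module and symbol may be absent.
FRAME = re.compile(r"^\s+#(\d+) (?:(\S+?)(?:\((\w+)\+0x[0-9a-f]+\))? )?\[0x[0-9a-f]+\]")
HANDLER = {"log_stack_trace", "smb_panic"}  # smbd's own crash-reporting frames

def parse_crashes(text):
    """Return one dict per smbd panic with its faulting frame and smbd caller."""
    crashes, cur = [], None
    for line in text.splitlines():
        m = FAULT.search(line)
        if m:
            cur = {"signal": int(m[1]), "pid": int(m[2]), "version": m[3], "frames": []}
            crashes.append(cur)
            continue
        m = FRAME.match(line)
        if m and cur is not None:
            cur["frames"].append((m[2], m[3]))  # (module or None, symbol or None)
    for c in crashes:
        named = [(mod, sym) for mod, sym in c["frames"] if sym and sym not in HANDLER]
        c["fault"] = named[0] if named else None  # first named frame below the handler
        c["smbd_caller"] = next((s for mod, s in named if mod.endswith("/smbd")), None)
        c["in_session_setup"] = any(s == "reply_sesssetup_and_X" for _, s in named)
    return crashes

if __name__ == "__main__":
    for c in parse_crashes(SAMPLE_LOG):
        print(f"signal {c['signal']} pid {c['pid']} smbd {c['version']}: "
              f"fault in {c['fault']}, reached via {c['smbd_caller']}")
```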



