Red Hat Bugzilla – Bug 251853
spnego_malloc causes nsupdate to crash badly
Last modified: 2013-04-30 19:36:34 EDT
Description of problem:
nsupdate segfaults when using gssapi to do GSS-TSIG based updates
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure a server to accept GSS-TSIG updates
2. Do an update via nsupdate after a kinit
Get a SIGABORT from glibc
I traced the problem to someone being on crack when coding lib/dns/spnego.c
In that file malloc/free/realloc are redefined to use
These functions will not returned the actual address allocated but an address
_inside_ the allocated space. The problem is that later on things like
gss_release_buffer() are called to free this memory.
as libgssapi does not use spnego_free (how could it) to release the memory what
happens is that actually the code tries to free the wrong address. (just
valgrind nsupdate and you will find that memory is allocated with spnego_malloc
and later on a free() with an address 16 bytes inside an allocated chunck is
performed by gss_release_buffer).
I "cured" the problem simply removing spnego_[malloc/free/realloc] and using the
standard glibc fiunctions.
Created attachment 161140 [details]
Remove completely wrong alloc/free functions
Temporary fixed with your patch, final decision is on upstream
After discussion with upstream patch will be nicely.
"We should be calling gss_release_buffer() on buffers we got from the GSS
library, spnego_free() on buffers allocated with spnego_malloc(), and should
never mix the two."
I'm going to create proposed patch
Created attachment 162048 [details]
Patch which conforms BIND coding standards
Created attachment 168579 [details]
Patch which uses real malloc to create gss_buffer structures
This patch fixes the problem on the other end: when the gss_buffer_desc.value
is allocated, the real malloc is used.
I have an uneasy feeeling when a standard gss structure flows around containing
non-freeable pointers inside.
If I get it right, in most cases the gss_buffer is filled by a gss library
call, which, naturally, uses the real malloc. Later on, gss_release_buffer may
be called. When we have to alloc the space ourselves, we should use the
Please note that I do not understand all code in spnego.c, so I'm not sure if
this is the only case where such a broken gss_buffer is created. From that
perspective, Simo's original patch is still the safest one, so I un-pbsoleted
(In reply to comment #5)
Yes, better patch than mine. But in the end I solve this issue by
'--disable-isc-spnego' configure option. This options fire away nasty hacks in
spnego.c (this spnego isn't compiled with this option) and use code from gssapi
fixed in 9.5.0-11.a6 (start using gssapi spnego, not ISC's)