[krbdev.mit.edu #3087]

The RT System itself via RT rt-comment at krbdev.mit.edu
Mon Jun 6 15:58:00 EDT 2005


To: krb5-bugs at mit.edu
From: Dennis Davis <D.H.Davis at bath.ac.uk>
X-send-pr-version: 3.99
Message-Id: <E1DfKCx-0005Od-Fx at coppi.bath.ac.uk>
Date: Mon, 06 Jun 2005 17:12:11 +0100
cc: Dennis Davis <d.h.davis at bath.ac.uk>
Subject: Double free problems with libcom_err.


>Submitter-Id:	net
>Originator:	Dennis Davis
>Organization:
	University of Bath
>Confidential:	
	no
>Synopsis:	
	I see double free problems in libcom_err
>Severity:	
	non-critical
>Priority:	
	medium
>Category:	
	krb5-libs
>Class:		
	sw-bug
>Release:	1.4.1
>Environment:
	
	Machine: anquetil.bath.ac.uk
	os: OpenBSD3.7
	Target: Working build of krb5-1.4.1
System: OpenBSD anquetil.bath.ac.uk 3.7 EXIM_SERVER#0 i386


>Description:
	
I've configured and built krb5-1.4.1 with:

LDFLAGS=-lpthread \
CC=cc CFLAGS="-O2 -g -fPIC" \
           ./configure --prefix=/kerberosV \
            --enable-dns-for-realm --with-krb4 \
            --with-tcl=/usr/local --disable-shared \
            --enable-static --disable-ipv6 \
            --enable-thread-support

Running kinit, klist, kadmin, telnet etc all produce messages
similar to:

klist in free(): error: chunk is already free
Abort trap

Turning the abort into a warning gives:

anquetil.bath.ac.uk ?// MALLOC_OPTIONS=a /kerberosV/bin/klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_526)


Kerberos 4 ticket cache: /tmp/tkt526
klist: You have no tickets cached
klist in free(): warning: chunk is already free
klist in free(): warning: chunk is already free
klist in free(): warning: chunk is already free
klist in free(): warning: chunk is already free
klist in free(): warning: chunk is already free
klist in free(): warning: chunk is already free
anquetil.bath.ac.uk ?// 

Note that the command always seems to work OK and the error seems to
occur as part of the cleanup before the command exits.  This is most
noticeable with the telnet command.  The failure occurs after the
connection to the remote site has been closed.

Running a simple program under gdb gives:


a.out in free(): error: chunk is already free

Program received signal SIGABRT, Aborted.
0x0e16b71d in kill () from /usr/lib/libc.so.34.2
(gdb) bt
#0  0x0e16b71d in kill () from /usr/lib/libc.so.34.2
#1  0x0e19830f in abort () from /usr/lib/libc.so.34.2
#2  0x0e16fb71 in execve () from /usr/lib/libc.so.34.2
#3  0x00000002 in ?? ()
#4  0xcfbf82bc in ?? ()
#5  0x00000004 in ?? ()
#6  0x0a680027 in fsync () from /usr/lib/libpthread.so.6.1
#7  0x0e16fc1f in execve () from /usr/lib/libc.so.34.2
#8  0x2e126f80 in _des_bits8 () from /usr/lib/libc.so.34.2
#9  0x2e130ec8 in optopt () from /usr/lib/libc.so.34.2
#10 0xcfbf8334 in ?? ()
#11 0x0e16fb82 in execve () from /usr/lib/libc.so.34.2
#12 0xcfbf8324 in ?? ()
#13 0x0e156e44 in __errno () from /usr/lib/libc.so.34.2
#14 0x0e17072c in execve () from /usr/lib/libc.so.34.2
#15 0x2e126f80 in _des_bits8 () from /usr/lib/libc.so.34.2
#16 0x0000000f in ?? ()
#17 0x3c018000 in ?? ()
#18 0x0e1706c1 in execve () from /usr/lib/libc.so.34.2
#19 0x00000000 in ?? ()
#20 0x2e133f1c in ?? () from /usr/lib/libc.so.34.2
#21 0xcfbf83a4 in ?? ()
#22 0x0e1708a9 in free () from /usr/lib/libc.so.34.2
#23 0x0e1708a9 in free () from /usr/lib/libc.so.34.2
#24 0x1c05d9b7 in remove_error_table (et=0x3c0110e0) at error_message.c:340
#25 0x1c0240e3 in profile_library_finalizer () at prof_file.c:63
#26 0x1c0027c8 in __register_frame_info ()
#27 0x1c05eb85 in __fini ()
#28 0x0e17116a in exit () from /usr/lib/libc.so.34.2
#29 0x1c002759 in ___start ()
#30 0x1c0026bf in _start ()

So the problem appears to be in lines 334 to 342 of
utils/et/error_message.c:

  334       /* Remove the first occurrance we can find.  Prefer dynamic
  335          entries, but if there are none, check for a static one too.  */
  336       for (del = &et_list_dynamic; *del; del = &(*del)->next)
  337           if ((*del)->table->base == et->base) {
  338               /*@only@*/ struct dynamic_et_list *old = *del;
  339               *del = old->next;
  340               free (old);
  341               return k5_mutex_unlock(&et_list_lock);
  342           }

>How-To-Repeat:
	
	Happens every time I use klist, kinit, etc.
>Fix:
	
For the moment I'm using a very Quick'N'Dirty fix.  I've just removed
the above lines from utils/et/error_message.c.  I appreciate that
this is hardly ideal.  But it seems to work for now.
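
Added example, not part of the original report and not krb5 code: a minimal C model of the unlink loop quoted at lines 336-342, showing that with an intact list a repeated removal of the same table returns ENOENT instead of calling free() a second time. The demo_* names, the simplified structs and the live_nodes counter are assumptions; locking is omitted, and the model does not establish the root cause of the reported abort.

```c
#include <errno.h>
#include <stdlib.h>

/* Simplified stand-ins (assumptions) for the types in error_message.c. */
struct error_table { long base; };
struct dynamic_et_list {
    struct dynamic_et_list *next;
    const struct error_table *table;
};

static struct dynamic_et_list *et_list_dynamic;
static int live_nodes;  /* instrumentation: nodes allocated and not yet freed */

/* Register a table: exactly one heap node per call. */
int demo_add_error_table(const struct error_table *et)
{
    struct dynamic_et_list *n = malloc(sizeof(*n));
    if (n == NULL)
        return ENOMEM;
    n->table = et;
    n->next = et_list_dynamic;
    et_list_dynamic = n;
    live_nodes++;
    return 0;
}

/* Same pointer-to-pointer unlink as the quoted lines 336-342, no locking. */
int demo_remove_error_table(const struct error_table *et)
{
    struct dynamic_et_list **del;
    for (del = &et_list_dynamic; *del; del = &(*del)->next)
        if ((*del)->table->base == et->base) {
            struct dynamic_et_list *old = *del;
            *del = old->next;   /* unlink first, so the node is unreachable */
            free(old);
            live_nodes--;
            return 0;
        }
    return ENOENT;              /* nothing left to free for this table */
}
int demo_live_nodes(void) { return live_nodes; }

int main(void)
{
    struct error_table t = { 1000L };  /* constructed sample table */
    demo_add_error_table(&t);
    demo_remove_error_table(&t);
    return demo_remove_error_table(&t) == ENOENT ? 0 : 1;
}
```

Deleting the loop, as in the workaround above, would leave live_nodes nonzero at exit in this model: the node is leaked rather than freed.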


