kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0

core dumped due to double free #201

Closed lsang6WIND closed 9 months ago

lsang6WIND commented 9 months ago

This is the backtrace:

```
0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=139791231046400) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory. (gdb) bt
0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=139791231046400) at ./nptl/pthread_kill.c:44
1 __pthread_kill_internal (signo=6, threadid=139791231046400) at ./nptl/pthread_kill.c:78
2 __GI___pthread_kill (threadid=139791231046400, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
3 0x00007f23aeec6476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
4 0x00007f23aeeac7f3 in __GI_abort () at ./stdlib/abort.c:79
5 0x00007f23aef0d6f6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f23af05fb8c "%s\n") at ../sysdeps/posix/libc_fatal.c:155
6 0x00007f23aef24d7c in malloc_printerr (str=str@entry=0x7f23af062710 "free(): double free detected in tcache 2") at ./malloc/malloc.c:5664
7 0x00007f23aef2712b in _int_free (av=0x7f23af09dc80 , p=0x555dde01b570, have_lock=0) at ./malloc/malloc.c:4473
8 0x00007f23aef294d3 in __GI___libc_free (mem=) at ./malloc/malloc.c:3391
9 0x00007f23aea38d94 in _pam_send_account () from /lib/security/pam_tacplus.so
10 0x00007f23aea3915f in _pam_account () from /lib/security/pam_tacplus.so
11 0x00007f23aea3a7b4 in pam_sm_open_session () from /lib/security/pam_tacplus.so
12 0x00007f23af769301 in ?? () from /lib/x86_64-linux-gnu/libpam.so.0
13 0x0000555ddcd01d2e in ?? ()
14 0x00007f23aeeadd90 in __libc_start_call_main (main=main@entry=0x555ddccfe550, argc=argc@entry=3, argv=argv@entry=0x7ffcebaed028)
    at ../sysdeps/nptl/libc_start_call_main.h:58
15 0x00007f23aeeade40 in __libc_start_main_impl (main=0x555ddccfe550, argc=3, argv=0x7ffcebaed028, init=, fini=,
    rtld_fini=<optimized out>, stack_end=0x7ffcebaed018) at ../csu/libc-start.c:392
16 0x0000555ddcd02845 in ?? ()
```

The double free occurred in _pam_send_account: there are 2 free calls, both on re.msg. re is initialised by tac_acct_read, which calls tac_acct_read_timeout: https://github.com/kravietz/pam_tacplus/blob/4284d9016e64def2bb81d5f50f96dc3b59bfdc39/libtac/lib/acct_r.c#L142 and it is immediately freed on the next line: https://github.com/kravietz/pam_tacplus/blob/4284d9016e64def2bb81d5f50f96dc3b59bfdc39/libtac/lib/acct_r.c#L143

The blame (https://github.com/kravietz/pam_tacplus/commit/6380c5a81ea6e10c0083c2c383801f23b950530c#diff-2fe19f6a6f6d7f1b2133ea778a73c3ae77f972c2c82b158fef51ca61dba92cfaL138) shows that it should be freed by the caller.
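The ownership rule the report describes (the reply decoder allocates `re.msg`, the caller is the only party that frees it), shown as an added example that is not code from pam_tacplus. The `struct areply`, `acct_read` and `send_account` names are simplified stand-ins for the library's types and functions, with only the fields relevant to the double free modelled.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the library's reply struct (assumption: only the
 * members that matter for the ownership question are modelled). */
struct areply {
    char *msg;    /* heap string; owned by whoever receives the struct */
    int status;
};

/* Stand-in for the reply decode step. It allocates re->msg and hands
 * ownership to the caller, so it must NOT free msg before returning:
 * a free here plus the caller's free is exactly the reported double free. */
static int acct_read(struct areply *re, const char *server_text) {
    size_t len = strlen(server_text) + 1;
    re->msg = NULL;
    re->status = -1;
    re->msg = malloc(len);             /* caller owns this from now on */
    if (re->msg == NULL)
        return -1;                     /* nothing to release on failure */
    memcpy(re->msg, server_text, len);
    re->status = 0;
    return 0;
}

/* Single release point. Clearing the pointer turns an accidental second
 * call into a no-op instead of heap corruption. */
static void areply_free(struct areply *re) {
    free(re->msg);
    re->msg = NULL;
}

/* Caller side, modelled on the PAM module: read, use, free exactly once. */
static int send_account(const char *server_text) {
    struct areply re;
    int status;
    if (acct_read(&re, server_text) != 0)
        return -1;
    status = re.status;
    areply_free(&re);                  /* the only free of re.msg */
    return status;
}
```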