Bug 10817 - smbclient segfaults using the echo command
Summary: smbclient segfaults using the echo command
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.1.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2014-09-17 13:37 UTC by Andreas Schneider
Modified: 2014-09-29 18:03 UTC

Attachments
proposed patch for master (857 bytes, patch)
2014-09-17 13:41 UTC, Andreas Schneider
asn: review? (metze)
jra: review+
v4-1-test patch (1.12 KB, patch)
2014-09-23 07:56 UTC, Andreas Schneider
jra: review+
obnox: review+
Description Andreas Schneider 2014-09-17 13:37:41 UTC
smbclient segfaults using the echo command.

Reproducer:

1. smbclient //magrathea/wurst
2. echo 5 42

We call TALLOC_FREE(subreq) and a few lines later smbXcli_req_set_pending(subreq) on the NULL pointer.

Backtrace:

#0  0x00007ffff6bc7702 in _tevent_req_data (req=0x0) at ../lib/tevent/tevent_req.c:321
No locals.
#1  0x00007ffff7e2f837 in smbXcli_req_set_pending (req=0x0) at ../libcli/smb/smbXcli_base.c:881
        state = 0x7ffff7e4c7b0
        conn = 0x5555555b53e0
        pending = 0x5555555b5380
        num_pending = 0
#2  0x00007ffff7e3dfa0 in smb1cli_echo_done (subreq=0x0) at ../libcli/smb/smb1cli_echo.c:123
        req = 0x5555555b6d20
        state = 0x5555555b6eb0
        status = {v = 0}
        num_bytes = 2
        bytes = 0x5555555b5b59 "42\377\377\177"
        recv_iov = 0x5555555b5800
        expected = {{status = {v = 0}, wct = 1 '\001'}}
#3  0x00007ffff6bc7175 in _tevent_req_notify_callback (req=0x5555555b53e0, location=0x7ffff7e4a8e8 "../libcli/smb/smbXcli_base.c:2074") at ../lib/tevent/tevent_req.c:112
No locals.
#4  0x00007ffff6bc7248 in tevent_req_finish (req=0x5555555b53e0, state=TEVENT_REQ_DONE, location=0x7ffff7e4a8e8 "../libcli/smb/smbXcli_base.c:2074") at ../lib/tevent/tevent_req.c:149
No locals.
#5  0x00007ffff6bc726f in _tevent_req_done (req=0x5555555b53e0, location=0x7ffff7e4a8e8 "../libcli/smb/smbXcli_base.c:2074") at ../lib/tevent/tevent_req.c:155
No locals.
#6  0x00007ffff7e32a19 in smb1cli_conn_dispatch_incoming (conn=0x5555555897c0, tmp_mem=0x5555555b73c0, inbuf=0x0) at ../libcli/smb/smbXcli_base.c:2074
        req = 0x5555555b53e0
        state = 0x5555555b5570
        status = {v = 0}
        num_pending = 1
        i = 0
        cmd = 43 '+'
        mid = 8
        oplock_break = false
        inhdr = 0x5555555b5b34 "\377SMB+"
        len = 39
        iov = 0x5555555b7430
        num_iov = 3
        chain = 0x0
        num_chained = 0
        num_responses = 0
        __FUNCTION__ = "smb1cli_conn_dispatch_incoming"
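
The ordering problem described above, modeled as a stand-alone C example added here (it is not Samba code and not the attached patch). FREE_AND_NULL stands in for TALLOC_FREE, and struct request, set_pending, on_reply_buggy, on_reply_safe and run_echo are hypothetical names. It assumes the handler re-arms the request only while replies are still outstanding, and the stand-in reports the NULL argument instead of dereferencing it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for TALLOC_FREE(): release the object and set the variable to NULL. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)
struct request { bool pending; };   /* hypothetical sub-request */
typedef int (*reply_handler)(struct request **slot, int *remaining);

/* Stand-in for re-arming a request; rejects NULL so the model reports the bug. */
static bool set_pending(struct request *req)
{
    if (req != NULL) req->pending = true;
    return req != NULL;
}

/* Ordering from the report: free first, re-arm a few lines later. */
static int on_reply_buggy(struct request **slot, int *remaining)
{
    FREE_AND_NULL(*slot);
    if (--*remaining == 0) return 0;      /* last reply: nothing to re-arm */
    return set_pending(*slot) ? 1 : -1;   /* *slot is already NULL here */
}

/* Safer ordering: keep the request alive until the final reply arrives. */
static int on_reply_safe(struct request **slot, int *remaining)
{
    if (--*remaining == 0) { FREE_AND_NULL(*slot); return 0; }
    return set_pending(*slot) ? 1 : -1;
}

/* Deliver `count` replies; return how many were handled, or -1 on failure. */
static int run_echo(reply_handler handler, int count)
{
    struct request *req = calloc(1, sizeof(*req));
    int remaining = count, handled = 0, rc = 1;
    if (req == NULL || count < 1) { free(req); return -1; }
    while (rc == 1) {
        rc = handler(&req, &remaining);
        if (rc >= 0) handled++;
    }
    free(req);                            /* no-op: both handlers leave NULL */
    return rc < 0 ? -1 : handled;
}

int main(void) {
    printf("buggy: %d  safe: %d\n", run_echo(on_reply_buggy, 5), run_echo(on_reply_safe, 5));
    return 0;
}
```

In this model a count of 1 succeeds with either handler, so only a multi-reply request reaches the re-arm call with the freed pointer.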
Comment 1 Andreas Schneider 2014-09-17 13:41:36 UTC
Created attachment 10292
proposed patch for master
Comment 2 Andreas Schneider 2014-09-23 07:56:23 UTC
Created attachment 10302
v4-1-test patch
Comment 3 Jeremy Allison 2014-09-23 20:20:10 UTC
Comment on attachment 10302
v4-1-test patch

LGTM.
Comment 4 Jeremy Allison 2014-09-23 20:20:46 UTC
Re-assigning to Karolin for inclusion in 4.1.next.
Jeremy.
Comment 5 Karolin Seeger 2014-09-27 17:58:49 UTC
Pushed to autobuild-v4-1-test.
Comment 6 Karolin Seeger 2014-09-29 18:03:42 UTC
Pushed to v4-1-test.
Closing out bug report.

Thanks!