Bug 11444 - Crash in notify_remove caused by change notify = no
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware/OS: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2015-08-12 07:29 UTC by Ralph Böhme
Modified: 2015-09-01 13:21 UTC
CC List: 3 users

See Also:
Attachments
Patches for v4-3-test (10.00 KB, patch)
2015-08-31 14:05 UTC, Stefan Metzmacher
obnox: review+
slow: review+

Description Ralph Böhme 2015-08-12 07:29:52 UTC
If "change notify = no" is set in smb.conf, notify_ctx is NULL. Then in file_free() we pass notify_ctx (= NULL) to notify_remove() which doesn't check for that and crashes.

SBT:
#5  0x00007f7c104ce0d9 in sig_fault (sig=11) at ../lib/util/fault.c:94
No locals.
#6  <signal handler called>
No locals.
#7  0x00007f7c1009a84a in notify_remove (ctx=0x0, private_data=0x7f7c12492c20) at ../source3/smbd/notify_msg.c:186
        listel = 0x0
        msg = {instance = {creation_time = {tv_sec = 0, tv_nsec = 0}, filter = 0, subdir_filter = 0, private_data = 0x0}, path = 0x7ffecc3faa40 "`\252?\314\376\177"}
        iov = {{iov_base = 0x7ffecc3faa40, iov_len = 140170822468639}, {iov_base = 0x7f7c12492c20, iov_len = 140170859409920}}
        status = {v = 306738544}
        __FUNCTION__ = "notify_remove"
#8  0x00007f7c0ff8f685 in file_free (req=0x7f7c124931a0, fsp=0x7f7c12492c20) at ../source3/smbd/files.c:519
        notify_ctx = 0x0
        sconn = 0x7f7c124770f0
        fnum = 2759414850
        __FUNCTION__ = "file_free"
#9  0x00007f7c1001b0d5 in close_directory (req=0x7f7c124931a0, fsp=0x7f7c12492c20, close_type=NORMAL_CLOSE) at ../source3/smbd/close.c:1195
        self = {pid = 3164, task_id = 0, vnn = 4294967295, unique_id = 4078087674507910988}
        lck = 0x0
        delete_dir = false
        status = {v = 0}
        status1 = {v = 0}
        del_nt_token = 0x0
        del_token = 0x0
        notify_status = {v = 267}
        __FUNCTION__ = "close_directory"
#10 0x00007f7c1001b159 in close_file (req=0x7f7c124931a0, fsp=0x7f7c12492c20, close_type=NORMAL_CLOSE) at ../source3/smbd/close.c:1214
        status = {v = 0}
        base_fsp = 0x0
        __FUNCTION__ = "close_file"
#11 0x00007f7c1006b7b5 in smbd_smb2_close (req=0x7f7c12479ec0, fsp=0x7f7c12492c20, in_flags=0, out_flags=0x7f7c12492fe2, out_creation_ts=0x7f7c12492fe8, out_last_access_ts=0x7f7c12492ff8, 
    out_last_write_ts=0x7f7c12493008, out_change_ts=0x7f7c12493018, out_allocation_size=0x7f7c12493028, out_end_of_file=0x7f7c12493030, out_file_attributes=0x7f7c12493038)
    at ../source3/smbd/smb2_close.c:260
        status = {v = 270446609}
        smbreq = 0x7f7c124931a0
        conn = 0x7f7c12485be0
        smb_fname = 0x7f7c12487340
        allocation_size = 0
        file_size = 0
        dos_attrs = 0
        flags = 0
        posix_open = false
        __FUNCTION__ = "smbd_smb2_close"

Patch and selftest pending.
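An added illustration of the failure path the description names and of the guard a cleanup function needs. This is not Samba's code and not the attached patch (the patch itself is not shown on this page). The names notify_init, notify_remove_guarded, scenario_disabled and the status_t codes are assumptions for the sketch; notify_remove and file_free in the backtrace are the real functions they stand in for, and ctx == NULL models a server started with "change notify = no".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical status codes standing in for Samba's NTSTATUS values. */
typedef enum { ST_OK = 0, ST_NOT_IMPLEMENTED, ST_NOT_FOUND, ST_NO_MEMORY } status_t;

/* One registered watch; private_data is the file handle (fsp) that owns it. */
struct notify_entry {
    void *private_data;
    struct notify_entry *next;
};

/* Hypothetical notify context; NULL models smb.conf "change notify = no". */
struct notify_ctx {
    struct notify_entry *list;
};

struct notify_ctx *notify_init(bool change_notify_enabled)
{
    if (!change_notify_enabled) {
        return NULL;
    }
    return calloc(1, sizeof(struct notify_ctx));
}

/* Watches registered; a disabled (NULL) context has none. */
size_t notify_count(const struct notify_ctx *ctx)
{
    size_t n = 0;
    if (ctx == NULL) {
        return 0;
    }
    for (const struct notify_entry *e = ctx->list; e != NULL; e = e->next) {
        n++;
    }
    return n;
}

status_t notify_add(struct notify_ctx *ctx, void *private_data)
{
    if (ctx == NULL) {
        return ST_NOT_IMPLEMENTED;
    }
    struct notify_entry *e = calloc(1, sizeof(*e));
    if (e == NULL) {
        return ST_NO_MEMORY;
    }
    e->private_data = private_data;
    e->next = ctx->list;
    ctx->list = e;
    return ST_OK;
}

/* Shape of the defect: ctx is dereferenced before any check, so a NULL
 * context faults on the first access, as frame #7 (ctx=0x0) shows.
 * Only reachable through the guarded wrapper below. */
static status_t notify_remove_unguarded(struct notify_ctx *ctx, void *private_data)
{
    for (struct notify_entry **pp = &ctx->list; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->private_data == private_data) {
            struct notify_entry *victim = *pp;
            *pp = victim->next;
            free(victim);
            return ST_OK;
        }
    }
    return ST_NOT_FOUND;
}

/* Hardened form: a disabled subsystem is reported, not dereferenced. */
status_t notify_remove_guarded(struct notify_ctx *ctx, void *private_data)
{
    if (ctx == NULL) {
        return ST_NOT_IMPLEMENTED;
    }
    return notify_remove_unguarded(ctx, private_data);
}

/* Cleanup modelled on file_free(): no watch, or notify disabled, is no
 * reason for a handle close to fail, so both map to success. */
status_t file_free(struct notify_ctx *ctx, void *fsp)
{
    status_t st = notify_remove_guarded(ctx, fsp);
    return (st == ST_NOT_IMPLEMENTED || st == ST_NOT_FOUND) ? ST_OK : st;
}

/* The report's scenario: closing a handle with change notify disabled. */
status_t scenario_disabled(void)
{
    int fsp;
    return file_free(notify_init(false), &fsp);
}

/* Notify enabled: two handles registered, one closed; returns watches left. */
size_t scenario_enabled(void)
{
    int fsp_a, fsp_b;
    struct notify_ctx *ctx = notify_init(true);
    notify_add(ctx, &fsp_a);
    notify_add(ctx, &fsp_b);
    file_free(ctx, &fsp_a);
    size_t left = notify_count(ctx);
    file_free(ctx, &fsp_b);
    free(ctx);
    return left;
}

int main(void)
{
    printf("change notify = no : file_free -> %d (0 == ST_OK)\n", scenario_disabled());
    printf("change notify = yes: watches left after one close -> %zu\n", scenario_enabled());
    return 0;
}
```

The guard belongs in the callee: every caller of a subsystem that can be configured away (file_free is only the one the trace happened to catch) would otherwise need to repeat the check, and the one that forgets it turns a configuration option into a per-connection smbd crash.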
Comment 1 Stefan Metzmacher 2015-08-31 14:05:41 UTC
Created attachment 11384 [details]
Patches for v4-3-test
Comment 2 Ralph Böhme 2015-08-31 15:34:04 UTC
I think we need this in 4.2 as well, don't we?
Comment 3 Stefan Metzmacher 2015-08-31 20:35:03 UTC
Pushed to autobuild-v4-3-test
Comment 4 Stefan Metzmacher 2015-09-01 13:21:45 UTC
Pushed to v4-3-test