Bug 1147 - Segmentation Fault in smbd
Status: VERIFIED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Printing
Version: 3.0.2
Hardware: All Linux
Importance: P3 major
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
Duplicates: 1192 1209 1231
Reported: 2004-02-29 23:49 UTC by Simone Lazzaris
Modified: 2005-11-14 09:25 UTC

Attachments
fix pointer cast in get_stored_queue_info() (598 bytes, patch)
2004-03-01 09:00 UTC, Gerald (Jerry) Carter

Description Simone Lazzaris 2004-02-29 23:49:32 UTC
We've got a serious problem with our samba installation (samba
3.0.2.a, compiled from sources).

The problem seems to occur when printing a file on a printer connected
to our samba server. Other printers on the same server seem to work
just fine.

At the moment, I can reproduce this bug near-systematically, accessing the
UTHPGL_5 printer.

Here is a snippet of the log file:
[2004/02/26 14:29:09, 0] lib/fault.c:fault_report(36)
  ===============================================================
[2004/02/26 14:29:09, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 21341 (3.0.2a)
  Please read the appendix Bugs of the Samba HOWTO collection
[2004/02/26 14:29:09, 0] lib/fault.c:fault_report(39)
  ===============================================================
[2004/02/26 14:29:09, 0] lib/util.c:smb_panic(1400)
  PANIC: internal error
[2004/02/26 14:29:09, 0] lib/util.c:smb_panic(1407)
  BACKTRACE: 24 stack frames:
   #0 /usr/local/samba3/sbin/smbd(smb_panic+0x182) [0x818bfae]
   #1 /usr/local/samba3/sbin/smbd [0x817c3d1]
   #2 /usr/local/samba3/sbin/smbd [0x817c42a]
   #3 /lib/libc.so.6 [0x4027e888]
   #4 /usr/local/samba3/sbin/smbd(print_queue_status+0x139) [0x81a6315]
   #5 /usr/local/samba3/sbin/smbd(_spoolss_enumjobs+0xe8) [0x810c350]
   #6 /usr/local/samba3/sbin/smbd [0x80fe2ea]
   #7 /usr/local/samba3/sbin/smbd(api_rpcTNP+0x200) [0x81295ec]
   #8 /usr/local/samba3/sbin/smbd(api_pipe_request+0xce) [0x812936e]
   #9 /usr/local/samba3/sbin/smbd [0x81238d4]
   #10 /usr/local/samba3/sbin/smbd [0x8123ac1]
   #11 /usr/local/samba3/sbin/smbd [0x8123d46]
   #12 /usr/local/samba3/sbin/smbd [0x8123f03]
   #13 /usr/local/samba3/sbin/smbd(write_to_pipe+0xd7) [0x8123e83]
   #14 /usr/local/samba3/sbin/smbd [0x8087f5b]
   #15 /usr/local/samba3/sbin/smbd [0x8088147]
   #16 /usr/local/samba3/sbin/smbd(reply_trans+0x9ab) [0x8088b5b]
   #17 /usr/local/samba3/sbin/smbd [0x80bc945]
   #18 /usr/local/samba3/sbin/smbd [0x80bc9d1]
   #19 /usr/local/samba3/sbin/smbd(process_smb+0x1c5) [0x80bcce1]
   #20 /usr/local/samba3/sbin/smbd(smbd_process+0x13d) [0x80bd74d]
   #21 /usr/local/samba3/sbin/smbd(main+0x72c) [0x81e76d4]
   #22 /lib/libc.so.6(__libc_start_main+0x8e) [0x4026c306]
   #23 /usr/local/samba3/sbin/smbd(ldap_msgfree+0x69) [0x8076851]


Here is more information obtained with gdb:

Program received signal SIGSEGV, Segmentation fault.
0x082071ab in get_stored_queue_info (pdb=0x8397e68, snum=6, pcount=0xbffff064,
    ppqueue=0xbffff1ac) at printing/printing.c:2186
2186                    jobid = IVAL(&cgdata.dptr, i*4);
(gdb) print i
$2 = 1012
(gdb) print extra_count
$3 = 1130
(gdb) print cgdata.dsize
$4 = 4520
(gdb) print cgdata.dsize/4
$5 = 1130
(gdb) print cgdata
$6 = {dptr = 0x83bff20 "~\006", dsize = 4520}
(gdb) l
2181            /* Add in the changed jobids. */
2182            for( i  = 0; i < extra_count; i++) {
2183                    uint32 jobid;
2184                    struct printjob *pjob;
2185
2186                    jobid = IVAL(&cgdata.dptr, i*4);
2187                    DEBUG(5,("get_stored_queue_info: changed job = %u\n", (unsigned int)jobid));
2188                    pjob = print_job_find(snum, jobid);
2189                    if (!pjob) {
2190                            DEBUG(5,("get_stored_queue_info: failed to find changed job = %u\n", (unsigned int)jobid));
(gdb)

(gdb) backtrace
#0  0x082071ab in get_stored_queue_info (pdb=0x8397e68, snum=6,
    pcount=0xbffff064, ppqueue=0xbffff1ac) at printing/printing.c:2186
#1  0x0820763a in print_queue_status (snum=6, ppqueue=0xbffff1ac,
    status=0xbffff1b0) at printing/printing.c:2283
#2  0x0813c149 in _spoolss_enumjobs (p=0x839c530, q_u=0xbffff320,
    r_u=0xbffff310) at rpc_server/srv_spoolss_nt.c:6517
#3  0x0812a99c in api_spoolss_enumjobs (p=0x839c530)
    at rpc_server/srv_spoolss.c:693
#4  0x08160654 in api_rpcTNP (p=0x839c530, rpc_name=0x839c53e "spoolss",
    api_rpc_cmds=0x82dab84, n_cmds=51) at rpc_server/srv_pipe.c:1530
#5  0x081602d3 in api_pipe_request (p=0x839c530) at rpc_server/srv_pipe.c:1476
#6  0x08159081 in process_request_pdu (p=0x839c530, rpc_in_p=0xbffff530)
    at rpc_server/srv_pipe_hnd.c:669
#7  0x0815931f in process_complete_pdu (p=0x839c530)
    at rpc_server/srv_pipe_hnd.c:741
#8  0x08159687 in process_incoming_data (p=0x839c530, data=0x83969b8 "(", n=48)
    at rpc_server/srv_pipe_hnd.c:839
#9  0x081598b3 in write_to_internal_pipe (np_conn=0x839c530,
    data=0x83969b8 "(", n=64) at rpc_server/srv_pipe_hnd.c:878
#10 0x0815981a in write_to_pipe (p=0x839c3f0, data=0x83969a8 "\005", n=64)
    at rpc_server/srv_pipe_hnd.c:861
#11 0x0808e605 in api_fd_reply (conn=0x8397810, vuid=100,
    outbuf=0x40547008 "", setup=0x82f5830, data=0x83969a8 "\005", params=0x0,
    suwcnt=2, tdscnt=64, tpscnt=0, mdrcnt=1024, mprcnt=0) at smbd/ipc.c:306
#12 0x0808e889 in named_pipe (conn=0x8397810, vuid=100, outbuf=0x40547008 "",
    name=0xbffff716 "", setup=0x82f5830, data=0x83969a8 "\005", params=0x0,
    suwcnt=2, tdscnt=64, tpscnt=0, msrcnt=0, mdrcnt=1024, mprcnt=0)
    at smbd/ipc.c:350
#13 0x0808f674 in reply_trans (conn=0x8397810, inbuf=0x40526008 "",
    outbuf=0x40547008 "", size=152, bufsize=16644) at smbd/ipc.c:558
#14 0x080d5a4c in switch_message (type=37, inbuf=0x40526008 "",
    outbuf=0x40547008 "", size=152, bufsize=16644) at smbd/process.c:767
#15 0x080d5b08 in construct_reply (inbuf=0x40526008 "", outbuf=0x40547008 "",
    size=152, bufsize=16644) at smbd/process.c:797
#16 0x080d5eb0 in process_smb (inbuf=0x40526008 "", outbuf=0x40547008 "")
    at smbd/process.c:897
#17 0x080d6c88 in smbd_process () at smbd/process.c:1328
#18 0x08258e07 in main (argc=2, argv=0xbffffac4) at smbd/server.c:887
#19 0x4026c306 in __libc_start_main (main=0x8258584 <main>, argc=2,
    ubp_av=0xbffffac4, init=0x80754a0 <_init>, fini=0x8259160 <_fini>,
    rtld_fini=0x4000d2fc <_dl_fini>, stack_end=0xbffffabc)
    at ../sysdeps/generic/libc-start.c:129

(gdb) print cgdata
$7 = {dptr = 0x83bff20 "~\006", dsize = 4520}


And finally, my smb.conf file:

[global]
   netbios name = FS5

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   workgroup = Task_84
   server string = Server FS5
   printcap name = /etc/printcap
   load printers = yes

    printing = cups

   guest account = nobody
   map to guest = never
   log file = /var/log/samba/samba3.log

   max log size = 0
   security = user

  encrypt passwords = yes
  passdb backend = tdbsam:/usr/local/samba3/lib/passdb.tdb

  unix password sync = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

  add machine script = /usr/sbin/useradd -d /dev/null -g 800 -s /bin/false -M %u



   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

	interfaces = 10.0.1.32/24

   local master = yes

   os level = 65

   domain master = yes

   preferred master = yes

  domain logons = yes

    logon script = script\%U.bat

    logon home=
    logon path=

   wins server = 10.0.1.34


   dns proxy = no


disable spoolss = no
use client driver = yes



dos filemode = yes

[netlogon]
	path = /var/lib/samba3/netlogon
	comment = Servizio di Logon
	guest ok = yes
	browseable = No
	read only = yes
	write list = root,administrator

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   hide dot files = yes

# NOTE: this printer always works!
[laserjet]
   comment = Stampante in progettazione
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   guest ok = no
   read only = yes
   printer name = laserjet

# Also this
[hpdir]
   comment = Stampante in direzione
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   guest ok = no
   read only = yes
   printer name = LaserJet4000N

[utprint002]
   comment = Stampante in ufficio tecnico 2
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   guest ok = no
   read only = yes
   printer name = utprint002

# THESE are the printers which fail!
[UTHP_PS]
   comment = HP laserjet 5000 PostScript ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

# This printer fails near-systematically
[UTHPGL_5]
   comment = HP laserjet 5000 HPGL 5e ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTHPGL_6]
   comment = HP laserjet 5000 HPGL 6e ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTEPLAFR]
   comment = HP laserjet 5000 HPGL 5e x Eplan Fronte/Retro ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTEPLA_S]
   comment = HP laserjet 5000 HPGL 5e x Eplan Singolo ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTHP_GEN]
   comment = HP laserjet 5000 generica ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTHPFAST]
   comment = HP laserjet 5000 prioritaria ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[lav]
   comment = Lavori progrettazione
   path = /home/prg/lavori
   public = no
   writable = yes
   printable = no
   valid users = @amminrete @analogico @lamiera @col_ana @col_lam
   force create mode = 660
   force directory mode = 770

[apps]
   comment = Applicazioni comuni
   path = /home/prg/applicazioni
   public = no
   writable = yes
   printable = no
   valid users = @amminrete @analogico @lamiera @col_ana @col_lam @direzione @uftec @amministrazione
   force create mode = 660
   force directory mode = 770


[uftec]
   comment = Ufficio Tecnico
   path = /home/gest/ut
   public = no
   writable = yes
   printable = no
   valid users = @uftec
   force create mode = 660
   force directory mode = 770


[direz]
   comment = Direzione
   path = /home/gest/direzione
   public = no
   writable = yes
   printable = no
   valid users = @direzione
   force create mode = 660
   force directory mode = 770

[ammin]
   comment = Amministrazione
   path = /home/gest/amministrazione
   public = no
   writable = yes
   printable = no
   valid users = @amministrazione
   force create mode = 660
   force directory mode = 770

[com]
   comment = cartella con file in comune
   path = /home/gest/comuni
   public = no
   writable = yes
   printable = no
   force create mode = 666
   force directory mode = 770
Comment 1 Gerald (Jerry) Carter 2004-03-01 09:00:22 UTC
Created attachment 420 [details]
fix pointer cast in get_stored_queue_info()
Comment 2 Gerald (Jerry) Carter 2004-03-01 09:01:50 UTC
Looks like a bad pointer cast.  Try this patch.
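The mechanics behind the crash, as an added illustration that is neither Samba's code nor the attached patch: `&cgdata.dptr` is the address of the pointer field, a slot in get_stored_queue_info()'s own stack frame, so IVAL() indexes up the stack instead of into the TDB record and, with extra_count = 1130, walks thousands of bytes past the frame until it reaches an unmapped page. The TDB_DATA struct, the IVAL() function and the sample record below are minimal stand-ins constructed for this example; the corrected loop also checks that dsize is a whole number of uint32s before trusting extra_count.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical minimal stand-ins for Samba's TDB_DATA record and its IVAL()
 * macro: IVAL reads a little-endian uint32 at a byte offset from a base. */
typedef struct { unsigned char *dptr; size_t dsize; } TDB_DATA;

static uint32_t IVAL(const void *base, size_t off)
{
    const unsigned char *p = (const unsigned char *)base + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Corrected form of the loop at printing.c:2186: IVAL's base is the record
 * bytes (cgdata.dptr, not &cgdata.dptr) and the count is checked against
 * dsize and the caller's buffer.  Returns the number of jobids decoded, or
 * -1 when dsize is not a multiple of 4 or the result would overflow out. */
int decode_changed_jobids(TDB_DATA cgdata, uint32_t *out, size_t max_out)
{
    size_t extra_count = cgdata.dsize / 4;
    if (cgdata.dsize % 4 != 0 || extra_count > max_out)
        return -1;
    for (size_t i = 0; i < extra_count; i++)
        out[i] = IVAL(cgdata.dptr, i * 4);
    return (int)extra_count;
}

/* The faulty base: &cgdata.dptr is the address of the pointer field, a slot
 * in this function's own stack frame, not the record.  Returns 1 only if that
 * address falls inside [dptr, dptr + dsize); for a real record it never does,
 * so indexing i*4 from it walks up the stack until it hits an unmapped page. */
int buggy_base_points_into_record(TDB_DATA cgdata)
{
    uintptr_t base = (uintptr_t)&cgdata.dptr;
    uintptr_t lo = (uintptr_t)cgdata.dptr, hi = lo + cgdata.dsize;
    return base >= lo && base < hi;
}

/* Constructed sample record: three little-endian jobids 7, 0x12345678, 42. */
static unsigned char sample_record[] = { 7,0,0,0, 0x78,0x56,0x34,0x12, 42,0,0,0 };

/* Decode the sample record and return jobid number idx (UINT32_MAX on error). */
uint32_t sample_jobid(size_t idx)
{
    uint32_t ids[8];
    TDB_DATA cgdata = { sample_record, sizeof sample_record };
    int n = decode_changed_jobids(cgdata, ids, 8);
    return (n < 0 || idx >= (size_t)n) ? UINT32_MAX : ids[idx];
}
```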
Comment 3 Simone Lazzaris 2004-03-02 01:35:37 UTC
Patch applied, seems to work so far. I'll wait a bit to test it more extensively.
Comment 4 Gerald (Jerry) Carter 2004-03-16 07:39:32 UTC
*** Bug 1192 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter 2004-03-23 05:13:31 UTC
*** Bug 1209 has been marked as a duplicate of this bug. ***
Comment 6 Gerald (Jerry) Carter 2004-03-31 07:08:35 UTC
*** Bug 1231 has been marked as a duplicate of this bug. ***
Comment 7 Gerald (Jerry) Carter 2004-06-21 14:11:30 UTC
*** Bug 1464 has been marked as a duplicate of this bug. ***
Comment 8 Gerald (Jerry) Carter 2005-11-14 09:25:11 UTC
database cleanup