Bug 1147 - Segmentation Fault in smbd
Summary: Segmentation Fault in smbd
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Printing
Version: 3.0.2
Hardware: All Linux
Importance: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
Duplicates: 1192 1209 1231
Depends on:
Blocks:
 
Reported: 2004-02-29 23:49 UTC by Simone Lazzaris (dead mail address)
Modified: 2021-04-27 22:46 UTC (History)
CC: 4 users

See Also:


Attachments
fix pointer cast in get_stored_queue_info() (598 bytes, patch)
2004-03-01 09:00 UTC, Gerald (Jerry) Carter (dead mail address)

Description Simone Lazzaris (dead mail address) 2004-02-29 23:49:32 UTC
We've got a serious problem with our samba installation (samba
3.0.2.a, compiled from sources).

The problem seems to occur when printing a file on a printer connected
to our samba server. Other printers on the same server seem to work
just fine.

At the moment, I can reproduce this bug near-systematically, accessing the
UTHPGL_5 printer.

Here is a snippet of the log file:
[2004/02/26 14:29:09, 0] lib/fault.c:fault_report(36)
  ===============================================================
[2004/02/26 14:29:09, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 21341 (3.0.2a)
  Please read the appendix Bugs of the Samba HOWTO collection
[2004/02/26 14:29:09, 0] lib/fault.c:fault_report(39)
  ===============================================================
[2004/02/26 14:29:09, 0] lib/util.c:smb_panic(1400)
  PANIC: internal error
[2004/02/26 14:29:09, 0] lib/util.c:smb_panic(1407)
  BACKTRACE: 24 stack frames:
   #0 /usr/local/samba3/sbin/smbd(smb_panic+0x182) [0x818bfae]
   #1 /usr/local/samba3/sbin/smbd [0x817c3d1]
   #2 /usr/local/samba3/sbin/smbd [0x817c42a]
   #3 /lib/libc.so.6 [0x4027e888]
   #4 /usr/local/samba3/sbin/smbd(print_queue_status+0x139) [0x81a6315]
   #5 /usr/local/samba3/sbin/smbd(_spoolss_enumjobs+0xe8) [0x810c350]
   #6 /usr/local/samba3/sbin/smbd [0x80fe2ea]
   #7 /usr/local/samba3/sbin/smbd(api_rpcTNP+0x200) [0x81295ec]
   #8 /usr/local/samba3/sbin/smbd(api_pipe_request+0xce) [0x812936e]
   #9 /usr/local/samba3/sbin/smbd [0x81238d4]
   #10 /usr/local/samba3/sbin/smbd [0x8123ac1]
   #11 /usr/local/samba3/sbin/smbd [0x8123d46]
   #12 /usr/local/samba3/sbin/smbd [0x8123f03]
   #13 /usr/local/samba3/sbin/smbd(write_to_pipe+0xd7) [0x8123e83]
   #14 /usr/local/samba3/sbin/smbd [0x8087f5b]
   #15 /usr/local/samba3/sbin/smbd [0x8088147]
   #16 /usr/local/samba3/sbin/smbd(reply_trans+0x9ab) [0x8088b5b]
   #17 /usr/local/samba3/sbin/smbd [0x80bc945]
   #18 /usr/local/samba3/sbin/smbd [0x80bc9d1]
   #19 /usr/local/samba3/sbin/smbd(process_smb+0x1c5) [0x80bcce1]
   #20 /usr/local/samba3/sbin/smbd(smbd_process+0x13d) [0x80bd74d]
   #21 /usr/local/samba3/sbin/smbd(main+0x72c) [0x81e76d4]
   #22 /lib/libc.so.6(__libc_start_main+0x8e) [0x4026c306]
   #23 /usr/local/samba3/sbin/smbd(ldap_msgfree+0x69) [0x8076851]


Here is more information obtained with gdb:

Program received signal SIGSEGV, Segmentation fault.
0x082071ab in get_stored_queue_info (pdb=0x8397e68, snum=6, pcount=0xbffff064,
    ppqueue=0xbffff1ac) at printing/printing.c:2186
2186                    jobid = IVAL(&cgdata.dptr, i*4);
(gdb) print i
$2 = 1012
(gdb) print extra_count
$3 = 1130
(gdb) print cgdata.dsize
$4 = 4520
(gdb) print cgdata.dsize/4
$5 = 1130
(gdb) print cgdata
$6 = {dptr = 0x83bff20 "~\006", dsize = 4520}
(gdb) l
2181            /* Add in the changed jobids. */
2182            for( i  = 0; i < extra_count; i++) {
2183                    uint32 jobid;
2184                    struct printjob *pjob;
2185
2186                    jobid = IVAL(&cgdata.dptr, i*4);
2187                    DEBUG(5,("get_stored_queue_info: changed job = %u\n", (unsigned int)jobid));
2188                    pjob = print_job_find(snum, jobid);
2189                    if (!pjob) {
2190                            DEBUG(5,("get_stored_queue_info: failed to find changed job = %u\n", (unsigned int)jobid));
(gdb)

(gdb) backtrace
#0  0x082071ab in get_stored_queue_info (pdb=0x8397e68, snum=6,
    pcount=0xbffff064, ppqueue=0xbffff1ac) at printing/printing.c:2186
#1  0x0820763a in print_queue_status (snum=6, ppqueue=0xbffff1ac,
    status=0xbffff1b0) at printing/printing.c:2283
#2  0x0813c149 in _spoolss_enumjobs (p=0x839c530, q_u=0xbffff320,
    r_u=0xbffff310) at rpc_server/srv_spoolss_nt.c:6517
#3  0x0812a99c in api_spoolss_enumjobs (p=0x839c530)
    at rpc_server/srv_spoolss.c:693
#4  0x08160654 in api_rpcTNP (p=0x839c530, rpc_name=0x839c53e "spoolss",
    api_rpc_cmds=0x82dab84, n_cmds=51) at rpc_server/srv_pipe.c:1530
#5  0x081602d3 in api_pipe_request (p=0x839c530) at rpc_server/srv_pipe.c:1476
#6  0x08159081 in process_request_pdu (p=0x839c530, rpc_in_p=0xbffff530)
    at rpc_server/srv_pipe_hnd.c:669
#7  0x0815931f in process_complete_pdu (p=0x839c530)
    at rpc_server/srv_pipe_hnd.c:741
#8  0x08159687 in process_incoming_data (p=0x839c530, data=0x83969b8 "(", n=48)
    at rpc_server/srv_pipe_hnd.c:839
#9  0x081598b3 in write_to_internal_pipe (np_conn=0x839c530,
    data=0x83969b8 "(", n=64) at rpc_server/srv_pipe_hnd.c:878
#10 0x0815981a in write_to_pipe (p=0x839c3f0, data=0x83969a8 "\005", n=64)
    at rpc_server/srv_pipe_hnd.c:861
#11 0x0808e605 in api_fd_reply (conn=0x8397810, vuid=100,
    outbuf=0x40547008 "", setup=0x82f5830, data=0x83969a8 "\005", params=0x0,
    suwcnt=2, tdscnt=64, tpscnt=0, mdrcnt=1024, mprcnt=0) at smbd/ipc.c:306
#12 0x0808e889 in named_pipe (conn=0x8397810, vuid=100, outbuf=0x40547008 "",
    name=0xbffff716 "", setup=0x82f5830, data=0x83969a8 "\005", params=0x0,
    suwcnt=2, tdscnt=64, tpscnt=0, msrcnt=0, mdrcnt=1024, mprcnt=0)
    at smbd/ipc.c:350
#13 0x0808f674 in reply_trans (conn=0x8397810, inbuf=0x40526008 "",
    outbuf=0x40547008 "", size=152, bufsize=16644) at smbd/ipc.c:558
#14 0x080d5a4c in switch_message (type=37, inbuf=0x40526008 "",
    outbuf=0x40547008 "", size=152, bufsize=16644) at smbd/process.c:767
#15 0x080d5b08 in construct_reply (inbuf=0x40526008 "", outbuf=0x40547008 "",
    size=152, bufsize=16644) at smbd/process.c:797
#16 0x080d5eb0 in process_smb (inbuf=0x40526008 "", outbuf=0x40547008 "")
    at smbd/process.c:897
#17 0x080d6c88 in smbd_process () at smbd/process.c:1328
#18 0x08258e07 in main (argc=2, argv=0xbffffac4) at smbd/server.c:887
#19 0x4026c306 in __libc_start_main (main=0x8258584 <main>, argc=2,
    ubp_av=0xbffffac4, init=0x80754a0 <_init>, fini=0x8259160 <_fini>,
    rtld_fini=0x4000d2fc <_dl_fini>, stack_end=0xbffffabc)
    at ../sysdeps/generic/libc-start.c:129

(gdb) print cgdata
$7 = {dptr = 0x83bff20 "~\006", dsize = 4520}


And finally, my smb.conf file:

[global]
   netbios name = FS5

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   workgroup = Task_84
   server string = Server FS5
   printcap name = /etc/printcap
   load printers = yes

    printing = cups

   guest account = nobody
   map to guest = never
   log file = /var/log/samba/samba3.log

   max log size = 0
   security = user

  encrypt passwords = yes
  passdb backend = tdbsam:/usr/local/samba3/lib/passdb.tdb

  unix password sync = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

  add machine script = /usr/sbin/useradd -d /dev/null -g 800 -s /bin/false -M %u



   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

	interfaces = 10.0.1.32/24

   local master = yes

   os level = 65

   domain master = yes

   preferred master = yes

  domain logons = yes

    logon script = script\%U.bat

    logon home=
    logon path=

   wins server = 10.0.1.34


   dns proxy = no


disable spoolss = no
use client driver = yes



dos filemode = yes

[netlogon]
	path = /var/lib/samba3/netlogon
	comment = Servizio di Logon
	guest ok = yes
	browseable = No
	read only = yes
	write list = root,administrator

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   hide dot files = yes

# NOTE: this printer always works !
[laserjet]
   comment = Stampante in progettazione
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   guest ok = no
   read only = yes
   printer name = laserjet

# Also this
[hpdir]
   comment = Stampante in direzione
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   guest ok = no
   read only = yes
   printer name = LaserJet4000N

[utprint002]
   comment = Stampante in ufficio tecnico 2
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   guest ok = no
   read only = yes
   printer name = utprint002

# THESE are the printers which fail !
[UTHP_PS]
   comment = HP laserjet 5000 PostScript ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

# This printer fails near-systematically
[UTHPGL_5]
   comment = HP laserjet 5000 HPGL 5e ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTHPGL_6]
   comment = HP laserjet 5000 HPGL 6e ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTEPLAFR]
   comment = HP laserjet 5000 HPGL 5e x Eplan Fronte/Retro ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTEPLA_S]
   comment = HP laserjet 5000 HPGL 5e x Eplan Singolo ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTHP_GEN]
   comment = HP laserjet 5000 generica ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[UTHPFAST]
   comment = HP laserjet 5000 prioritaria ufficio tecnico
   directory = /var/spool/samba
   browseable = yes
   public = yes
   printable = yes
   create mode = 0700
   valid users = @uftec
   guest ok = no
   read only = yes
   printer name = utprint

[lav]
   comment = Lavori progrettazione
   path = /home/prg/lavori
   public = no
   writable = yes
   printable = no
   valid users = @amminrete @analogico @lamiera @col_ana @col_lam
   force create mode = 660
   force directory mode = 770

[apps]
   comment = Applicazioni comuni
   path = /home/prg/applicazioni
   public = no
   writable = yes
   printable = no
   valid users = @amminrete @analogico @lamiera @col_ana @col_lam @direzione @uftec @amministrazione
   force create mode = 660
   force directory mode = 770


[uftec]
   comment = Ufficio Tecnico
   path = /home/gest/ut
   public = no
   writable = yes
   printable = no
   valid users = @uftec
   force create mode = 660
   force directory mode = 770


[direz]
   comment = Direzione
   path = /home/gest/direzione
   public = no
   writable = yes
   printable = no
   valid users = @direzione
   force create mode = 660
   force directory mode = 770

[ammin]
   comment = Amministrazione
   path = /home/gest/amministrazione
   public = no
   writable = yes
   printable = no
   valid users = @amministrazione
   force create mode = 660
   force directory mode = 770

[com]
   comment = cartella con file in comune
   path = /home/gest/comuni
   public = no
   writable = yes
   printable = no
   force create mode = 666
   force directory mode = 770
Comment 1 Gerald (Jerry) Carter (dead mail address) 2004-03-01 09:00:22 UTC
Created attachment 420
fix pointer cast in get_stored_queue_info()
Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-03-01 09:01:50 UTC
Looks like a bad pointer cast.  Try this patch.
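The bad cast in question is `IVAL(&cgdata.dptr, i*4)` at printing.c:2186: it takes the address of the pointer variable instead of the pointer, so each iteration reads from the stack slot holding `cgdata` plus `i*4`, not from the record, and with `extra_count` at 1130 the loop walks off the mapped stack (the SIGSEGV at i == 1012). The block below is an added illustration, not Samba's code or the attached patch; `TDB_DATA` and `IVAL` are minimal stand-ins written for it, the record bytes are constructed, and the corrected read `IVAL(cgdata.dptr, i*4)` sits beside the one index of the defective form that can be evaluated without going out of bounds.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-in for Samba's TDB_DATA record (constructed for this example). */
typedef struct {
    unsigned char *dptr;   /* start of the record's bytes */
    size_t dsize;          /* number of bytes at dptr */
} TDB_DATA;

/* Samba's IVAL: little-endian 32-bit read at byte offset pos of buf. */
static uint32_t IVAL(const void *buf, size_t pos) {
    const unsigned char *p = (const unsigned char *)buf + pos;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Corrected loop from get_stored_queue_info(): IVAL(cgdata.dptr, i*4), with
 * the extra_count = dsize/4 bound the original uses. Copies at most max
 * jobids into out and returns how many were read. */
static size_t read_changed_jobids(TDB_DATA cgdata, uint32_t *out, size_t max) {
    size_t extra_count = cgdata.dsize / 4, i;
    for (i = 0; i < extra_count && i < max; i++)
        out[i] = IVAL(cgdata.dptr, i * 4);  /* the pointer, not its address */
    return i;
}

/* The defective expression IVAL(&cgdata.dptr, i*4) indexes from the address
 * of the pointer variable on the stack. Only i == 0 stays inside that object,
 * so it is the one case safe to evaluate: on a little-endian host it returns
 * the low 32 bits of the pointer value, not a jobid. Larger i read past the
 * struct, which is the SIGSEGV at i == 1012 in the report. */
static uint32_t buggy_read_at_zero(TDB_DATA cgdata) {
    return IVAL(&cgdata.dptr, 0);
}

static uint32_t low32_of_pointer(const void *p) {
    return (uint32_t)((uintptr_t)p & 0xffffffffu);
}

/* Constructed record: changed jobids 1662, 1663, 1664, little-endian; the
 * first bytes match the "~\006" (0x7e 0x06) gdb printed for dptr. */
static unsigned char sample_bytes[12] = { 0x7e, 0x06, 0, 0, 0x7f, 0x06, 0, 0,
                                          0x80, 0x06, 0, 0 };

static TDB_DATA sample_record(void) {
    TDB_DATA d = { sample_bytes, sizeof sample_bytes };
    return d;
}
```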
Comment 3 Simone Lazzaris (dead mail address) 2004-03-02 01:35:37 UTC
Patch applied, seems to work so far. I'll wait a bit to test it more extensively.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2004-03-16 07:39:32 UTC
*** Bug 1192 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter (dead mail address) 2004-03-23 05:13:31 UTC
*** Bug 1209 has been marked as a duplicate of this bug. ***
Comment 6 Gerald (Jerry) Carter (dead mail address) 2004-03-31 07:08:35 UTC
*** Bug 1231 has been marked as a duplicate of this bug. ***
Comment 7 Gerald (Jerry) Carter (dead mail address) 2004-06-21 14:11:30 UTC
*** Bug 1464 has been marked as a duplicate of this bug. ***
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:25:11 UTC
database cleanup