Bug 11509 - libsmbclient : crash when the DFS targets are disabled
Summary: libsmbclient : crash when the DFS targets are disabled
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.1.12
Hardware: All All
: P5 major (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-10 10:45 UTC by hargagan
Modified: 2015-10-12 18:51 UTC (History)
4 users (show)

See Also:

Attachments
screenshot showing number of referrals as zero. (57.84 KB, image/png)
2015-09-10 10:45 UTC, hargagan 		no flags Details
Probable fix for the crash when dfs targets are disabled (901 bytes, patch)
2015-09-10 10:48 UTC, hargagan 		no flags Details
git-am fix for 4.3.x, 4.2.x. (1.16 KB, patch)
2015-09-11 19:22 UTC, Jeremy Allison 		jra: review? (ira)
slow: review+
obnox: review+
Details
Same patch with cherry-pick info. (1.23 KB, patch)
2015-09-17 16:38 UTC, Jeremy Allison 		no flags Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description hargagan 2015-09-10 10:45:23 UTC 
Created attachment 11423 [details]
screenshot showing number of referrals as zero.

Observing random crashes in smbclient library when the dfs targets are disabled. One of such instance is :

************************************************************
#0  cli_ntcreate (cli=0x0, fname=0x0, CreatFlags=0, DesiredAccess=131072, FileAttributes=0, ShareAccess=3, CreateDisposition=1, CreateOptions=0, SecurityFlags=0 '\000', 
    pfid=0x7f8783df061e, cr=0x0) at ../source3/libsmb/clifile.c:1939
#1  0x00007f87a071348d in cacl_get (context=0x6b9ce0, ctx=0x7f877400e420, srv=0x6a68c0, ipc_cli=0x6b0ac0, pol=0x6a06d4, filename=0x7f8774008410 "\\Target30", 
    attr_name=0x7f87a0934b9d "system.nt_sec_desc.*", buf=0x0, bufsize=0) at ../source3/libsmb/libsmb_xattr.c:908
#2  0x00007f87a07151b9 in SMBC_getxattr_ctx (context=0x6b9ce0, fname=<optimized out>, name=0x7f87a0934b9d "system.nt_sec_desc.*", value=0x0, size=0) at ../source3/libsmb/libsmb_xattr.c:2194
#3 0x00007f87a092ab34 in Testsmb()
#4 0x00007f87a28cb65d in clone () from /lib64/libc.so.6
#5 0x0000000000000000 in ?? ()
************************************************************


Other instance was this :
************************************************************
#0  cli_list (cli=0x0, mask=0x0, attribute=22, fn=0x7f49f3decc70 <dir_list_fn>, state=0x6b40c0) at ../source3/libsmb/clilist.c:944
#1  0x00007f49f3ded96e in SMBC_opendir_ctx (context=0x6b3f50, fname=<optimized out>) at ../source3/libsmb/libsmb_dir.c:870
#2  0x00007f49f40143ed in Testsmb() 
#3  0x00007f49f5fb065d in clone () from /lib64/libc.so.6
#4  0x0000000000000000 in ?? ()
************************************************************

After debugging found that the packet trace is showing the number of referrals are zero. This happens when the dfs targets are disabled. Attaching the screen shot of the packet trace showing that the number of referrals as zero.
Comment 1 hargagan 2015-09-10 10:48:19 UTC 
Created attachment 11424 [details]
Probable fix for the crash when dfs targets are disabled

The crash is seen when the targetcli returned from cli_resolve_path() is null. This is happening as there is failure condition hen the number of referrals are zero. As a result the code doesn't stop processing and continue with cli as null.

The fix is targeting the condition and returning NT_STATUS_NOT_FOUND when number of referrals are coming as zero.
Comment 2 Jeremy Allison 2015-09-11 19:22:00 UTC 
Created attachment 11431 [details]
git-am fix for 4.3.x, 4.2.x.

Fix that went into master. Applies cleanly to 4.3.x, 4.2.x.
Comment 3 Ralph Böhme 2015-09-17 04:38:36 UTC 
Comment on attachment 11431 [details]
git-am fix for 4.3.x, 4.2.x.

Patch is missing cherry-picked-from, besides that: review +.
Comment 4 Michael Adam 2015-09-17 05:33:25 UTC 
Comment on attachment 11431 [details]
git-am fix for 4.3.x, 4.2.x.

As Ralph wrote: cherry-pick tags missing. Apart from that: good.
Comment 5 Jeremy Allison 2015-09-17 16:38:05 UTC 
Created attachment 11448 [details]
Same patch with cherry-pick info.
Comment 6 Jeremy Allison 2015-09-17 16:38:27 UTC 
Re-assigning to Karolin for inclusion in 4.3.next, 4.2.next.
Comment 7 Karolin Seeger 2015-10-05 07:07:52 UTC 
(In reply to Jeremy Allison from comment #6)
Pushed to autobuild-v4-[2|3]-test.
Comment 8 Karolin Seeger 2015-10-12 18:51:32 UTC 
(In reply to Karolin Seeger from comment #7)
Pushed to both branches. 
Closing out bug report.

Thanks!