When called with msg == NULL in queue_msg() (source3/lib/unix_msg/unix_msg.c:474):

    474     msghdrlen = msghdr_copy(NULL, 0, NULL, 0, iov, iovcnt,
    475                             fds_copy, num_fds);

msghdr_copy() indirects the first parameter (msg) in:

    207     fd_len = msghdr_prep_fds(&msg->msg, msg->buf, bufsize, fds, num_fds);

which (should) crash. Currently on 64-bit Linux it passes an invalid pointer:

    msghdr_prep_fds (msg=0x0, buf=0xc8 <error: Cannot access memory at address 0xc8>, bufsize=0, ...)

which, as we never indirect inside msghdr_prep_fds(), allows the code to continue. This may crash on other platforms. Fix proposed to master to follow.
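The following is an added illustration of the pattern behind this report, not code from Samba or from the attached fix. It uses a constructed struct (demo_msghdr, with buf placed at offset 0xc8 so the invalid pointer value matches the gdb output above) and hypothetical helpers (demo_prep_fds, demo_msghdr_copy, demo_two_pass). The point it shows: evaluating &msg->member or msg->buf with msg == NULL is undefined behaviour even when nothing is loaded through it, and the defensive shape is to test msg before forming any pointer from it, passing NULL/0 to the size-only pass instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a message header: a fixed header region followed
 * by a payload buffer. header is sized so that buf sits at offset 0xc8,
 * the same value the report shows gdb printing for buf when msg == 0x0. */
struct demo_msghdr {
    unsigned char header[0xc8];
    unsigned char buf[128];
};

/* Constructed sample descriptors used by the two-pass demo below. */
static const int demo_fds[3] = { 3, 4, 5 };

/* Hypothetical helper (not Samba's msghdr_prep_fds): copies num_fds ints into
 * buf when buf is non-NULL and always returns the number of bytes required.
 * buf == NULL means "size only", the same convention as a msg == NULL call. */
static size_t demo_prep_fds(unsigned char *buf, size_t bufsize,
                            const int *fds, size_t num_fds)
{
    size_t need = num_fds * sizeof(int);
    if (buf != NULL) {
        if (bufsize < need) {
            return 0;            /* caller treats 0 as "does not fit" */
        }
        memcpy(buf, fds, need);
    }
    return need;
}

/* Hypothetical hardened copy routine. The NULL check happens before any
 * expression of the form msg->buf is evaluated, so the size-only pass never
 * manufactures a pointer such as (char *)0 + 0xc8. The unsafe variant would
 * simply call demo_prep_fds(msg->buf, ...) unconditionally. */
static size_t demo_msghdr_copy(struct demo_msghdr *msg, size_t bufsize,
                               const int *fds, size_t num_fds)
{
    unsigned char *buf = NULL;
    size_t real_bufsize = 0;

    if (msg != NULL) {
        buf = msg->buf;
        real_bufsize = bufsize;
    }
    return demo_prep_fds(buf, real_bufsize, fds, num_fds);
}

/* Size-only pass, as a caller like queue_msg() would do first. */
static size_t demo_size_only(size_t num_fds)
{
    return demo_msghdr_copy(NULL, 0, demo_fds, num_fds);
}

/* Full two-pass use: size with msg == NULL, then copy into a real header.
 * Returns the payload length on success, -1 on any mismatch. */
static int demo_two_pass(void)
{
    struct demo_msghdr hdr;
    size_t n = sizeof(demo_fds) / sizeof(demo_fds[0]);
    size_t need = demo_size_only(n);

    if (need == 0 || need > sizeof(hdr.buf)) {
        return -1;
    }
    memset(&hdr, 0, sizeof(hdr));
    if (demo_msghdr_copy(&hdr, sizeof(hdr.buf), demo_fds, n) != need) {
        return -1;
    }
    /* Confirm the descriptors landed in buf, not somewhere computed from NULL. */
    if (memcmp(hdr.buf, demo_fds, need) != 0) {
        return -1;
    }
    return (int)need;
}

/* Exposes the constructed layout so the 0xc8 correspondence can be checked. */
static size_t demo_buf_offset(void)
{
    return offsetof(struct demo_msghdr, buf);
}
```

Building the unsafe variant with -fsanitize=undefined is a practical way to catch this class of bug on a platform where it otherwise "works": the sanitizer reports the member access on a null pointer even though no load or store happens.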
Created attachment 12165 [details] Proposed fix for master. Once this gets accepted I'll autobuild with this bug report added to the commit message, then back-port for 4.4.x, 4.3.x.
Created attachment 12167 [details] Fix for 4.4.next, 4.3.next. Cherry-picked from master + bug report ref. added to commit message. Applies cleanly to 4.4.next, 4.3.next.
Karolin, please apply to 4.4.next, 4.3.next. Thanks! Jeremy.
(In reply to Jeremy Allison from comment #3) Pushed to autobuild-v4-[4|3]-test.
(In reply to Karolin Seeger from comment #4) Pushed to both branches. Closing out bug report. Thanks!