Hello,

With a samba 4.6.2, running in a Debian Jessie (all updated), if you run the following commands to create a DNS zone with an MX (or an NS too):

>> samba-tool dns zonecreate 127.0.0.1 testprueba.aspl.es -P

..then add NS or MX record with any of the following examples:

>> samba-tool dns add 127.0.0.1 testprueba.aspl.es @ MX 'mail.aspl.es 10' -P
>> samba-tool dns add 127.0.0.1 testprueba.aspl.es testprueba MX 'mail.aspl.es 10' -P
>> samba-tool dns add 127.0.0.1 testprueba.aspl.es 'testprueba.aspl.es' NS 'ns1.cuentadns.com' -P
>> samba-tool dns add 127.0.0.1 testprueba.aspl.es @ NS 'ns1.cuentadns.com' -P

...all of them reporting:

Record added successfully (exit 0)

Then, you query locally or remotely the server with the following:

>> samba-tool dns query 192.168.40.75 testprueba.aspl.es @ ALL -P --additional --authority

# also with:
>> samba-tool dns query 127.0.0.1 testprueba.aspl.es @ ALL -P --additional --authority

You crash the samba internal DNS server with the following error:

May 19 20:55:00 server04 samba[20484]: [2017/05/19 20:55:00.113275, 0] ../lib/util/fault.c:78(fault_report)
May 19 20:55:00 server04 samba[20484]: ===============================================================
May 19 20:55:00 server04 samba[20484]: [2017/05/19 20:55:00.116269, 0] ../lib/util/fault.c:79(fault_report)
May 19 20:55:00 server04 samba[20484]: INTERNAL ERROR: Signal 11 in pid 20484 (4.6.1)
May 19 20:55:00 server04 samba[20484]: Please read the Trouble-Shooting section of the Samba HOWTO
May 19 20:55:00 server04 samba[20484]: [2017/05/19 20:55:00.118832, 0] ../lib/util/fault.c:81(fault_report)
May 19 20:55:00 server04 samba[20484]: ===============================================================
May 19 20:55:00 server04 samba[20484]: [2017/05/19 20:55:00.120235, 0] ../lib/util/fault.c:151(smb_panic_default)
May 19 20:55:00 server04 samba[20484]: PANIC: internal error
May 19 20:55:00 server04 samba[20465]: [2017/05/19 20:55:00.126508, 0] ../source4/smbd/process_standard.c:127(standard_child_pipe_handler)
May 19 20:55:00 server04 samba[20465]: Child 20484 (rpc) terminated with signal 6

The only way to recover from this error is to completely restart Samba:

>> /etc/init.d/samba restart

I'm investigating the bug to see if it happens the same with Samba 4.6.3 and latest components.

Best Regards,
Hello, Just confirm same happens with latest samba 4.6.3 (with tdb 1.3.13, talloc 2.1.9, tevent 0.9.31, ldb 1.1.29). Best Regards,
Here is the backtrace where the segfault happens upon sending zone list request. The process that is failing is the one holding 135/tcp, 1024/tcp and 1025/tcp ports:

tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 385/samba <---
tcp 0 0 0.0.0.0:1025 0.0.0.0:* LISTEN 385/samba <---
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 385/samba <---

Program received signal SIGSEGV, Segmentation fault.
0x00007f71d8de6df9 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
(gdb) thread apply all bt

Thread 1 (Thread 0x7f71e8f2d700 (LWP 2019)):
#0 0x00007f71d8de6df9 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#1 0x00007f71d8de7dbe in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#2 0x00007f71d8de8798 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#3 0x00007f71d8db1517 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#4 0x00007f71d8db1fa4 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#5 0x00007f71d8db3918 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#6 0x00007f71e658854e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#7 0x00007f71e6588621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#8 0x00007f71e6588648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#9 0x00007f71e39ddaa3 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-binding.so.0
#10 0x00007f71e658854e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#11 0x00007f71e6588621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#12 0x00007f71e6588648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#13 0x00007f71e3bf7234 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#14 0x00007f71e3bf745e in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#15 0x00007f71e658854e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#16 0x00007f71e6588621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#17 0x00007f71e6588648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#18 0x00007f71e3bf6784 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#19 0x00007f71e658854e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#20 0x00007f71e6588621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#21 0x00007f71e6588746 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#22 0x00007f71e658795b in tevent_common_loop_immediate () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#23 0x00007f71e6590bce in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#24 0x00007f71e658d971 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#25 0x00007f71e6586805 in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#26 0x00007f71e6586b15 in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#27 0x00007f71e658da13 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#28 0x00007f71e6586bb8 in _tevent_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#29 0x00007f71dc40ef1a in ?? () from /usr/lib/x86_64-linux-gnu/samba/process_model/standard.so
#30 0x00007f71e7e4e6a0 in task_server_startup () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#31 0x00007f71e7e4cacd in ?? () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#32 0x00007f71e7e4cc10 in server_service_startup () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#33 0x00007f71e8d60d64 in _start ()
Adding full stack trace with debugging symbols where the crash happens:

Program received signal SIGSEGV, Segmentation fault.
dnsserver_enumerate_records (dsstate=0x7f863a066fa0, mem_ctx=0x7f8639a00320, z=0x7f863a2626c0, client_version=458752, node_name=0x7f8639d25e00 "@", start_child=0x0, record_type=DNS_TYPE_ALL, select_flag=17, filter_start=0x0, filter_stop=0x0, buffer_length=0x7f8639deadb0, buffer=0x7f8639efad10) at ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1844
1844 ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c: No existe el fichero o el directorio.
(gdb) thread apply all bt

Thread 1 (Thread 0x7f8637fd0700 (LWP 26768)):
#0 dnsserver_enumerate_records (dsstate=0x7f863a066fa0, mem_ctx=0x7f8639a00320, z=0x7f863a2626c0, client_version=458752, node_name=0x7f8639d25e00 "@", start_child=0x0, record_type=DNS_TYPE_ALL, select_flag=17, filter_start=0x0, filter_stop=0x0, buffer_length=0x7f8639deadb0, buffer=0x7f8639efad10) at ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1844
#1 0x00007f8627e8bd9e in dcesrv_DnssrvEnumRecords2 (dce_call=0x7f8639a00320, mem_ctx=0x7f8639a00320, r=0x7f863a0440d0) at ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:2285
#2 0x00007f8627e8c778 in dnsserver__op_dispatch (dce_call=0x7f8639a00320, mem_ctx=0x7f8639a00320, r=0x7f863a0440d0) at default/librpc/gen_ndr/ndr_dnsserver_s.c:157
#3 0x00007f8627e554f7 in dcesrv_request (call=0x7f8639a00320) at ../source4/rpc_server/dcerpc_server.c:1648
#4 0x00007f8627e55f84 in dcesrv_process_ncacn_packet (dce_conn=0x7f863a1f2960, pkt=0x7f863a560730, blob=...) at ../source4/rpc_server/dcerpc_server.c:1970
#5 0x00007f8627e578f8 in dcesrv_read_fragment_done (subreq=0x0) at ../source4/rpc_server/dcerpc_server.c:2542
#6 0x00007f863562c54e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#7 0x00007f863562c621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#8 0x00007f863562c648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#9 0x00007f8632a81aa3 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-binding.so.0
#10 0x00007f863562c54e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#11 0x00007f863562c621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#12 0x00007f863562c648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#13 0x00007f8632c9b234 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#14 0x00007f8632c9b45e in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#15 0x00007f863562c54e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#16 0x00007f863562c621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#17 0x00007f863562c648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#18 0x00007f8632c9a784 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#19 0x00007f863562c54e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#20 0x00007f863562c621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#21 0x00007f863562c746 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#22 0x00007f863562b95b in tevent_common_loop_immediate () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#23 0x00007f8635634bce in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#24 0x00007f8635631971 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#25 0x00007f863562a805 in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#26 0x00007f863562ab15 in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#27 0x00007f8635631a13 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#28 0x00007f863562abb8 in _tevent_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#29 0x00007f862b4b1f1a in ?? () from /usr/lib/x86_64-linux-gnu/samba/process_model/standard.so
#30 0x00007f8636ef26a0 in task_server_startup () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#31 0x00007f8636ef0acd in ?? () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#32 0x00007f8636ef0c10 in server_service_startup () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#33 0x00007f8637e04d64 in _start ()
(gdb)
Created attachment 13228
Patch to fix the problem and make it work MX and NS records

Patch against ./source4/rpc_server/dnsserver/dcerpc_dnsserver.c as released by Samba 4.6.3
Hello,

I've attached a patch that fixes reported issue.

In short, dnsserver_enumerate_records () implementation has several bugs around res variable usage. It calls in several places to:

talloc_free (res);

..but without nullifying it. This causes that next iterations or usages of res reference causes double deallocation or wrong memory access reference.

Patch only nullifies after talloc_free ():

talloc_free (res);
res = NULL;

..and also, makes sure dns_fill_records_array () does not receive a pointer to unavailable records by changing:

res->msgs[0], 0, recs,

by:

(res && res->count > 0) ? res->msgs[0] : NULL, 0, recs,

I can confirm after applying this patch, you can create NS and MX records and the call to:

>> samba-tool dns query 127.0.0.1 testprueba.aspl.es @ ALL -P --additional --authority

...and it reports all records without breaking samba.

Best Regards,
Created attachment 13229
git-am fix for master.

We already have a macro, TALLOC_FREE(x) which calls talloc_free(x) and sets x to NULL.

Can you test the attached patch and let me know if it also fixes your bug? If so I'll get it into master and get it back ported to supported releases.

Thanks,
Jeremy.
Ping. Francis, can you confirm this fixes your problem ? Thanks. Jeremy.
Hello Jeremy, Sorry for the delay. I'll check proposed patch to let you know if it fixes the issue. I'll keep you updated, Best Regards,
Ping ! Can you confirm this, I'd like to get this fixed and pushed into release versions. Thanks, Jeremy.
Hello,

Sorry for the delay. Just confirm last patch proposed does not work. It misses the following that was included in the first patch:

1848c1846 < (res && res->count > 0) ? res->msgs[0] : NULL, 0, recs, --- > res->msgs[0], 0, recs,

In essence, current code assumes res->msgs[0] is always present and has a valid reference to "res", but that's not the case as described (it might be NULL or might have res->count == 0).

I'm attaching updated patch based on latest proposed (git-am fix for master) that includes this fix too.

Best Regards,
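Review bot: on the `<` line of hunk 1848c1846, the guard `(res && res->count > 0) ? res->msgs[0] : NULL` now passes NULL as the message argument whenever the lookup returned nothing, so the change should come with a check, or at least a comment, that the function receiving this argument accepts a NULL message; these lines do not show that. The hunk is also in modified -> orig direction (the guarded line is on the `<` side), so it needs regenerating before it can be applied.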
Created attachment 13290
Latest patch fixing res->msgs[0] reference
Sorry, I'm attaching updated patch with the right direction (orig -> modified), Best Regards,
Created attachment 13291
Latest patch fixing res->msgs[0] reference (Right direction)
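A small C model of the two fixes discussed in the comments above, added here as an illustration and not taken from the Samba source or the attached patches. It shows why clearing the pointer after freeing it is not enough without the count guard; `struct result`, `search()`, `first_msg()` and `enumerate()` are hypothetical stand-ins, and `malloc`/`free` replace talloc.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a search result (not Samba's real type). */
struct result {
    unsigned int count;
    const char **msgs;
};

/* Free and clear in one step, the same idea as TALLOC_FREE(x). */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Hypothetical lookup: returns a result holding n messages; n may be 0. */
static struct result *search(const char **store, unsigned int n)
{
    struct result *res = calloc(1, sizeof(*res));
    if (res == NULL) return NULL;
    res->count = n;
    res->msgs = (n > 0) ? store : NULL;
    return res;
}

/* The guard from the thread: only touch msgs[0] when it exists. */
static const char *first_msg(const struct result *res)
{
    return (res && res->count > 0) ? res->msgs[0] : NULL;
}

/* Models the enumerate path: look up the node, optionally drop the
 * result on an earlier branch, then hand the first message on.
 * Returns 1 if a record was available, 0 if the consumer gets NULL. */
int enumerate(const char **store, unsigned int n, int drop_result)
{
    struct result *res = search(store, n);
    if (drop_result) {
        FREE_AND_NULL(res);  /* a plain free(res) would leave it dangling */
    }
    /* An unguarded res->msgs[0] here faults when res is NULL or empty. */
    const char *msg = first_msg(res);
    int have = (msg != NULL);
    FREE_AND_NULL(res);      /* safe even if already cleared */
    return have;
}

int main(void)
{
    const char *store[] = { "MX mail.example.test 10" };  /* constructed sample */
    printf("%d %d %d\n", enumerate(store, 1, 0),
           enumerate(store, 0, 0), enumerate(store, 1, 1));
    return 0;
}
```

The second and third calls are the cases the thread describes: a result with `count == 0` and a result that was already freed and cleared.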
to reproduce in a testenv:

$ bin/samba-tool dns zonecreate $SERVER_IP test.$DNSNAME -P -U$USERNAME%$PASSWORD
$ bin/samba-tool dns add $SERVER_IP test.$DNSNAME @ MX "mail.$DNSNAME 10" -U$USERNAME%$PASSWORD
$ bin/samba-tool dns query $SERVER_IP test.$DNSNAME @ ALL -P --additional --authority -U$USERNAME%$PASSWORD
Created attachment 16179
updated patch

The existing patches have bit-rotted due to other DNS fixes. Francis was correct to say Jeremy's patch was insufficient.
Comment on attachment 16179
updated patch

woops too much history!
Created attachment 16180
the correct patch
Comment on attachment 16180
the correct patch

LGTM.
This bug was referenced in samba v4-13-stable (Release samba-4.13.1): 4cbf95e731b39b2dbfec02f33fd6b195d0b0f7a8 862d6fb6f3235126c96683516c12a284bcf84901
This bug was referenced in samba v4-12-stable (Release samba-4.12.9): 2d7d1dff7d20d5b06ff50452e7f714af9f6a109e 425c31a599bb96c7d01273fc50b682bc42dbed57
This bug was referenced in samba v4-11-stable (Release samba-4.11.15): 2632e8ebae826a7305fe7d3948ee28b77d2ffbc0 8e09649351e9e8143b4bd0b76bcbd2cfb4d2f281
This bug was referenced in samba v4-13-test: 4cbf95e731b39b2dbfec02f33fd6b195d0b0f7a8 862d6fb6f3235126c96683516c12a284bcf84901
This bug was referenced in samba v4-12-test: 2d7d1dff7d20d5b06ff50452e7f714af9f6a109e 425c31a599bb96c7d01273fc50b682bc42dbed57
This bug was referenced in samba v4-11-test: 2632e8ebae826a7305fe7d3948ee28b77d2ffbc0 8e09649351e9e8143b4bd0b76bcbd2cfb4d2f281