The Samba-Bugzilla – Bug 12839
cleanup_tmp_files() calling recursive_delete() with path=0x0
Last modified: 2017-06-13 15:07:12 UTC
Created attachment 13272
In Ubuntu we have been getting panic reports from a large selection of Samba versions (4.1.x, 4.3.x, 4.4.x and 4.5.x) where the stack trace shows (full text attached instead of pasted):
#7 invalid_name (name=0x0) at ../sysdeps/posix/opendir.c:181
#8 __opendir (name=0x0) at ../sysdeps/posix/opendir.c:182
#9 0x0000555e8e0ad565 in recursive_delete (path=0x0) at ../source4/smbd/server.c:55
        dir = <optimized out>
        de = <optimized out>
        __FUNCTION__ = "recursive_delete"
#10 0x0000555e8e0ade51 in cleanup_tmp_files (lp_ctx=<optimized out>) at ../source4/smbd/server.c:101
        path = <optimized out>
        mem_ctx = 0x555e8f9d31b0
From the code:
static void cleanup_tmp_files(struct loadparm_context *lp_ctx)
        TALLOC_CTX *mem_ctx = talloc_new(NULL);
        path = smbd_tmp_path(mem_ctx, lp_ctx, NULL);
It looks like smbd_tmp_path() returned 0x0 and that was passed on to recursive_delete() as is, resulting in the crash.
We have such reports from versions 4.1.6 all the way up to 4.5.8. I realize 4.5.8 is not the latest, but the code seems to be the same in the current git master tree.
As of this time I have no reproducer case for this.
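The report traces the crash to a NULL path reaching opendir() through recursive_delete(). As an added example (not Samba code and not a fix taken from the project), here is a recursive delete that rejects a NULL or empty path before calling opendir(); the function name delete_tree_contents and its return convention are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
/* Added example, not Samba code: all names here are hypothetical. */
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete everything below `path`, leaving `path` itself in place.
 * Returns 0 on success, -1 with errno set on failure. */
int delete_tree_contents(const char *path)
{
    DIR *dir;
    struct dirent *de;
    int ret = 0, saved;

    if (path == NULL || path[0] == '\0') {
        errno = EINVAL; /* never hand a NULL name to opendir() */
        return -1;
    }
    dir = opendir(path);
    if (dir == NULL)
        return -1;
    while (ret == 0 && (de = readdir(dir)) != NULL) {
        char child[PATH_MAX];
        struct stat st;
        int n;
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
            continue;
        n = snprintf(child, sizeof(child), "%s/%s", path, de->d_name);
        if (n < 0 || (size_t)n >= sizeof(child)) {
            errno = ENAMETOOLONG;
            ret = -1;
        } else if (lstat(child, &st) != 0) { /* lstat: never follow symlinks */
            ret = -1;
        } else if (S_ISDIR(st.st_mode)) {
            if (delete_tree_contents(child) != 0 || rmdir(child) != 0)
                ret = -1;
        } else if (unlink(child) != 0) {
            ret = -1;
        }
    }
    saved = errno; /* closedir() may overwrite errno */
    closedir(dir);
    errno = saved;
    return ret;
}
```

A caller whose path lookup can fail gets -1 with errno set to EINVAL, which it can log and skip instead of crashing inside the C library.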