Bug 12839 - cleanup_tmp_files() calling recursive_delete() with path=0x0
cleanup_tmp_files() calling recursive_delete() with path=0x0
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
4.5.8
All Linux
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-13 14:06 UTC by Andreas Hasenack
Modified: 2017-06-13 15:07 UTC (History)
2 users (show)

See Also:


Attachments
stacktrace (4.93 KB, text/plain)
2017-06-13 14:06 UTC, Andreas Hasenack
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Hasenack 2017-06-13 14:06:11 UTC
Created attachment 13272 [details]
stacktrace

Hello,

In Ubuntu we have been getting panic reports from a large selection of samba versions (4.1.x, 4.3.x, 4.4.x and 4.5.x) where the stacktrace shows (full text attached instead of pasted):
...
#7  invalid_name (name=0x0) at ../sysdeps/posix/opendir.c:181
No locals.
#8  __opendir (name=0x0) at ../sysdeps/posix/opendir.c:182
No locals.
#9  0x0000555e8e0ad565 in recursive_delete (path=0x0) at ../source4/smbd/server.c:55
        dir = <optimized out>
        de = <optimized out>
        __FUNCTION__ = "recursive_delete"
#10 0x0000555e8e0ade51 in cleanup_tmp_files (lp_ctx=<optimized out>) at ../source4/smbd/server.c:101
        path = <optimized out>
        mem_ctx = 0x555e8f9d31b0
...

From the code:
static void cleanup_tmp_files(struct loadparm_context *lp_ctx)
{
    char *path;
    TALLOC_CTX *mem_ctx = talloc_new(NULL);

    path = smbd_tmp_path(mem_ctx, lp_ctx, NULL);

    recursive_delete(path);
    talloc_free(mem_ctx);
}


It looks like smbd_tmp_path() returned 0x0 and that was passed on to recursive_delete() as is, resulting in the crash.

We have such reports from versions 4.1.6 all the way up to 4.5.8. I realize 4.5.8 is not the latest, but the code seems to be the same in the current git master tree.

As of this time I have no reproducer case for this.