Bug 14367 - smbd panic in smbd_do_query_getinfo_quota
Summary: smbd panic in smbd_do_query_getinfo_quota
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.9.13
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2020-05-05 16:34 UTC by Lev
Modified: 2020-05-05 16:34 UTC
CC List: 0 users

See Also:
Description Lev 2020-05-05 16:34:28 UTC
After upgrading to Samba 4.9.13, smbd panicked in smbd_do_query_getinfo_quota on a NULL pointer exception. The client application sent an SMB2_OP_GETINFO request with in_info_type == SMB2_GETINFO_QUOTA, but fsp->fake_file_handle is NULL:

(gdb) bt
...
#7  <signal handler called>
#8  smbd_do_query_getinfo_quota (mem_ctx=0x556f479c9500, fsp=0x556f47a0b360, restart_scan=true, return_single=false, sid_list_length=0, sid_buf=0x7ffe8408ef60, max_data_count=4096, p_data=0x7ffe8408ef10, p_data_size=0x7ffe8408ef08) at ../source3/smbd/nttrans.c:2503
#9  0x00007f56ad912107 in smbd_smb2_getinfo_send (mem_ctx=0x556f479cb650, ev=0x556f47979020, smb2req=0x556f479cb650, fsp=0x556f47a0b360, in_info_type=4 '\004', in_file_info_class=32 ' ', in_output_buffer_length=4096, in_input_buffer=...,  in_additional_information=0, in_flags=0) at ../source3/smbd/smb2_getinfo.c:600
#10 0x00007f56ad9108a9 in smbd_smb2_request_process_getinfo (req=0x556f479cb650) at ../source3/smbd/smb2_getinfo.c:125
#11 0x00007f56ad8ea4a2 in smbd_smb2_request_dispatch (req=0x556f479cb650) at ../source3/smbd/smb2_server.c:2787
#12 0x00007f56ad8ee991 in smbd_smb2_io_handler (xconn=0x556f479ac0a0, fde_flags=1) at ../source3/smbd/smb2_server.c:4041
#13 0x00007f56ad8eeaab in smbd_smb2_connection_handler (ev=0x556f47979020, fde=0x556f4799dc40, flags=1, private_data=0x556f479ac0a0) at ../source3/smbd/smb2_server.c:4079
#14 0x00007f56ac5c2e04 in tevent_common_invoke_fd_handler (fde=0x556f4799dc40, flags=1, removed=0x0) at ../lib/tevent/tevent_fd.c:137
#15 0x00007f56ac5cd6d9 in epoll_event_loop (epoll_ev=0x556f479a63a0, tvalp=0x7ffe8408f2a0) at ../lib/tevent/tevent_epoll.c:736
#16 0x00007f56ac5cddad in epoll_event_loop_once (ev=0x556f47979020, location=0x7f56ada4f3c0 "../source3/smbd/process.c:4130") at ../lib/tevent/tevent_epoll.c:937
#17 0x00007f56ac5ca5b9 in std_event_loop_once (ev=0x556f47979020, location=0x7f56ada4f3c0 "../source3/smbd/process.c:4130") at ../lib/tevent/tevent_standard.c:110
#18 0x00007f56ac5c202f in _tevent_loop_once (ev=0x556f47979020, location=0x7f56ada4f3c0 "../source3/smbd/process.c:4130") at ../lib/tevent/tevent.c:772
#19 0x00007f56ac5c2381 in tevent_common_loop_wait (ev=0x556f47979020, location=0x7f56ada4f3c0 "../source3/smbd/process.c:4130") at ../lib/tevent/tevent.c:895
#20 0x00007f56ac5ca65b in std_event_loop_wait (ev=0x556f47979020, location=0x7f56ada4f3c0 "../source3/smbd/process.c:4130") at ../lib/tevent/tevent_standard.c:141
#21 0x00007f56ac5c2424 in _tevent_loop_wait (ev=0x556f47979020, location=0x7f56ada4f3c0 "../source3/smbd/process.c:4130") at ../lib/tevent/tevent.c:914
#22 0x00007f56ad8cca93 in smbd_process (ev_ctx=0x556f47979020, msg_ctx=0x556f47989810, sock_fd=39, interactive=false) at ../source3/smbd/process.c:4130
...

(gdb) f 8
#8  smbd_do_query_getinfo_quota (mem_ctx=0x556f479c9500, fsp=0x556f47a0b360, restart_scan=true, return_single=false, sid_list_length=0, sid_buf=0x7ffe8408ef60, max_data_count=4096, p_data=0x7ffe8408ef10, p_data_size=0x7ffe8408ef08) at ../source3/smbd/nttrans.c:2503
2503    ../source3/smbd/nttrans.c: No such file or directory.
(gdb) p fsp->fake_file_handle
$1 = (struct fake_file_handle *) 0x0
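Added illustration, not Samba's code and not the fix for this bug: a self-contained C model of the GETINFO dispatch path from the backtrace, showing the pointer chain being validated before the quota handler touches fsp->fake_file_handle. The struct layout, the enum and the NT status values are simplified stand-ins assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define SMB2_GETINFO_QUOTA 0x04        /* in_info_type=4 seen in frame #9 */
#define NT_STATUS_OK             0x00000000u
#define NT_STATUS_INVALID_HANDLE 0xC0000008u
enum fake_file_type { FAKE_FILE_TYPE_NONE = 0, FAKE_FILE_TYPE_QUOTA };

struct fake_file_handle {          /* simplified model of the fake handle */
	enum fake_file_type type;
	void *private_data;            /* the quota handle is stored here */
};

struct files_struct {              /* simplified model of fsp */
	struct fake_file_handle *fake_file_handle;  /* NULL for ordinary files */
};

/* A quota query is only meaningful on a handle opened on the fake quota
 * file; every pointer the quota path dereferences is validated here. */
static int quota_handle_is_valid(const struct files_struct *fsp)
{
	return fsp != NULL &&
	       fsp->fake_file_handle != NULL &&
	       fsp->fake_file_handle->type == FAKE_FILE_TYPE_QUOTA &&
	       fsp->fake_file_handle->private_data != NULL;
}

/* Model dispatch: fail the quota class cleanly for an ordinary handle. */
uint32_t getinfo_dispatch(const struct files_struct *fsp, uint8_t in_info_type)
{
	if (in_info_type != SMB2_GETINFO_QUOTA)
		return NT_STATUS_OK;       /* other info classes not modelled */
	if (!quota_handle_is_valid(fsp))
		return NT_STATUS_INVALID_HANDLE;
	(void)fsp->fake_file_handle->private_data;  /* safe after the guard */
	return NT_STATUS_OK;
}

/* Constructed case 1: the reported situation, an ordinary file handle. */
uint32_t probe_ordinary_file(void)
{
	struct files_struct fsp = { NULL };
	return getinfo_dispatch(&fsp, SMB2_GETINFO_QUOTA);
}

/* Constructed case 2: a handle opened on the fake quota file. */
uint32_t probe_quota_file(void)
{
	int quota_state = 0;
	struct fake_file_handle fh = { FAKE_FILE_TYPE_QUOTA, &quota_state };
	struct files_struct fsp = { &fh };
	return getinfo_dispatch(&fsp, SMB2_GETINFO_QUOTA);
}
```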