Relevant area - samba 4.12:
```c
/* extract filename and path */
base = strrchr(smb_fname->base_name, '/');
if (base == NULL) {
	base = smb_fname->base_name;
	path_name = SMB_STRDUP("/");
	ALLOC_CHECK(path_name, done);
} else {
	path_name = SMB_STRDUP(smb_fname->base_name);
	ALLOC_CHECK(path_name, done);
	path_name[base - smb_fname->base_name] = '\0';
	base++;
}
```
Samba 4.15:
```c
/* extract filename and path */
base = strrchr(full_fname->base_name, '/');
if (base == NULL) {
	base = full_fname->base_name;
	path_name = SMB_STRDUP("/");
	ALLOC_CHECK(path_name, done);
} else {
	path_name = SMB_STRDUP(full_fname->base_name);
	ALLOC_CHECK(path_name, done);
	path_name[base - smb_fname->base_name] = '\0';
	base++;
}
```
So between versions we switched from
```
base = strrchr(smb_fname->base_name, '/');
```
to
```
base = strrchr(full_fname->base_name, '/');
```
where `full_fname` is the value returned by `full_path_from_dirfsp_atname(talloc_tos(), dirfsp, smb_fname);`. Hence the crash is now (potentially) in:
```
path_name[base - smb_fname->base_name] = '\0';
```
`base` now points into `full_fname->base_name`, but the offset is still computed against `smb_fname->base_name`, a different string, so the index written into `path_name` (a copy of `full_fname->base_name`) can land outside that buffer.
The stacktrace:
```
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f0273914537 in __GI_abort () at abort.c:79
#2 0x00007f0273bb97e0 in dump_core () at ../../source3/lib/dumpcore.c:338
#3 0x00007f0273bac711 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:704
#4 0x00007f0273e9ccaa in smb_panic (why=why@entry=0x7ffcf4120ed0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:197
#5 0x00007f0273e9cd31 in fault_report (sig=11) at ../../lib/util/fault.c:81
#6 sig_fault (sig=11) at ../../lib/util/fault.c:92
#7 <signal handler called>
#8 0x00007f02718eeace in recycle_unlink_internal (flags=0, smb_fname=0x561c2b1a1770, dirfsp=0x561c2b19bda0, handle=0x561c2b180af0) at ../../source3/modules/vfs_recycle.c:583
#9 recycle_unlinkat (handle=0x561c2b180af0, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a1770, flags=0) at ../../source3/modules/vfs_recycle.c:741
#10 0x00007f027163f521 in streams_xattr_unlink_internal (flags=0, 
smb_fname=0x561c2b1a1770, dirfsp=0x561c2b19bda0, handle=0x561c2b180d70) at ../../source3/modules/vfs_streams_xattr.c:504 #11 streams_xattr_unlinkat (handle=0x561c2b180d70, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a1770, flags=0) at ../../source3/modules/vfs_streams_xattr.c:546 #12 0x00007f027160ecb5 in catia_unlinkat (handle=0x561c2b1839e0, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a8ad0, flags=0) at ../../source3/modules/vfs_catia.c:694 #13 0x00007f0274078d20 in close_remove_share_mode (close_type=NORMAL_CLOSE, fsp=0x561c2b19bb90) at ../../source3/smbd/close.c:479 #14 close_normal_file (close_type=NORMAL_CLOSE, fsp=0x561c2b19bb90, req=0x561c2b197360) at ../../source3/smbd/close.c:804 #15 close_file (req=req@entry=0x561c2b197360, fsp=fsp@entry=0x561c2b19bb90, close_type=close_type@entry=NORMAL_CLOSE) at ../../source3/smbd/close.c:1509 #16 0x00007f02740b213b in smbd_smb2_close (req=req@entry=0x561c2b18cd80, fsp=fsp@entry=0x561c2b19bb90, in_flags=in_flags@entry=0, out_flags=0x561c2b0969b2, out_creation_ts=0x561c2b0969b8, out_last_access_ts=0x561c2b0969c8, out_last_write_ts=0x561c2b0969d8, out_change_ts=0x561c2b0969e8, out_allocation_size=0x561c2b0969f8, out_end_of_file=0x561c2b096a00, out_file_attributes=0x561c2b096a08) at ../../source3/smbd/smb2_close.c:277 #17 0x00007f02740b28f2 in smbd_smb2_close_send (in_flags=<optimized out>, in_fsp=<optimized out>, smb2req=0x561c2b18cd80, ev=0x561c2b0acad0, mem_ctx=0x561c2b18cd80) at ../../source3/smbd/smb2_close.c:393 #18 smbd_smb2_request_process_close (req=req@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_close.c:72 #19 0x00007f02740a6cb0 in smbd_smb2_request_dispatch (req=req@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_server.c:3400 #20 0x00007f02740a7d8d in smbd_smb2_request_dispatch_immediate (ctx=ctx@entry=0x561c2b0acad0, im=<optimized out>, im@entry=0x561c2b1a7c70, private_data=private_data@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_server.c:3809 #21 0x00007f0273c2d952 in 
tevent_common_invoke_immediate_handler (im=0x561c2b1a7c70, removed=removed@entry=0x0) at ../../lib/tevent/tevent_immediate.c:190 #22 0x00007f0273c2d97a in tevent_common_loop_immediate (ev=ev@entry=0x561c2b0acad0) at ../../lib/tevent/tevent_immediate.c:236 #23 0x00007f0273c3371c in epoll_event_loop_once (ev=0x561c2b0acad0, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:918 #24 0x00007f0273c31a87 in std_event_loop_once (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent_standard.c:110 #25 0x00007f0273c2c824 in _tevent_loop_once (ev=ev@entry=0x561c2b0acad0, location=location@entry=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent.c:790 #26 0x00007f0273c2cb0b in tevent_common_loop_wait (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent.c:913 #27 0x00007f0273c31a27 in std_event_loop_wait (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent_standard.c:141 #28 0x00007f0274094b50 in smbd_process (ev_ctx=ev_ctx@entry=0x561c2b0acad0, msg_ctx=msg_ctx@entry=0x561c2b091de0, dce_ctx=dce_ctx@entry=0x561c2b0a8590, sock_fd=sock_fd@entry=51, interactive=interactive@entry=false) at ../../source3/smbd/process.c:4246 #29 0x0000561c29f22885 in smbd_accept_connection (ev=0x561c2b0acad0, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/server.c:1021 #30 0x00007f0273c2d3e1 in tevent_common_invoke_fd_handler (fde=fde@entry=0x561c2b0d15e0, flags=1, removed=removed@entry=0x0) at ../../lib/tevent/tevent_fd.c:142 #31 0x00007f0273c33947 in epoll_event_loop (tvalp=0x7ffcf4122640, epoll_ev=0x561c2b0b3aa0) at ../../lib/tevent/tevent_epoll.c:736 #32 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:937 #33 0x00007f0273c31a87 in std_event_loop_once (ev=0x561c2b0acad0, location=0x561c29f286e0 
"../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent_standard.c:110 #34 0x00007f0273c2c824 in _tevent_loop_once (ev=ev@entry=0x561c2b0acad0, location=location@entry=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent.c:790 #35 0x00007f0273c2cb0b in tevent_common_loop_wait (ev=0x561c2b0acad0, location=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent.c:913 #36 0x00007f0273c31a27 in std_event_loop_wait (ev=0x561c2b0acad0, location=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent_standard.c:141 #37 0x0000561c29f1db5f in smbd_parent_loop (parent=0x561c2b0b7060, ev_ctx=0x561c2b0acad0) at ../../source3/smbd/server.c:1365 #38 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2190 ```
https://gitlab.com/samba-team/samba/-/merge_requests/2232
Ah, thanks Andrew! That (smb_fname -> full_fname) was the change I was missing :-). Thanks!
This bug was referenced in samba master: be3a47e22ad6be204f4a7d6070f82f990c17e6fb
Created attachment 16904 [details] git-am fix for 4.15.next. Cherry-pick from master.
Reassigning to Jule for inclusion in 4.15.
Pushed to autobuild-v4-15-test.
This bug was referenced in samba v4-15-test: 4d68d797f187358e6b328550999ddff5bf755df0
Closing out bug report. Thanks!
This bug was referenced in samba v4-15-stable (Release samba-4.15.3): 4d68d797f187358e6b328550999ddff5bf755df0