Bug 15267 - Crash during share enumeration
Summary: Crash during share enumeration
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.17.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-20 15:51 UTC by Andrew Walker
Modified: 2023-02-16 16:37 UTC (History)
3 users (show)

See Also:


Attachments
git-am fix for 4.17.next, 4.16.next. (1.48 KB, patch)
2022-12-20 19:14 UTC, Jeremy Allison
jra: review? (awalker)
slow: review+
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Walker 2022-12-20 15:51:45 UTC
I haven't been able to reproduce this one, but have received a couple of corefiles from end-users:

```
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f6198b5c537 in __GI_abort () at abort.c:79
#2  0x00007f6199e63960 in dump_core () at ../../source3/lib/dumpcore.c:338
#3  0x00007f6199e70f01 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:713
#4  0x00007f61993e98ea in smb_panic (why=why@entry=0x7ffdf6039fd0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:198
#5  0x00007f61993e9971 in fault_report (sig=11) at ../../lib/util/fault.c:82
#6  sig_fault (sig=11) at ../../lib/util/fault.c:93
#7  <signal handler called>
#8  0x00007f6199d55090 in lpcfg_service_ok (service=0x0) at ../../lib/param/loadparm.c:966
#9  0x00007f6199e4488a in lp_do_section (pszSectionName=0x56295345d540 "vr", userdata=userdata@entry=0x0) at ../../source3/param/loadparm.c:2893
#10 0x00007f6199e44ebb in process_smbconf_service (service=0x56295345b530) at ../../source3/param/loadparm.c:2184
#11 process_registry_shares () at ../../source3/param/loadparm.c:2309
#12 0x00007f61998fc9e9 in load_registry_shares () at ../../source3/param/service.c:61
#13 0x0000562952d4b4ca in init_srv_share_info_ctr (p=p@entry=0x5629534620b8, info_ctr=0x562953448f10, resume_handle_p=0x0, total_entries=0x562953462cb0, all_shares=all_shares@entry=true)
    at ../../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:641
#14 0x0000562952d4d515 in _srvsvc_NetShareEnumAll (p=p@entry=0x5629534620b8, r=r@entry=0x56295345a0f0) at ../../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1720
#15 0x0000562952d5082e in srvsvc__op_dispatch_internal (dce_call=0x5629534474b0, mem_ctx=<optimized out>, r=0x56295345a0f0, dispatch=S3COMPAT_RPC_DISPATCH_EXTERNAL)
    at ./librpc/gen_ndr/ndr_srvsvc_scompat.c:296
#16 0x00007f6199e09374 in dcesrv_request (call=0x5629534474b0) at ../../librpc/rpc/dcesrv_core.c:1957
#17 dcesrv_process_ncacn_packet (blob=..., pkt=<optimized out>, dce_conn=0x562953455100) at ../../librpc/rpc/dcesrv_core.c:2381
#18 dcesrv_loop_next_packet (dce_conn=0x562953455100, pkt=<optimized out>, buffer=...) at ../../librpc/rpc/dcesrv_core.c:2923
#19 0x00007f6199e0a208 in dcesrv_read_fragment_done (subreq=<optimized out>) at ../../librpc/rpc/dcesrv_core.c:2901
#20 0x00007f61993abde7 in dcerpc_read_ncacn_packet_done (subreq=<optimized out>) at ../../librpc/rpc/dcerpc_util.c:630
#21 0x00007f6199ded1d0 in tstream_readv_pdu_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket_helpers.c:320
#22 0x00007f6199debf6a in tstream_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket.c:604
#23 0x00007f619a0b0a62 in tevent_common_invoke_immediate_handler (im=0x56295343fb40, removed=removed@entry=0x0) at ../../lib/tevent/tevent_immediate.c:190
#24 0x00007f619a0b0a8a in tevent_common_loop_immediate (ev=ev@entry=0x56295341d9a0) at ../../lib/tevent/tevent_immediate.c:236
#25 0x00007f619a0b68bc in epoll_event_loop_once (ev=0x56295341d9a0, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:919
#26 0x00007f619a0b4c27 in std_event_loop_once (ev=0x56295341d9a0, location=0x7f6199d1ce00 "../../source3/rpc_server/rpc_worker.c:1199") at ../../lib/tevent/tevent_standard.c:114
#27 0x00007f619a0af8a4 in _tevent_loop_once (ev=ev@entry=0x56295341d9a0, location=location@entry=0x7f6199d1ce00 "../../source3/rpc_server/rpc_worker.c:1199") at ../../lib/tevent/tevent.c:828
#28 0x00007f6199d194ca in rpc_worker_main (argc=<optimized out>, argv=<optimized out>, daemon_config_name=daemon_config_name@entry=0x562952dae8a1 "rpcd_classic", num_workers=num_workers@entry=5, 
    idle_seconds=idle_seconds@entry=60, get_interfaces=get_interfaces@entry=0x562952d56a50 <classic_interfaces>, get_servers=0x562952d56a60 <classic_servers>, private_data=0x0)
    at ../../source3/rpc_server/rpc_worker.c:1199
#29 0x0000562952cabcfc in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/rpc_server/rpcd_classic.c:93

```
(gdb) p iServiceIndex
$1 = 1
(gdb) p ServicePtrs[iServiceIndex]
$2 = (struct loadparm_service *) 0x0
```

So it's pretty clear that the current service slot is NULL. This NULL gets passed to lpcfg_service_ok() and crashes.

If we skip this check in case of a NULL slot and move along to `add_a_service()` then the NULL slot will be used appropriately and we should be fine.

This ticket is to get a bug number for a merge request.
Comment 2 Samba QA Contact 2022-12-20 18:50:03 UTC
This bug was referenced in samba master:

5b19288949e97a5af742ff2719992d56f21e364a
Comment 3 Jeremy Allison 2022-12-20 19:14:56 UTC
Created attachment 17708 [details]
git-am fix for 4.17.next, 4.16.next.

Cherry-picked from master.
Comment 4 Ralph Böhme 2023-01-01 17:59:46 UTC
Reassiging to Jule for inclusion in 4.16 and 4.17.
Comment 5 Jule Anger 2023-01-03 17:44:43 UTC
Pushed to autobuild-v4-{17,16}-test.
Comment 6 Samba QA Contact 2023-01-03 19:20:04 UTC
This bug was referenced in samba v4-16-test:

810ae90aa6c34694c692015bb9f47f56ada811d2
Comment 7 Samba QA Contact 2023-01-04 21:24:27 UTC
This bug was referenced in samba v4-17-test:

72e6fff0e5f61ad4f0d636bcd212120805577032
Comment 8 Jule Anger 2023-01-05 09:04:26 UTC
Closing out bug report.

Thanks!
Comment 9 Samba QA Contact 2023-01-26 17:51:18 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.5):

72e6fff0e5f61ad4f0d636bcd212120805577032
Comment 10 Samba QA Contact 2023-02-16 16:37:57 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.9):

810ae90aa6c34694c692015bb9f47f56ada811d2