I haven't been able to reproduce this one, but have received a couple of corefiles from end-users: ``` (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007f6198b5c537 in __GI_abort () at abort.c:79 #2 0x00007f6199e63960 in dump_core () at ../../source3/lib/dumpcore.c:338 #3 0x00007f6199e70f01 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:713 #4 0x00007f61993e98ea in smb_panic (why=why@entry=0x7ffdf6039fd0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:198 #5 0x00007f61993e9971 in fault_report (sig=11) at ../../lib/util/fault.c:82 #6 sig_fault (sig=11) at ../../lib/util/fault.c:93 #7 <signal handler called> #8 0x00007f6199d55090 in lpcfg_service_ok (service=0x0) at ../../lib/param/loadparm.c:966 #9 0x00007f6199e4488a in lp_do_section (pszSectionName=0x56295345d540 "vr", userdata=userdata@entry=0x0) at ../../source3/param/loadparm.c:2893 #10 0x00007f6199e44ebb in process_smbconf_service (service=0x56295345b530) at ../../source3/param/loadparm.c:2184 #11 process_registry_shares () at ../../source3/param/loadparm.c:2309 #12 0x00007f61998fc9e9 in load_registry_shares () at ../../source3/param/service.c:61 #13 0x0000562952d4b4ca in init_srv_share_info_ctr (p=p@entry=0x5629534620b8, info_ctr=0x562953448f10, resume_handle_p=0x0, total_entries=0x562953462cb0, all_shares=all_shares@entry=true) at ../../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:641 #14 0x0000562952d4d515 in _srvsvc_NetShareEnumAll (p=p@entry=0x5629534620b8, r=r@entry=0x56295345a0f0) at ../../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1720 #15 0x0000562952d5082e in srvsvc__op_dispatch_internal (dce_call=0x5629534474b0, mem_ctx=<optimized out>, r=0x56295345a0f0, dispatch=S3COMPAT_RPC_DISPATCH_EXTERNAL) at ./librpc/gen_ndr/ndr_srvsvc_scompat.c:296 #16 0x00007f6199e09374 in dcesrv_request (call=0x5629534474b0) at ../../librpc/rpc/dcesrv_core.c:1957 #17 dcesrv_process_ncacn_packet (blob=..., pkt=<optimized out>, dce_conn=0x562953455100) at ../../librpc/rpc/dcesrv_core.c:2381 #18 dcesrv_loop_next_packet (dce_conn=0x562953455100, pkt=<optimized out>, buffer=...) at ../../librpc/rpc/dcesrv_core.c:2923 #19 0x00007f6199e0a208 in dcesrv_read_fragment_done (subreq=<optimized out>) at ../../librpc/rpc/dcesrv_core.c:2901 #20 0x00007f61993abde7 in dcerpc_read_ncacn_packet_done (subreq=<optimized out>) at ../../librpc/rpc/dcerpc_util.c:630 #21 0x00007f6199ded1d0 in tstream_readv_pdu_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket_helpers.c:320 #22 0x00007f6199debf6a in tstream_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket.c:604 #23 0x00007f619a0b0a62 in tevent_common_invoke_immediate_handler (im=0x56295343fb40, removed=removed@entry=0x0) at ../../lib/tevent/tevent_immediate.c:190 #24 0x00007f619a0b0a8a in tevent_common_loop_immediate (ev=ev@entry=0x56295341d9a0) at ../../lib/tevent/tevent_immediate.c:236 #25 0x00007f619a0b68bc in epoll_event_loop_once (ev=0x56295341d9a0, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:919 #26 0x00007f619a0b4c27 in std_event_loop_once (ev=0x56295341d9a0, location=0x7f6199d1ce00 "../../source3/rpc_server/rpc_worker.c:1199") at ../../lib/tevent/tevent_standard.c:114 #27 0x00007f619a0af8a4 in _tevent_loop_once (ev=ev@entry=0x56295341d9a0, location=location@entry=0x7f6199d1ce00 "../../source3/rpc_server/rpc_worker.c:1199") at ../../lib/tevent/tevent.c:828 #28 0x00007f6199d194ca in rpc_worker_main (argc=<optimized out>, argv=<optimized out>, daemon_config_name=daemon_config_name@entry=0x562952dae8a1 "rpcd_classic", num_workers=num_workers@entry=5, idle_seconds=idle_seconds@entry=60, get_interfaces=get_interfaces@entry=0x562952d56a50 <classic_interfaces>, get_servers=0x562952d56a60 <classic_servers>, private_data=0x0) at ../../source3/rpc_server/rpc_worker.c:1199 #29 0x0000562952cabcfc in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/rpc_server/rpcd_classic.c:93 ``` (gdb) p iServiceIndex $1 = 1 (gdb) p ServicePtrs[iServiceIndex] $2 = (struct loadparm_service *) 0x0 ``` So it's pretty clear that the current service slot is NULL. This NULL gets passed to lpcfg_service_ok() and crashes. If we skip this check in case of a NULL slot and move along to `add_a_service()` then the NULL slot will be used appropriately and we should be fine. This ticket is to get a bug number for a merge request.
https://gitlab.com/samba-team/samba/-/merge_requests/2856
This bug was referenced in samba master: 5b19288949e97a5af742ff2719992d56f21e364a
Created attachment 17708 [details] git-am fix for 4.17.next, 4.16.next. Cherry-picked from master.
Reassiging to Jule for inclusion in 4.16 and 4.17.
Pushed to autobuild-v4-{17,16}-test.
This bug was referenced in samba v4-16-test: 810ae90aa6c34694c692015bb9f47f56ada811d2
This bug was referenced in samba v4-17-test: 72e6fff0e5f61ad4f0d636bcd212120805577032
Closing out bug report. Thanks!
This bug was referenced in samba v4-17-stable (Release samba-4.17.5): 72e6fff0e5f61ad4f0d636bcd212120805577032
This bug was referenced in samba v4-16-stable (Release samba-4.16.9): 810ae90aa6c34694c692015bb9f47f56ada811d2