Bug 1540 - Call to memdup() in load_interfaces picks up fn from SNMP
Summary: Call to memdup() in load_interfaces picks up fn from SNMP
Status: RESOLVED DUPLICATE of bug 1539
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.0
Hardware: All Linux
: P3 minor
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-07-18 22:56 UTC by Mitch Davis
Modified: 2004-07-19 01:37 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mitch Davis 2004-07-18 22:56:04 UTC
Hello,

Recently, ethereal started crashing on startup.
I traced it down to a memory dereference error in
the samba wins NSS libraries: one argument of strcmp
is bogus.

Program received signal SIGSEGV, Segmentation fault.
0x4207fa78 in strcmp () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207fa78 in strcmp () from /lib/i686/libc.so.6
#1  0x40466a8e in ms_fnmatch_lanman1 (pattern=0xbfffeff0 "eth0",
    string=0xffffffff <Address 0xffffffff out of bounds>)
    at lib/ms_fnmatch.c:117
#2  0x40466b98 in ms_fnmatch (pattern=0xbfffeff0 "eth0",
    string=0xffffffff <Address 0xffffffff out of bounds>)
    at lib/ms_fnmatch.c:145
#3  0x404431d2 in interpret_interface (token=0xbfffeff0 "eth0")
    at lib/interface.c:110
#4  0x40443853 in load_interfaces () at lib/interface.c:212
#5  0x40412b2f in nss_wins_init () at nsswitch/wins.c:89
#6  0x40412c14 in lookup_byname_backend (name=0x882ff78 "eng02",
    count=0xbffff164) at nsswitch/wins.c:124
#7  0x40412d8a in _nss_wins_gethostbyname_r (name=0x882ff78 "eng02",
    he=0x42132dc0, buffer=0x8830ee8 "\n", buflen=1024, errnop=0x42130b60,
    h_errnop=0xbffff1e8) at nsswitch/wins.c:287
#8  0x420f83f1 in gethostbyname_r@@GLIBC_2.1.2 () from /lib/i686/libc.so.6
#9  0x420f7dbd in gethostbyname () from /lib/i686/libc.so.6
#10 0x402f82b4 in XUnlockDisplay () from /usr/X11R6/lib/libX11.so.6
#11 0x402f956e in _X11TransConnect () from /usr/X11R6/lib/libX11.so.6
#12 0x402c06d6 in _X11TransConnectDisplay () from /usr/X11R6/lib/libX11.so.6
#13 0x402cf43b in XOpenDisplay () from /usr/X11R6/lib/libX11.so.6
#14 0x40241b13 in gdk_init_check () from /usr/lib/libgdk-1.2.so.0
#15 0x4019cca2 in gtk_init_check () from /usr/lib/libgtk-1.2.so.0
---Type <return> to continue, or q <return> to quit---q

I traced this further up the stack, and the bogus
value comes from a failed call to memdup in
load_interfaces():  (This is from the 3.0 version of Samba)

  http://samba.org/doxygen/samba/lib_2interface_8c-source.html

00184         /* probe the kernel for interfaces */
00185         total_probed = get_interfaces(ifaces, MAX_INTERFACES);
00186 
00187         if (total_probed > 0) {
>>>>>>>>>>> 00188                 probed_ifaces = memdup(ifaces, sizeof(ifaces
[0])*total_probed);
00189         }
00190 
00191         /* if we don't have a interfaces line then use all broadcast 
capable 
00192            interfaces except loopback */
00193         if (!ptr || !*ptr || !**ptr) {
00194                 if (total_probed <= 0) {
00195                         DEBUG(0,("ERROR: Could not determine network 
interfaces, you must use a interfaces config line\n"));
00196                         exit(1);
00197                 }
00198                 for (i=0;i<total_probed;i++) {
00199                         if (probed_ifaces[i].netmask.s_addr != 
allones_ip.s_addr &&
00200                             probed_ifaces[i].ip.s_addr != 
loopback_ip.s_addr) {

The first problem is that the result of this allocation is not
checked.  (Someone else found this bug in 2001 but it was never fixed:)

  http://lists.samba.org/archive/samba-technical/2001-August/000485.html

The second problem is that on my machine, ethereal is linked against
the SNMP libraries, which also have a memdup() fn.  You can see
from below that something is causing samba to call the SNMP memdup
instead of the lib/util.c memdup.  Since the arguments are different,
the call fails.

Here are the startup libraries for ethereal.  Note,
libnss_wins.so does not appear here - the NSS routines
bring them in later.  I think might be why memcmp is
coming from the SNMP libs in preference to libnss_wins.so.

[root@p26 samba]# ldd /usr/sbin/ethereal
        libsnmp.so.0 => /usr/lib/libsnmp.so.0 (0x4002a000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x40085000)
        libpcap.so.0.6.2 => /usr/lib/libpcap.so.0.6.2 (0x40148000)
        libgtk-1.2.so.0 => /usr/lib/libgtk-1.2.so.0 (0x40163000)
        libgdk-1.2.so.0 => /usr/lib/libgdk-1.2.so.0 (0x40291000)
        libgmodule-1.2.so.0 => /usr/lib/libgmodule-1.2.so.0 (0x402c6000)
        libglib-1.2.so.0 => /usr/lib/libglib-1.2.so.0 (0x402c9000)
        libdl.so.2 => /lib/libdl.so.2 (0x402ee000)
        libXi.so.6 => /usr/X11R6/lib/libXi.so.6 (0x402f1000)
        libXext.so.6 => /usr/X11R6/lib/libXext.so.6 (0x402f9000)
        libX11.so.6 => /usr/X11R6/lib/libX11.so.6 (0x40306000)
        libm.so.6 => /lib/i686/libm.so.6 (0x403db000)
        libz.so.1 => /usr/lib/libz.so.1 (0x403fd000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[root@p26 samba]#

p26 [~/rpms] nm /usr/lib/libsnmp.so.0 | grep memdup
0003b240 T memdup
p26 [~/rpms] nm /lib/libnss_wins.so | grep memdup
00063254 T memdup
00063168 T smb_xmemdup
0006772c T talloc_memdup

This computer is running Red Hat 7.2, and the version of Samba is
2.2.9 from Red Hat: "samba-2.2.7-3.7.3.src.rpm", but I believe the
problem would exist on a more modern version of Linux, and with
Samba v3.  We use winbind etc to allow users to log in with their
windows usernames.

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/EXTEL.COM.AU/mitch_davis/rpms/BUILD/ethereal-
0.9.16/ethereal

Breakpoint 9, load_interfaces () at lib/interface.c:191
191                     probed_ifaces = memdup(ifaces, sizeof(ifaces[0])
*total_probed);
(gdb) s
memdup (to=0xbfffe3e0, from=0x48 <Address 0x48 out of bounds>, size=3221221640)
    at /home/users/r/rs/rstory/src/net-snmp-5.0.7/snmplib/tools.c:210
210     /home/users/r/rs/rstory/src/net-snmp-5.0.7/snmplib/tools.c: No such 
file or directory.
        in /home/users/r/rs/rstory/src/net-snmp-5.0.7/snmplib/tools.c
(gdb)

Although I don't think it's the correct fix, I can make the problem
go away with this patch:

--- samba-2.2.7/source/include/proto.h.memdup   Mon Jul 19 14:32:29 2004
+++ samba-2.2.7/source/include/proto.h  Mon Jul 19 14:33:20 2004
@@ -552,7 +552,8 @@
 void *smb_xmemdup(const void *p, size_t size);
 char *smb_xstrdup(const char *s);
 int smb_xvasprintf(char **ptr, const char *format, va_list ap);
-void *memdup(void *p, size_t size);
+void *samba_memdup(void *p, size_t size);
+#define memdup(p, size) samba_memdup(p, size)
 char *myhostname(void);
 char *lock_path(char *name);
 char *pid_path(char *name);

This disambiguates the memdup reference, without
altering the calling code.

Hope this helps,

Mitch.
Comment 1 Mitch Davis 2004-07-18 23:05:57 UTC
Oops, duplicate of 1539.  Don't know what happened.. :-(
Comment 2 Guenther Deschner 2004-07-19 01:37:59 UTC

*** This bug has been marked as a duplicate of 1539 ***