Bug 16017 - Samba and testparm crashes with bad talloc magic value - access after free with smb ports in config
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.22.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2026-03-07 07:27 UTC by Thomas Orgis
Modified: 2026-03-07 08:26 UTC (History)
Description Thomas Orgis 2026-03-07 07:27:49 UTC
Trying to configure samba to use a different port using the old-style syntax

smb ports = tcp:1445

leads to instant crash on samba server and testparm:

$ testparm  /dev/shm/smb-crash.conf 
Load smb config files from /dev/shm/smb-crash.conf
Error loading services.
talloc: access after free error - first free may be at lib/param/loadparm.c:1378
Bad talloc magic value - access after free
===============================================================
INTERNAL ERROR: Bad talloc magic value - access after free in testparm () () pid 3990067 (4.22.6-Debian-4.22.6+dfsg-0+deb13u1)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 3990067): Bad talloc magic value - access after free in 4.22.6-Debian-4.22.6+dfsg-0+deb13u1
BACKTRACE: 8 stack frames:
 #0 /usr/lib/x86_64-linux-gnu/samba/libgenrand-private-samba.so.0(log_stack_trace+0x2d) [0x7f737aa435bd]
 #1 /usr/lib/x86_64-linux-gnu/samba/libgenrand-private-samba.so.0(smb_panic+0xd) [0x7f737aa4385d]
 #2 /lib/x86_64-linux-gnu/libtalloc.so.2(+0x3467) [0x7f737b08e467]
 #3 /lib/x86_64-linux-gnu/libsmbconf.so.0(+0x43fc0) [0x7f737b0dbfc0]
 #4 testparm(main+0x6c9) [0x5641631cafd9]
 #5 /lib/x86_64-linux-gnu/libc.so.6(+0x29ca8) [0x7f737adb8ca8]
 #6 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7f737adb8d65]
 #7 testparm(_start+0x21) [0x5641631cc8d1]
Can not dump core: corepath not set up

On Debian trixie with 4.22, it is possible to use the new-style syntax

server smb transports = tcp:1445

which seems to work (did not test actual operation). But on Debian bookworm, that is not supported
and one simply cannot start a samba instance on a different port.

Config to reproduce:

[global]
security = user
map to guest = Bad Password
server role = standalone server
#server smb transports = tcp:1445
smb ports = tcp:1445
Comment 1 Andrew Bartlett 2026-03-07 08:16:49 UTC
We shouldn't crash, so thanks for logging the bug, but to be clear the old syntax would be "smb ports = 1445"
Comment 2 Thomas Orgis 2026-03-07 08:26:41 UTC
Oh, right. It does not crash without the tcp:. I came from the docs for newer samba, noticed that the samba in Debian bookworm doesn't support that and then went on to just replace the key to 'smb ports', as the smb.conf man page said:

This is a synonym for server smb transports.

Of course, I should have referred to the old man page on the very system I was working on, where it says that the values are plain port numbers.

So this is simply a bug in not throwing a nice error message about unsupported syntax for older samba, but maybe also a bug in the man page, as it claims that smb ports is a synonym. So I would assume it takes the same values.

Yeah, the crash should be fixed, obviously, but also a hint in the documentation about the differing syntax for smb ports and server smb transports would be good to avoid the mistake I made.
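
A pre-flight check for the configuration mistake discussed in this report, as an added example that is not part of the bug thread or of Samba's code: it flags any "smb ports" value that is not a plain port number, following the old syntax stated in comment 1. The function name lint_smb_ports, the token separators (whitespace or commas) and the embedded sample config (the reporter's reproducer) are assumptions made for the example.

```python
import re

# Constructed sample: the reproducer config from the bug description.
SAMPLE_CONF = """\
[global]
security = user
map to guest = Bad Password
server role = standalone server
#server smb transports = tcp:1445
smb ports = tcp:1445
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def lint_smb_ports(conf_text):
    """Return (line_no, token, reason) for each bad 'smb ports' value."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments (# or ;) and section headers.
        if not line or line[0] in "#;" or line.startswith("["):
            continue
        name, sep, value = line.partition("=")
        if not sep or _norm(name) != "smbports":
            continue
        # Assumption: list values are separated by whitespace or commas.
        tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
        if not tokens:
            findings.append((line_no, "", "empty value"))
        for tok in tokens:
            if not re.fullmatch(r"[0-9]+", tok):
                # Catches transport-prefixed values such as tcp:1445.
                findings.append((line_no, tok, "not a plain port number"))
            elif not 1 <= int(tok) <= 65535:
                findings.append((line_no, tok, "port out of range"))
    return findings

if __name__ == "__main__":
    for line_no, tok, reason in lint_smb_ports(SAMPLE_CONF):
        print(f"line {line_no}: smb ports value {tok!r}: {reason}")
```

Running it against a config before handing the file to testparm or the server reports the offending line instead of relying on the daemon's parser to reject it.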