Bug 16062 - net & winbindd : buffer overflow detected; terminated in 4.24.1 & 4.23.7 but not in 4.23.6
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.24.1
Hardware: x64 FreeBSD
Importance: P5 normal
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2026-04-22 20:27 UTC by Peter Eriksson
Modified: 2026-04-24 15:42 UTC

See Also:
Description Peter Eriksson 2026-04-22 20:27:29 UTC
FreeBSD 15.0-RELEASE-p5.

Also occurs in winbindd. Does not occur with Samba 4.23.5.


Stack backtrace from core dump of net:

(gdb) bt
#0  0x00000008658b7e2a in kill () from /lib/libsys.so.7
#1  0x00000008418f2be0 in ?? () from /lib/libc.so.7
#2  0x00000008418f2c00 in __chk_fail () from /lib/libc.so.7
#3  0x0000000846205998 in recvfrom (s=<optimized out>, buf=<optimized out>, len=<optimized out>, flags=0, from=<optimized out>, 
    fromlen=<optimized out>) at /usr/include/ssp/socket.h:84
#4  tdgram_bsd_recvfrom_handler (private_data=<optimized out>) at ../../lib/tsocket/tsocket_bsd.c:1072
#5  0x00000008462054c3 in tdgram_bsd_fde_handler (ev=<optimized out>, fde=<optimized out>, flags=1, private_data=<optimized out>)
    at ../../lib/tsocket/tsocket_bsd.c:812
#6  0x00000008236d3886 in tevent_common_invoke_fd_handler (fde=fde@entry=0x33e55f72e260, flags=<optimized out>, removed=removed@entry=0x0)
    at ../../lib/tevent/tevent_fd.c:174
#7  0x00000008236d66fd in poll_event_loop_poll (ev=0x33e55f674660, tvalp=0x8209361d0) at ../../lib/tevent/tevent_poll.c:606
#8  poll_event_loop_once (ev=0x33e55f674660, location=<optimized out>) at ../../lib/tevent/tevent_poll.c:661
#9  0x00000008236d2bd3 in _tevent_loop_once (ev=ev@entry=0x33e55f674660, location=location@entry=0x8236d9e60 "../../lib/tevent/tevent_req.c:342")
    at ../../lib/tevent/tevent.c:860
#10 0x00000008236d4b4b in tevent_req_poll (req=req@entry=0x33e55f683e80, ev=ev@entry=0x33e55f674660) at ../../lib/tevent/tevent_req.c:342
#11 0x0000000829fcf963 in tevent_req_poll_ntstatus (req=req@entry=0x33e55f683e80, ev=ev@entry=0x33e55f674660, status=status@entry=0x8209362e4)
    at ../../lib/util/tevent_ntstatus.c:109
#12 0x00000008260e68da in ads_dns_query_srv (mem_ctx=mem_ctx@entry=0x33e55f609980, async_dns_timeout=<optimized out>, 
    sitename=sitename@entry=0x33e55f61fc20 "LiU", query=query@entry=0x33e55f6d05e0 "_ldap._tcp.dc._msdcs.AD.LIU.SE", srvs=srvs@entry=0x820936360, 
    num_srvs=num_srvs@entry=0x820936368) at ../../lib/addns/dnsquery_srv.c:511
#13 0x000000083df7f93e in resolve_ads (ctx=0x33e55f609980, name=name@entry=0x33e55f61fa60 "AD.LIU.SE", name_type=name_type@entry=28, 
    sitename=sitename@entry=0x33e55f61fc20 "LiU", return_addrs=return_addrs@entry=0x820936458, return_count=return_count@entry=0x820936450)
    at ../../source3/libsmb/namequery.c:2571
#14 0x000000083df83b69 in internal_resolve_name (ctx=ctx@entry=0x33e55f609920, name=name@entry=0x33e55f61fa60 "AD.LIU.SE", 
    name_type=name_type@entry=28, sitename=sitename@entry=0x33e55f61fc20 "LiU", return_salist=return_salist@entry=0x820936628, 
    return_count=return_count@entry=0x820936638, resolve_order=<optimized out>) at ../../source3/libsmb/namequery.c:2846
#15 0x000000083df84667 in get_dc_list (ctx=ctx@entry=0x33e55f6095c0, domain=domain@entry=0x33e55f61fa60 "AD.LIU.SE", 
    sitename=sitename@entry=0x33e55f61fc20 "LiU", sa_list_ret=sa_list_ret@entry=0x820936788, ret_count=ret_count@entry=0x820936790, 
    lookup_type=lookup_type@entry=DC_ADS_ONLY, ordered=0x820936787) at ../../source3/libsmb/namequery.c:3327
#16 0x000000083df857dc in get_sorted_dc_list (ctx=0x33e55f6095c0, domain=domain@entry=0x33e55f61fa60 "AD.LIU.SE", 
    sitename=sitename@entry=0x33e55f61fc20 "LiU", sa_list_ret=sa_list_ret@entry=0x8209367f0, ret_count=ret_count@entry=0x8209367e8, 
    ads_only=ads_only@entry=true) at ../../source3/libsmb/namequery.c:3542
#17 0x0000000830d622b5 in resolve_and_ping_dns (ads=ads@entry=0x33e55f61b260, sitename=sitename@entry=0x33e55f61fc20 "LiU", 
    realm=realm@entry=0x33e55f61fa60 "AD.LIU.SE") at ../../source3/libads/ldap.c:687
#18 0x0000000830d6887a in ads_find_dc (ads=0x33e55f61b260) at ../../source3/libads/ldap.c:790
#19 ads_connect_internal (ads=0x33e55f61b260, creds=creds@entry=0x0) at ../../source3/libads/ldap.c:969
#20 0x0000000830d691ab in ads_connect_cldap_only (ads=<optimized out>) at ../../source3/libads/ldap.c:1149
#21 0x0000000000423adb in ads_startup_int (c=c@entry=0x33e55f6182e0, only_own_domain=only_own_domain@entry=false, auth_flags=auth_flags@entry=2, 
    mem_ctx=mem_ctx@entry=0x33e55f6095c0, ads_ret=ads_ret@entry=0x820936be8) at ../../source3/utils/net_ads.c:701
#22 0x0000000000429e86 in ads_startup_nobind (c=c@entry=0x33e55f6182e0, only_own_domain=only_own_domain@entry=false, 
    mem_ctx=mem_ctx@entry=0x33e55f6095c0, ads=ads@entry=0x820936be8) at ../../source3/utils/net_ads.c:754
#23 0x000000000042ad2f in net_ads_info (c=0x33e55f6182e0, argc=<optimized out>, argv=<optimized out>) at ../../source3/utils/net_ads.c:613
#24 0x0000000000462be1 in net_run_function (c=0x33e55f6182e0, argc=1, argv=0x33e55f60bbd0, whoami=whoami@entry=0x4a54b3 "net ads", 
    table=table@entry=0x820936cf0) at ../../source3/utils/net_util.c:451
#25 0x000000000042b27e in net_ads (c=<optimized out>, argc=<optimized out>, argv=<optimized out>) at ../../source3/utils/net_ads.c:3902
#26 0x0000000000462be1 in net_run_function (c=c@entry=0x33e55f6182e0, argc=argc@entry=2, argv=argv@entry=0x33e55f60bbc8, 
    whoami=whoami@entry=0x4a43fc "net", table=table@entry=0x4f7f00 <net_func>) at ../../source3/utils/net_util.c:451
#27 0x00000000004238bb in main (argc=3, argv=0x820937d60) at ../../source3/utils/net.c:1495
(gdb) 


Stack backtrace of coredump from winbindd:
(gdb) bt
#0  0x0000000863904e2a in kill () from /lib/libsys.so.7
#1  0x0000000841c94be0 in ?? () from /lib/libc.so.7
#2  0x0000000841c94c00 in __chk_fail () from /lib/libc.so.7
#3  0x000000000044db88 in make_internal_dcesrv_connection (mem_ctx=<optimized out>, ndr_table=<optimized out>, ncacn_conn=<optimized out>, 
    _out=<synthetic pointer>) at ../../source3/winbindd/winbindd_dual_ndr.c:431
#4  winbindd_dual_ndrcmd (domain=<optimized out>, state=<optimized out>) at ../../source3/winbindd/winbindd_dual_ndr.c:612
#5  0x0000000000448c63 in winbindd_child_msg_filter (rec=0x820bd1f30, private_data=<optimized out>) at ../../source3/winbindd/winbindd_dual.c:963
#6  0x000000082410d846 in tevent_common_invoke_fd_handler (fde=0x0, fde@entry=0x121c7932d160, flags=<optimized out>, removed=0x121c7921afe0, 
    removed@entry=0x0) at ../../lib/tevent/tevent_fd.c:174
#7  0x00000008241106bd in poll_event_loop_poll (ev=0x121c79274060, tvalp=0x820bd1e60) at ../../lib/tevent/tevent_poll.c:606
#8  poll_event_loop_once (ev=0x121c79274060, location=<optimized out>) at ../../lib/tevent/tevent_poll.c:661
#9  0x000000082410cb93 in _tevent_loop_once (ev=0x121c79274060, location=0x497948 "up' mode.\n") at ../../lib/tevent/tevent.c:860
#10 0x000000000044ccb4 in wb_child_request_waited (subreq=0x497948) at ../../source3/winbindd/winbindd_dual.c:286
#11 0x000000000044ce2d in wbint_bh_disconnect_send (mem_ctx=0x121c79284760, ev=0x2, h=0x121c79284580)
    at ../../source3/winbindd/winbindd_dual_ndr.c:257
#12 0x000000082410e85d in _tevent_req_notify_callback (req=req@entry=0x121c79286880, 
    location=location@entry=0x824113ad8 "../../lib/tevent/tevent_queue.c:429") at ../../lib/tevent/tevent_req.c:177
#13 0x000000082410e916 in tevent_req_finish (req=0x121c79286880, state=state@entry=TEVENT_REQ_DONE, 
    location=location@entry=0x824113ad8 "../../lib/tevent/tevent_queue.c:429") at ../../lib/tevent/tevent_req.c:234
#14 0x000000082410e930 in _tevent_req_done (req=<optimized out>, location=location@entry=0x824113ad8 "../../lib/tevent/tevent_queue.c:429")
    at ../../lib/tevent/tevent_req.c:240
#15 0x000000082410dffc in tevent_queue_wait_trigger (req=<optimized out>, private_data=<optimized out>) at ../../lib/tevent/tevent_queue.c:429
#16 0x000000082410e0b2 in tevent_queue_immediate_trigger (ev=ev@entry=0x121c79274060, im=im@entry=0x121c79268f40, 
    private_data=private_data@entry=0x121c79265040) at ../../lib/tevent/tevent_queue.c:167
#17 0x000000082410ddc3 in tevent_common_invoke_immediate_handler (im=0x121c79268f40, removed=removed@entry=0x0)
    at ../../lib/tevent/tevent_immediate.c:190
#18 0x000000082410ddec in tevent_common_loop_immediate (ev=ev@entry=0x121c79274060) at ../../lib/tevent/tevent_immediate.c:236
#19 0x00000008241100bf in poll_event_loop_once (ev=0x121c79274060, location=<optimized out>) at ../../lib/tevent/tevent_poll.c:652
#20 0x000000082410cb93 in _tevent_loop_once (ev=0x121c79274060, location=0x4b5588 "../../source3/winbindd/winbindd.c:1114")
    at ../../lib/tevent/tevent.c:860
#21 0x000000000047ae31 in dcerpc_samr_chgpasswd_user (h=0x3088, mem_ctx=0x6, user_handle=0x0, 
    newpassword=0x863904caa <getpid+10> "\017\202x\376\377\377\303", '\314' <repeats 14 times>, "ΜΈ\025", oldpassword=0x0, presult=0x0)
    at ../../source3/rpc_client/cli_samr.c:44
#22 0x0000000841be337f in __libc_start1 () from /lib/libc.so.7
#23 0x000000000041ad24 in register_tm_clones ()
#24 0x0000000000000000 in ?? ()
Comment 1 Peter Eriksson 2026-04-23 21:48:32 UTC
Ok, now I understand what is happening... 

It's the enabling of _FORTIFY_SOURCE=3 in 4.24.1 and 4.23.7 (buildtools/wafsamba/samba_autoconf.py) that is causing havoc on FreeBSD. 

FreeBSD has an implementation of FORTIFY_SOURCE, however it does not seem to support level 3, and thus handles this the same as level 2. Which doesn't work...

Forcing _FORTIFY_SOURCE=1 seems to work but I'm not sure how useful that is compared to just disabling it...
Comment 2 Andreas Schneider 2026-04-24 11:56:53 UTC
This sounds more like a FreeBSD bug. Their header files should handle it and set 1 if it is the only one they support.
Comment 3 Andreas Schneider 2026-04-24 12:23:50 UTC
You should be able to override it with CFLAGS=
Comment 4 Peter Eriksson 2026-04-24 15:42:13 UTC
(In reply to Andreas Schneider from comment #2)

They do support 1 or >1 (=2). However, with 2 it uses hardcoded sizes..

The reason for the crash in recvfrom() is that on FreeBSD the 'struct sockaddr' definition is the old classical one:

struct sockaddr {
        unsigned char   sa_len;         /* total length */
        sa_family_t     sa_family;      /* address family */
        char            sa_data[14];    /* actually longer; address value */
};

whereas Linux uses:

struct sockaddr {
        sa_family_t     sa_family;      /* address family, AF_xxx       */
        union {
                char sa_data_min[14];           /* Minimum 14 bytes of protocol address */
                DECLARE_FLEX_ARRAY(char, sa_data);
        };
};


and the code in lib/tsocket/tsocket_bsd.c:tdgram_bsd_recvfrom_handler() uses:

        ZERO_STRUCTP(bsda);
        bsda->sa_socklen = sizeof(bsda->u.ss);
#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
        bsda->u.sa.sa_len = bsda->sa_socklen;
#endif

        ret = recvfrom(bsds->fd, state->buf, state->len, 0,
                       &bsda->u.sa, &bsda->sa_socklen);


and thus it will fail due to sizeof(bsda->u.sa) < bsda->sa_socklen...

One could fix this with adding a 'char dummy[]' array to the definition of struct sockaddr in BSD's header files probably.

Or use (struct sockaddr *) &bsda->u.ss instead of ->u.sa probably...

Hmm.. :-)
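To make the size bookkeeping in the comment above concrete, here is a small C program added for illustration (it is not Samba or FreeBSD code). It assumes the fortified recvfrom() wrapper compares __builtin_object_size() of the address argument (mode 0 at level 1, mode 1 at level 2 or higher) against *fromlen; under that assumption it shows why passing &bsda->u.sa trips the check at level 2 while (struct sockaddr *)&bsda->u.ss does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

/* Same shape as the address union tsocket_bsd.c hands to recvfrom():
 * a generic 'struct sockaddr' view over a full sockaddr_storage. */
union sockaddr_view {
	struct sockaddr sa;
	struct sockaddr_storage ss;
};

/* Assumed shape of the check in a fortified recvfrom() wrapper: fail
 * (__chk_fail) when the compile-time size of the object behind 'from'
 * is smaller than the length the caller advertises in *fromlen. */
static bool fortify_would_abort(size_t from_object_size, socklen_t fromlen)
{
	return from_object_size < (size_t)fromlen;
}

/* Object size the wrapper sees for &u.sa, the argument tsocket passes.
 * Level 1 uses mode 0 (whole enclosing object, i.e. the union);
 * level 2 uses mode 1 (closest subobject, i.e. struct sockaddr). */
static size_t bos_sa(int fortify_level)
{
	static union sockaddr_view u;
	return fortify_level > 1 ? __builtin_object_size(&u.sa, 1)
				 : __builtin_object_size(&u.sa, 0);
}

/* Object size for the suggested alternative, (struct sockaddr *)&u.ss:
 * the closest subobject is now the whole sockaddr_storage. */
static size_t bos_ss(int fortify_level)
{
	static union sockaddr_view u;
	return fortify_level > 1
		? __builtin_object_size((struct sockaddr *)&u.ss, 1)
		: __builtin_object_size((struct sockaddr *)&u.ss, 0);
}

int main(void)
{
	socklen_t fromlen = sizeof(struct sockaddr_storage); /* = sa_socklen */
	for (int level = 1; level <= 2; level++)
		printf("_FORTIFY_SOURCE=%d: &u.sa size %zu abort=%d; "
		       "&u.ss size %zu abort=%d\n", level,
		       bos_sa(level), fortify_would_abort(bos_sa(level), fromlen),
		       bos_ss(level), fortify_would_abort(bos_ss(level), fromlen));
	return 0;
}
```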