After FORTIFY_SOURCE was added for bug 16040, which landed in Samba 4.23.7, the FreeBSD net/samba423 port started crashing quite soon after startup:

#0 kill () at kill.S:4
#1 0x0000000800ccb121 in __fail (msg=0x800bd0a20 "buffer overflow detected; terminated") at /usr/src/lib/libc/secure/libc_stack_protector.c:119
#2 0x0000000800ccb140 in __chk_fail () at /usr/src/lib/libc/secure/libc_stack_protector.c:132
#3 0x0000000800ccaf03 in __strncpy_chk (dst=0x217a <error: Cannot access memory at address 0x217a>, src=0x6 <error: Cannot access memory at address 0x6>, len=0, slen=<optimized out>) at /usr/src/lib/libc/secure/strncpy_chk.c:50
#4 0x0000000800586825 in __strncpy_ichk (dst=0x7fffffffc2d5 "", src=0x7fffffffc2db "org.netatalk.Metadata$org.netatalk.has-Extended-Attributes", len=21) at /usr/include/ssp/string.h:120
#5 bsd_attr_list (type=0, arg=..., list=0x7fffffffc2d5 "", size=1024) at ../../lib/replace/xattr.c:284
#6 0x00000008005863df in rep_listxattr (path=0x7fffffffc0a5 "/var/run/samba4/fd/28", list=0x7fffffffc2d0 "user.", size=1024) at ../../lib/replace/xattr.c:379
#7 0x0000000800653de6 in vfswrap_flistxattr (handle=0x803874940, fsp=0x803885ca0, list=0x7fffffffc2d0 "user.", size=1024) at ../../source3/modules/vfs_default.c:3897
#8 0x00000008006d04a9 in smb_vfs_call_flistxattr (handle=0x803874940, fsp=0x803885ca0, list=0x7fffffffc2d0 "user.", size=1024) at ../../source3/smbd/vfs.c:2651
#9 0x00000008157d5808 in streams_xattr_flistxattr (handle=0x803874a80, fsp=0x803885ca0, list=0x7fffffffc2d0 "user.", size=1024) at ../../source3/modules/vfs_streams_xattr.c:1433
#10 0x00000008006d04a9 in smb_vfs_call_flistxattr (handle=0x803874a80, fsp=0x803885ca0, list=0x7fffffffc2d0 "user.", size=1024) at ../../source3/smbd/vfs.c:2651
#11 0x000000081580fa50 in catia_flistxattr (handle=0x8038748a0, fsp=0x803885ca0, list=0x7fffffffc2d0 "user.", size=1024) at ../../source3/modules/vfs_catia.c:1155
#12 0x00000008006d04a9 in smb_vfs_call_flistxattr (handle=0x8038748a0, fsp=0x803885ca0, list=0x7fffffffc2d0 "user.", size=1024) at ../../source3/smbd/vfs.c:2651
#13 0x000000080068781e in get_ea_names_from_fsp (mem_ctx=0x80bb26200, fsp=0x803885ca0, pnames=0x7fffffffc758, pnum_names=0x7fffffffc760) at ../../source3/smbd/smb2_trans2.c:275
#14 0x000000080068809a in get_ea_list_from_fsp (mem_ctx=0x80bb26200, fsp=0x803885ca0, pea_total_len=0x7fffffffc8d0, ea_list=0x7fffffffc8c8) at ../../source3/smbd/smb2_trans2.c:397
#15 0x0000000800687e9f in estimate_ea_size (fsp=0x803885ca0) at ../../source3/smbd/smb2_trans2.c:647
#16 0x000000080069878d in smbd_do_qfilepathinfo (conn=0x803882ae0, mem_ctx=0x803898160, req=0x80387da60, info_level=65298, fsp=0x803885ca0, smb_fname=0x80381ba00, delete_pending=false, ea_list=0x0, flags2=8, max_data_bytes=1124, fixed_portion=0x7fffffffd0f8, ppdata=0x7fffffffd120, pdata_size=0x7fffffffd11c) at ../../source3/smbd/smb2_trans2.c:3464
#17 0x00000008007380b7 in smbd_smb2_getinfo_send (mem_ctx=0x803898d60, ev=0x803882060, smb2req=0x803898d60, fsp=0x803885ca0, in_info_type=1 '\001', in_file_info_class=18 '\022', in_output_buffer_length=1124, in_input_buffer=..., in_additional_information=0, in_flags=0) at ../../source3/smbd/smb2_getinfo.c:412
#18 0x0000000800737723 in smbd_smb2_request_process_getinfo (req=0x803898d60) at ../../source3/smbd/smb2_getinfo.c:125
#19 0x000000080070349e in smbd_smb2_request_dispatch (req=0x803898d60) at ../../source3/smbd/smb2_server.c:3665
#20 0x00000008007050b8 in smbd_smb2_request_dispatch_immediate (ctx=0x803882060, im=0x0, private_data=0x803898d60) at ../../source3/smbd/smb2_server.c:4009
#21 0x0000000800b6b4ae in tevent_common_invoke_immediate_handler () from /usr/local/lib/libtevent.so.0
#22 0x0000000800b6b579 in tevent_common_loop_immediate () from /usr/local/lib/libtevent.so.0
#23 0x0000000800b6dc63 in poll_event_loop_once () from /usr/local/lib/libtevent.so.0
#24 0x0000000800b69c9a in _tevent_loop_once () from /usr/local/lib/libtevent.so.0
#25 0x0000000800b69f22 in tevent_common_loop_wait () from /usr/local/lib/libtevent.so.0
#26 0x00000008006e5d22 in smbd_process (ev_ctx=0x803882060, msg_ctx=0x803876140, sock_fd=27, interactive=true, transport_type=SMB_TRANSPORT_TYPE_TCP) at ../../source3/smbd/smb2_process.c:2178
#27 0x000000000040e3b1 in smbd_accept_connection (ev=0x803882060, fde=0x803901e60, flags=1, private_data=0x803873540) at ../../source3/smbd/server.c:1080
#28 0x0000000800b6afbe in tevent_common_invoke_fd_handler () from /usr/local/lib/libtevent.so.0
#29 0x0000000800b6e3fc in poll_event_loop_once () from /usr/local/lib/libtevent.so.0
#30 0x0000000800b69c9a in _tevent_loop_once () from /usr/local/lib/libtevent.so.0
#31 0x0000000800b69f22 in tevent_common_loop_wait () from /usr/local/lib/libtevent.so.0
#32 0x000000000040b16b in smbd_parent_loop (ev_ctx=0x803882060, parent=0x80387d060) at ../../source3/smbd/server.c:1555
#33 0x00000000004089b9 in main (argc=2, argv=0x7fffffffe7b0) at ../../source3/smbd/server.c:2582

It turns out that bsd_attr_list() does a number of overlapping strncpy() calls, and this is undefined behavior, according to the C standard:

> 7.24.2.4 The strncpy function
> ...
> The strncpy function copies not more than n characters (characters that follow a null character are not copied) from the array pointed to by s2 to the array pointed to by s1. If copying takes place between objects that overlap, the behavior is undefined.

The FreeBSD version of FORTIFY_SOURCE now catches this and aborts the program with SIGABRT.

Some people in the FreeBSD IRC channel said it might be better to completely rewrite bsd_attr_list() to avoid overlapping copies altogether, but I chose the easier approach, and replaced the strncpy calls with memmove, which is equivalent in this case.

Merge request will be linked here.
https://gitlab.com/samba-team/samba/-/merge_requests/4519
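As an added illustration of the problem described above (this is not Samba's bsd_attr_list() and not the code in the merge request), the following shows the conversion a FreeBSD listxattr shim has to perform: extattr_list_*() hands back entries as one length byte followed by the name with no NUL, and callers expect "user.<name>\0" strings. Doing that in the caller's buffer means every name is shifted toward the start of the buffer by a few bytes, so the source and destination of the name copy overlap; that is the case strncpy() leaves undefined and memmove() is defined for. Assumptions: the "user." prefix, the tail-parking layout, the helper names (ranges_overlap, build_raw_list, converted_size, bsd_list_to_user_xattrs, check_sample) and the sample input, which is constructed from the two attribute names visible in frame #4 of the backtrace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_PREFIX     "user."
#define USER_PREFIX_LEN (sizeof(USER_PREFIX) - 1)

/* Non-zero if [dst, dst+n) and [src, src+n) share a byte: undefined behaviour
 * for strncpy() per the C standard, and what FreeBSD's FORTIFY_SOURCE aborts on. */
static int ranges_overlap(const void *dst, const void *src, size_t n)
{
	const unsigned char *d = dst, *s = src;
	return n != 0 && d < s + n && s < d + n;
}

/* extattr_list_*() format: one length byte, then the name, no NUL. Returns
 * bytes written, or 0 if a name exceeds 255 bytes or cap is hit. */
static size_t build_raw_list(const char *const *names, size_t count,
			     unsigned char *raw, size_t cap)
{
	size_t used = 0;
	for (size_t i = 0; i < count; i++) {
		size_t ns = strlen(names[i]);
		if (ns > 255 || used + 1 + ns > cap)
			return 0;
		raw[used++] = (unsigned char)ns;
		memcpy(raw + used, names[i], ns);
		used += ns;
	}
	return used;
}

/* Output bytes needed: each entry swaps its length byte for "user." plus a
 * NUL. Returns 0 if a length byte points past the end of raw. */
static size_t converted_size(const unsigned char *raw, size_t raw_len)
{
	size_t total = 0;
	for (size_t i = 0; i < raw_len; i += 1 + raw[i]) {
		if (i + 1 + raw[i] > raw_len)
			return 0;
		total += USER_PREFIX_LEN + raw[i] + 1;
	}
	return total;
}

/* Rewrite the raw names into list as "user.<name>\0" entries, in place in the
 * caller's buffer. Returns bytes written, the size required when list is too
 * small (> size), or 0 on malformed input. The raw bytes are parked at the tail
 * of list and consumed from the front; each entry grows by five bytes, so a
 * name's destination can start only a few bytes below its source and the two
 * ranges overlap. *overlaps (optional) counts the copies that did. */
static size_t bsd_list_to_user_xattrs(const unsigned char *raw, size_t raw_len,
				      char *list, size_t size, size_t *overlaps)
{
	size_t need = converted_size(raw, raw_len), in, out = 0, hits = 0;
	if (need == 0 || need > size)
		return need;
	in = size - raw_len;
	memcpy(list + in, raw, raw_len);	/* raw and list never alias */
	while (in < size) {
		size_t ns = (unsigned char)list[in];
		char *src = list + in + 1;
		char *dst = list + out + USER_PREFIX_LEN;
		/* need <= size keeps out + USER_PREFIX_LEN <= in, so the prefix
		 * and the NUL below never land on bytes not yet consumed. */
		memcpy(list + out, USER_PREFIX, USER_PREFIX_LEN);
		hits += ranges_overlap(dst, src, ns);
		memmove(dst, src, ns);	/* strncpy(dst, src, ns) here was the bug */
		dst[ns] = '\0';
		out += USER_PREFIX_LEN + ns + 1;
		in += 1 + ns;
	}
	if (overlaps)
		*overlaps = hits;
	return out;
}

/* Constructed sample from the two names in frame #4 of the backtrace; converts
 * into a size-byte buffer and checks the result. Returns the number of
 * overlapping copies, or SIZE_MAX on failure. */
static size_t check_sample(size_t size)
{
	static const char *const names[] = {
		"org.netatalk.Metadata", "org.netatalk.has-Extended-Attributes" };
	static const char expected[] =
		"user.org.netatalk.Metadata\0user.org.netatalk.has-Extended-Attributes";
	unsigned char raw[128];
	char list[1024];
	size_t hits = 0, n, raw_len = build_raw_list(names, 2, raw, sizeof raw);
	if (size > sizeof list)
		return SIZE_MAX;
	n = bsd_list_to_user_xattrs(raw, raw_len, list, size, &hits);
	if (n == 0 || n > size || n != sizeof expected || memcmp(list, expected, n))
		return SIZE_MAX;
	return hits;
}

int main(void)
{
	printf("1024-byte buffer: %zu overlapping copies\n", check_sample(1024));
	printf("69-byte (exact) buffer: %zu overlapping copies\n", check_sample(69));
	return 0;
}
```

With a roomy 1024-byte buffer the name copies do not overlap and a strncpy() version would pass FORTIFY by luck; at the exact 69-byte size both copies overlap, and in this constructed layout the first name's destination sits six bytes below its source with a 21-byte length, the same offset and length frame #4 reports for dst, src and len. Whether an overlap occurs thus depends on the caller's buffer size and the attribute names present, which is why the abort showed up as a crash "soon after startup" rather than deterministically.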