Bug 16081 - winbindd_child_msg_filter: talloc_get_type_abort crashes when winbind max domain connections > 1
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.22.6
Hardware: All, OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2026-05-21 09:35 UTC by parag chaudhari
Modified: 2026-05-21 09:36 UTC
See Also:
Description parag chaudhari 2026-05-21 09:35:12 UTC
winbindd crashes with SIGABRT in winbindd_child_msg_filter() when "winbind max domain connections" is set to a value greater than 1.

Backtrace:
Core was generated by `winbindd: domain child [PANQA-ATL]'.
Program terminated with signal SIGABRT, Aborted.

#0  thr_kill () from /lib/libc.so.7
#1  raise () from /lib/libc.so.7
#2  abort () from /lib/libc.so.7
#3  dump_core () at ../../source3/lib/dumpcore.c:361
#4  smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:778
#5  smb_panic (why="Bad talloc magic value - unknown value") at ../../lib/util/fault.c:209
#6  talloc_chunk_from_ptr (ptr=0x11862667baa8) at ../../lib/talloc/talloc.c:534
#7  __talloc_get_name (ptr=0x11862667baa8) at ../../lib/talloc/talloc.c:1566
#8  _talloc_get_type_abort (ptr=0x11862667baa8, name="struct winbindd_child", location="../../source3/winbindd/winbindd_dual.c:931") at ../../lib/talloc/talloc.c:1623
#9  winbindd_child_msg_filter (rec=0x8206f0a60, private_data=0x0) at ../../source3/winbindd/winbindd_dual.c:930
#10 messaging_dispatch_waiters at ../../source3/lib/messages.c:1378
#11 messaging_dispatch_rec at ../../source3/lib/messages.c:1406
#20 fork_domain_child (child=0x11862667baa8) at ../../source3/winbindd/winbindd_dual.c:1898

Root cause:
In source3/winbindd/winbindd_util.c, domain->children is allocated as:

  domain->children = talloc_zero_array(domain, struct winbindd_child,
                                       lp_winbind_max_domain_connections());

talloc_zero_array allocates a single contiguous block with ONE talloc header
for the base pointer only.

In source3/winbindd/winbindd_domain.c, setup_child() is called with
&domain->children[i] for each child, passing these pointers as private_data
to the messaging subsystem.

In source3/winbindd/winbindd_dual.c, winbindd_child_msg_filter() does:

  struct winbindd_child *child = talloc_get_type_abort(private_data,
                                         struct winbindd_child);

For children[0], this works — it's the base pointer with a valid talloc header.
For children[i] where i > 0, these are mid-array pointers with NO talloc header,
causing talloc_get_type_abort to abort the process.

This bug is latent with the default "winbind max domain connections = 1" since
only children[0] is ever used.

Fix:
Replace talloc_get_type_abort with a direct cast:

  struct winbindd_child *child = (struct winbindd_child *)private_data;

Introduced by commit 8e1f2ee5f7c which added talloc_get_type_abort to this
function. Affects all versions since that commit including current master.

Steps to reproduce:
1. Set "winbind max domain connections = 2" (or higher) in smb.conf
2. Join a domain
3. Restart samba
4. winbindd child processes abort with SIGABRT
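The layout the report describes, reduced to a runnable model. This is an added illustration, not Samba's code and not libtalloc: `model_chunk`, `model_zero_array`, `model_has_type_header` and `model_is_element_of` are constructed stand-ins for talloc's chunk header, talloc_zero_array() and the check inside talloc_get_type_abort(), and the `struct winbindd_child` here is a constructed placeholder for the real one. The model keeps the one property the bug depends on: a single header sits in front of the whole array, so only `&children[0]` is preceded by a header, and probing `&children[i]` for `i > 0` reads zeroed element bytes where the magic should be. The second function applies the reported fix (a direct cast) and adds a base-pointer range check, which is a way to keep some validation when the array base is known.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a talloc chunk: a header directly in front of the
 * bytes handed to the caller; talloc_get_type_abort() looks for that header
 * at (ptr - sizeof(header)). Real talloc's header is larger and its magic
 * differs; only the one-header-per-allocation property is reproduced here. */
#define MODEL_MAGIC 0x7A110CA11ED0ULL

struct model_chunk {
    uint64_t magic;     /* what the "Bad talloc magic value" panic checks */
    const char *name;   /* type name compared by talloc_get_type_abort() */
    size_t size;        /* payload size in bytes */
};

/* Constructed stand-in for struct winbindd_child (32 bytes, 8-byte aligned,
 * so that every header probe below is a well-aligned read). */
struct winbindd_child {
    uint64_t pid;
    char domain_name[24];
};

/* Counterpart of talloc_zero_array(): ONE header, then count zeroed elements. */
static void *model_zero_array(const char *name, size_t elem_size, size_t count)
{
    struct model_chunk *hdr = calloc(1, sizeof(*hdr) + elem_size * count);
    if (hdr == NULL) {
        return NULL;
    }
    hdr->magic = MODEL_MAGIC;
    hdr->name = name;
    hdr->size = elem_size * count;
    return hdr + 1;   /* the caller's pointer is just past the header */
}

static void model_free(void *base)
{
    if (base != NULL) {
        free((struct model_chunk *)base - 1);
    }
}

/* The check talloc_get_type_abort() performs, returned instead of aborting:
 * 1 if ptr is directly preceded by a valid header carrying `name`, else 0. */
static int model_has_type_header(const void *ptr, const char *name)
{
    const struct model_chunk *hdr = (const struct model_chunk *)ptr - 1;
    if (hdr->magic != MODEL_MAGIC) {
        return 0;   /* the point at which winbindd reaches smb_panic() */
    }
    return strcmp(hdr->name, name) == 0;
}

/* Validation that still works for mid-array pointers when the array base is
 * known: check the header on the base, then that ptr is an element of it. */
static int model_is_element_of(const void *base, const char *name,
                               size_t elem_size, const void *ptr)
{
    uintptr_t b = (uintptr_t)base, p = (uintptr_t)ptr;
    const struct model_chunk *hdr;
    if (!model_has_type_header(base, name)) {
        return 0;
    }
    hdr = (const struct model_chunk *)base - 1;
    return p >= b && p < b + hdr->size && (p - b) % elem_size == 0;
}

/* Scenario from the report: `count` children in one talloc_zero_array-style
 * block, the message filter probing each &children[i] as private_data.
 * Returns how many of the count elements pass the per-element header check
 * (only children[0] ever does). */
int children_passing_header_check(size_t count)
{
    struct winbindd_child *children = model_zero_array(
        "struct winbindd_child", sizeof(struct winbindd_child), count);
    int passing = 0;
    for (size_t i = 0; i < count; i++) {
        void *private_data = &children[i];   /* what setup_child() passes */
        if (model_has_type_header(private_data, "struct winbindd_child")) {
            passing++;
        }
    }
    model_free(children);
    return passing;
}

/* Same scenario with the reported fix (a direct cast) plus the base-pointer
 * range check. Pids are set to 1..count; returns their sum, count*(count+1)/2,
 * or -1 if any element fails the range check. */
long children_reachable_by_cast(size_t count)
{
    struct winbindd_child *children = model_zero_array(
        "struct winbindd_child", sizeof(struct winbindd_child), count);
    long sum = 0;
    for (size_t i = 0; i < count; i++) {
        children[i].pid = i + 1;
    }
    for (size_t i = 0; i < count; i++) {
        void *private_data = &children[i];
        /* the reported fix: no header lookup on a mid-array pointer */
        struct winbindd_child *child = (struct winbindd_child *)private_data;
        if (!model_is_element_of(children, "struct winbindd_child",
                                 sizeof(*children), private_data)) {
            sum = -1;
            break;
        }
        sum += (long)child->pid;
    }
    model_free(children);
    return sum;
}
```

With "winbind max domain connections = 1" the array has a single element, so the header check passes every time and the defect stays hidden, exactly as the report notes; any count above 1 makes the per-element check fail on every element but the first. The direct cast removes the check entirely, so it removes the abort; the range check against the array base is an option for code paths that still want to reject a stray pointer.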