I've got a report from the user (Konstantin Reznichenko <kot@premierbank.dp.ua>) together with the patch: his smbd was coredumping with signal 11 when adding a user from "User manager for domains":

    if ((from->fields_present & ACCT_CALLBACK) && (from->hdr_munged_dial.buffer)) {
        char *newstr;
        old_string = pdb_get_munged_dial(to);
        mung.length = from->hdr_munged_dial.uni_str_len;
        mung.data = (uint8 *) from->uni_munged_dial.buffer;
        newstr = base64_encode_data_blob(mung);
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ dies here
        DEBUG(10,("INFO_23 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr));
        if (STRING_CHANGED_NC(old_string, newstr))
            pdb_set_munged_dial(to , newstr, PDB_CHANGED);
        SAFE_FREE(newstr);
    }

It's a bit difficult to trace the problem now, as he was using 3.0.4 at the moment of writing, but his patch fixes at least the problem with the insufficient parameter verification in base64_encode_data_blob(). The patch is attached to the bug report.

Just for the record, his smb.conf contains:

    add machine script = /usr/sbin/pw useradd -n%u -cMachines -d/nonexistent -gntmachines -s/sbin/nologin
    add user script = /usr/sbin/pw useradd -n%u -cUsers -d/nonexistent -gntdomusers -s/sbin/nologin
    add group script = /usr/sbin/pw groupadd -n%g
    add user to group script = /usr/sbin/pw groupmod -n%g -m%u
    delete user from group script = /BIN/delgrpusr %g %u
    delete user script = /usr/sbin/pw userdel -n%u
    delete group script = /usr/sbin/pw groupdel -n%g

And the last record in the log:

    INFO_23 UNI_UNKNOWN_STR:...
Created attachment 900: Add sanity checks to the input parameters in base64_encode_data_blob()
This crash has already been fixed in the code with:

    ....
    if ((from->fields_present & ACCT_CALLBACK) && (from->hdr_munged_dial.buffer)) {
        char *newstr;
        old_string = pdb_get_munged_dial(to);
        mung.length = from->hdr_munged_dial.uni_str_len;
        mung.data = (uint8 *) from->uni_munged_dial.buffer;
        newstr = (mung.length == 0) ? NULL : base64_encode_data_blob(mung);
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        DEBUG(10,("INFO_23 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr));
        if (STRING_CHANGED_NC(old_string, newstr))
            pdb_set_munged_dial(to , newstr, PDB_CHANGED);
        SAFE_FREE(newstr);
    }
    }

But the patch looks sane (and prevents the caller from having to be paranoid). Checking it in.
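As an added illustration (not Samba's code and not the attached patch), here is a base64 encoder over a DATA_BLOB-like struct that applies the sanity check discussed above inside the encoder itself, so an empty or NULL blob yields NULL instead of a crash regardless of whether the caller tested mung.length first. The data_blob_t type and the function names are stand-ins I chose, not Samba identifiers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Samba's DATA_BLOB (assumption: a data pointer plus a length). */
typedef struct {
    const uint8_t *data;
    size_t length;
} data_blob_t;

static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode a blob into a malloc'd, NUL-terminated string (caller frees).
 * A NULL or zero-length blob returns NULL instead of being dereferenced; this
 * is the input check the bug is about, so callers must handle a NULL result
 * (as SAFE_FREE and the DEBUG line in the snippet above already do). */
char *base64_encode_blob_checked(data_blob_t blob)
{
    if (blob.data == NULL || blob.length == 0)
        return NULL;
    size_t out_len = 4 * ((blob.length + 2) / 3);
    char *out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;
    size_t i = 0, o = 0;
    while (i < blob.length) {
        size_t rem = blob.length - i;          /* bytes left in this 3-byte group */
        uint32_t v = (uint32_t)blob.data[i] << 16;
        if (rem > 1) v |= (uint32_t)blob.data[i + 1] << 8;
        if (rem > 2) v |= (uint32_t)blob.data[i + 2];
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = rem > 1 ? b64[(v >> 6) & 63] : '=';   /* pad short groups */
        out[o++] = rem > 2 ? b64[v & 63] : '=';
        i += 3;
    }
    out[o] = '\0';
    return out;
}

/* Convenience wrapper for constructed test input: encode a C string's bytes.
 * An empty string produces a zero-length blob, the case that crashed smbd. */
char *encode_cstring(const char *s)
{
    data_blob_t blob = { (const uint8_t *)s, s ? strlen(s) : 0 };
    return base64_encode_blob_checked(blob);
}
```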
Originally reported against 3.0.11pre1. Moving the version back to 3.0.10 to remove preX and rcX versions.
Sorry for the same; cleaning up the database to prevent unnecessary reopens of bugs.