Bug 2449 - nmbd dies because wrong free() operation
Product: Samba 3.0
Classification: Unclassified
Component: nmbd
Version: 3.0.10
Hardware: All Windows 98
Importance: P3 critical
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL: https://bugzilla.redhat.com/bugzilla/...
Reported: 2005-03-15 02:32 UTC by Milan Kerslager
Modified: 2006-04-09 12:16 UTC

nmbd.log (14.71 KB, text/plain)
2005-11-08 09:33 UTC, Adam Thompson
Description Milan Kerslager 2005-03-15 02:32:28 UTC
See bug #150582 in Red Hat Bugzilla (URL filled). The nmbd dies right after a few
logins to Samba PDC on Red Hat Enterprise Linux 4 (samba-3.0.10-1.4E from
initial RHEL4 release with glibc-2.3.4-2). The nmbd log contains:

*** glibc detected *** free(): invalid next size (fast): 0x08bfc970 ***

The same configuration works under RHEL3 (samba-3.0.9-1.3E.2), but RHEL3 has
older glibc (glibc-2.3.2-95.30) which is unable to detect this sort of bug.

See bug #150647 in RH Bugzilla and Release notes for RHEL4 for more info about
new glibc features.

The machine with Samba is a Dell with P4 CPU, no HW issues so far. The server
works well after downgrading to RHEL3.

I set critical severity as this could be a possible security bug. I tried to
compile the latest 3.0.11 Samba with no luck. I did not test an older version of
Samba on that RHEL4 machine.
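
What the check behind `free(): invalid next size (fast)` looks at, as a simplified model added here (not glibc or Samba code, and not part of the original report): when a chunk is freed, the size field of the chunk that follows it must be larger than `2 * SIZE_SZ` and smaller than the memory the arena owns. The function names, the 128-byte arena, `USER_CAP` and the 'A' fill are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified chunk model, not glibc source: [prev_size][size][user data...].
   Both header fields are SIZE_SZ bytes; the low 3 bits of size are flags. */
#define SIZE_SZ   sizeof(size_t)
#define FLAG_MASK ((size_t)7)
#define USER_CAP  16              /* constructed: user bytes in the first chunk */

static size_t read_size(const unsigned char *chunk) {
    size_t v;
    memcpy(&v, chunk + SIZE_SZ, SIZE_SZ);   /* size follows prev_size */
    return v;
}

/* 1 if the chunk after `chunk` has a plausible size, 0 where free() would
   abort with "invalid next size". system_mem: bytes owned by the arena. */
int next_size_ok(const unsigned char *chunk, size_t system_mem) {
    size_t size = read_size(chunk) & ~FLAG_MASK;
    size_t next = read_size(chunk + size);
    return next > 2 * SIZE_SZ && (next & ~FLAG_MASK) < system_mem;
}

/* Lay out two adjacent chunks in a constructed arena, copy `len` bytes of 'A'
   into the first chunk's user area, then run the check on the first chunk. */
int simulate(size_t len) {
    unsigned char arena[128] = {0}, payload[64];
    size_t first = 2 * SIZE_SZ + USER_CAP;     /* chunk size incl. header */
    size_t hdr1 = first | 1;                   /* PREV_INUSE flag set */
    size_t hdr2 = (2 * SIZE_SZ + 32) | 1;      /* header of the next chunk */
    if (len > sizeof payload) return -1;
    memcpy(arena + SIZE_SZ, &hdr1, SIZE_SZ);
    memcpy(arena + first + SIZE_SZ, &hdr2, SIZE_SZ);
    memset(payload, 'A', sizeof payload);
    memcpy(arena + 2 * SIZE_SZ, payload, len); /* the write under test */
    return next_size_ok(arena, sizeof arena);
}

int main(void) {
    size_t lens[] = { USER_CAP, USER_CAP + SIZE_SZ, USER_CAP + 2 * SIZE_SZ };
    for (size_t i = 0; i < 3; i++)
        printf("write of %zu bytes: %s\n", lens[i],
               simulate(lens[i]) ? "check passes" : "invalid next size");
    return 0;
}
```

In this model a write that stops short of the neighbouring size field still passes, so the abort marks where the damage was noticed, not where the overrunning write happened.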
Comment 1 Adam Thompson 2005-11-08 09:30:06 UTC
Same problem here.  RHEL4 with samba-3.0.10-1.4E.2
Attaching nmbd.log
Comment 2 Adam Thompson 2005-11-08 09:33:18 UTC
Created attachment 1566

contains multiple nmbd deaths including some normal shutdowns
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-11-08 09:58:29 UTC
3.0.10 is really old from our perspective.  Unless you
can (a) reproduce this against 3.0.20b, or (b) get a full
backtrace with debugging symbols, or (c) get a valgrind log,
it will be extremely hard to track down.

If we have already fixed the bug in a later release,
you will need to contact RedHat to get a patch for 
your platform.
Comment 4 Adam Thompson 2005-11-09 10:30:32 UTC
Confirmed that on RHEL4, using current RPM from www.samba.org does seem to fix
the problem.

I do have a valgrind log, however... can be found at
Comment 5 Volker Lendecke 2006-04-09 12:16:49 UTC
Adam says it's fixed. Closing.