Bug 299 - Segfault in smbclient when using libnss_wins for name resolution
Summary: Segfault in smbclient when using libnss_wins for name resolution
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.0preX
Hardware: Other other
Importance: P3 critical
Target Milestone: 3.0.0rc3
Assignee: Tim Potter
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-08-15 00:31 UTC by Marc Kaplan
Modified: 2005-08-24 10:24 UTC

See Also:

Description Marc Kaplan 2003-08-15 00:31:58 UTC
Easy to produce this one, and easy to make it go away by taking the wins out of
/etc/nsswitch.conf

Here is what I found running this under valgrind:
[root@ThunderBird root]# more smbclientfault.out 
==27791== valgrind-1.0.4, a memory error detector for x86 GNU/Linux.
==27791== Copyright (C) 2000-2002, and GNU GPL'd, by Julian Seward.
==27791== Estimated CPU clock rate is 1199 MHz
==27791== For more details, rerun with: -v
==27791== 
INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
added interface ip=129.146.1.239 bcast=129.146.1.255 nmask=255.255.255.0
added interface ip=172.16.153.1 bcast=172.16.153.255 nmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="THUNDERBIRD"
Client started (version 3.0.0beta3).
internal_resolve_name: looking up snap4500#20
Opening cache file at /usr/local/samba/var/locks/gencache.tdb
Cache entry with key = NBT/SNAP4500#20 couldn't be found
no entry for snap4500#20 found.
Deleting cache entry (key = NBT/SNAP4500#20)
resolve_lmhosts: Attempting lmhosts lookup for name snap4500<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name snap4500<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name snap4500<0x20>
Adding chars 0x0 0x0 (l->u = False) (u->l = False)
Adding chars 0x21 0x0 (l->u = False) (u->l = False)
Adding chars 0x23 0x0 (l->u = False) (u->l = False)
Adding chars 0x24 0x0 (l->u = False) (u->l = False)
Adding chars 0x25 0x0 (l->u = False) (u->l = False)
Adding chars 0x26 0x0 (l->u = False) (u->l = False)
Adding chars 0x27 0x0 (l->u = False) (u->l = False)
Adding chars 0x28 0x0 (l->u = False) (u->l = False)
Adding chars 0x29 0x0 (l->u = False) (u->l = False)
Adding chars 0x2d 0x0 (l->u = False) (u->l = False)
Adding chars 0x2e 0x0 (l->u = False) (u->l = False)
Adding chars 0x30 0x0 (l->u = False) (u->l = False)
Adding chars 0x31 0x0 (l->u = False) (u->l = False)
Adding chars 0x32 0x0 (l->u = False) (u->l = False)
Adding chars 0x33 0x0 (l->u = False) (u->l = False)
Adding chars 0x34 0x0 (l->u = False) (u->l = False)
Adding chars 0x35 0x0 (l->u = False) (u->l = False)
Adding chars 0x36 0x0 (l->u = False) (u->l = False)
Adding chars 0x37 0x0 (l->u = False) (u->l = False)
Adding chars 0x38 0x0 (l->u = False) (u->l = False)
Adding chars 0x39 0x0 (l->u = False) (u->l = False)
Adding chars 0x40 0x0 (l->u = False) (u->l = False)
Adding chars 0x41 0x0 (l->u = False) (u->l = False)
Adding chars 0x42 0x0 (l->u = False) (u->l = False)
Adding chars 0x43 0x0 (l->u = False) (u->l = False)
Adding chars 0x44 0x0 (l->u = False) (u->l = False)
Adding chars 0x45 0x0 (l->u = False) (u->l = False)
Adding chars 0x46 0x0 (l->u = False) (u->l = False)
Adding chars 0x47 0x0 (l->u = False) (u->l = False)
Adding chars 0x48 0x0 (l->u = False) (u->l = False)
Adding chars 0x49 0x0 (l->u = False) (u->l = False)
Adding chars 0x4a 0x0 (l->u = False) (u->l = False)
Adding chars 0x4b 0x0 (l->u = False) (u->l = False)
Adding chars 0x4c 0x0 (l->u = False) (u->l = False)
Adding chars 0x4d 0x0 (l->u = False) (u->l = False)
Adding chars 0x4e 0x0 (l->u = False) (u->l = False)
Adding chars 0x4f 0x0 (l->u = False) (u->l = False)
Adding chars 0x50 0x0 (l->u = False) (u->l = False)
Adding chars 0x51 0x0 (l->u = False) (u->l = False)
Adding chars 0x52 0x0 (l->u = False) (u->l = False)
Adding chars 0x53 0x0 (l->u = False) (u->l = False)
Adding chars 0x54 0x0 (l->u = False) (u->l = False)
Adding chars 0x55 0x0 (l->u = False) (u->l = False)
Adding chars 0x56 0x0 (l->u = False) (u->l = False)
Adding chars 0x57 0x0 (l->u = False) (u->l = False)
Adding chars 0x58 0x0 (l->u = False) (u->l = False)
Adding chars 0x59 0x0 (l->u = False) (u->l = False)
Adding chars 0x5a 0x0 (l->u = False) (u->l = False)
Adding chars 0x5e 0x0 (l->u = False) (u->l = False)
Adding chars 0x5f 0x0 (l->u = False) (u->l = False)
Adding chars 0x60 0x0 (l->u = False) (u->l = False)
Adding chars 0x61 0x0 (l->u = False) (u->l = False)
Adding chars 0x62 0x0 (l->u = False) (u->l = False)
Adding chars 0x63 0x0 (l->u = False) (u->l = False)
Adding chars 0x64 0x0 (l->u = False) (u->l = False)
Adding chars 0x65 0x0 (l->u = False) (u->l = False)
Adding chars 0x66 0x0 (l->u = False) (u->l = False)
Adding chars 0x67 0x0 (l->u = False) (u->l = False)
Adding chars 0x68 0x0 (l->u = False) (u->l = False)
Adding chars 0x69 0x0 (l->u = False) (u->l = False)
Adding chars 0x6a 0x0 (l->u = False) (u->l = False)
Adding chars 0x6b 0x0 (l->u = False) (u->l = False)
Adding chars 0x6c 0x0 (l->u = False) (u->l = False)
Adding chars 0x6d 0x0 (l->u = False) (u->l = False)
Adding chars 0x6e 0x0 (l->u = False) (u->l = False)
Adding chars 0x6f 0x0 (l->u = False) (u->l = False)
Adding chars 0x70 0x0 (l->u = False) (u->l = False)
Adding chars 0x71 0x0 (l->u = False) (u->l = False)
Adding chars 0x72 0x0 (l->u = False) (u->l = False)
Adding chars 0x73 0x0 (l->u = False) (u->l = False)
Adding chars 0x74 0x0 (l->u = False) (u->l = False)
Adding chars 0x75 0x0 (l->u = False) (u->l = False)
Adding chars 0x76 0x0 (l->u = False) (u->l = False)
Adding chars 0x77 0x0 (l->u = False) (u->l = False)
Adding chars 0x78 0x0 (l->u = False) (u->l = False)
Adding chars 0x79 0x0 (l->u = False) (u->l = False)
Adding chars 0x7a 0x0 (l->u = False) (u->l = False)
Adding chars 0x7b 0x0 (l->u = False) (u->l = False)
Adding chars 0x7d 0x0 (l->u = False) (u->l = False)
Adding chars 0x7e 0x0 (l->u = False) (u->l = False)
==27791== Conditional jump or move depends on uninitialised value(s)
==27791==    at 0x80A9333: talloc_init (lib/talloc.c:147)
==27791==    by 0x418D3651: lp_string (in /lib/libnss_wins.so)
==27791==    by 0x418D4038: lp_codepagedir (in /lib/libnss_wins.so)
==27791==    by 0x418F5C06: load_client_codepage (in /lib/libnss_wins.so)
==27791== 
==27791== Conditional jump or move depends on uninitialised value(s)
==27791==    at 0x42050410: (within /lib/i686/libc-2.2.5.so)
==27791==    by 0x42072D25: (within /lib/i686/libc-2.2.5.so)
==27791==    by 0x80A934F: talloc_init (lib/talloc.c:156)
==27791==    by 0x418D3651: lp_string (in /lib/libnss_wins.so)
==27791== 
==27791== Use of uninitialised value of size 4
==27791==    at 0x42050486: (within /lib/i686/libc-2.2.5.so)
==27791==    by 0x42072D25: (within /lib/i686/libc-2.2.5.so)
==27791==    by 0x80A934F: talloc_init (lib/talloc.c:156)
==27791==    by 0x418D3651: lp_string (in /lib/libnss_wins.so)
==27791== 
==27791== Invalid read of size 1
==27791==    at 0x42050486: (within /lib/i686/libc-2.2.5.so)
==27791==    by 0x42072D25: (within /lib/i686/libc-2.2.5.so)
==27791==    by 0x80A934F: talloc_init (lib/talloc.c:156)
==27791==    by 0x418D3651: lp_string (in /lib/libnss_wins.so)
==27791==    Address 0x2004 is not stack'd, malloc'd or free'd
Comment 1 Tim Potter 2003-09-07 22:51:16 UTC
Fixed in CVS.  There was some confusion over dynamically allocated lists of
pointers (i.e. you have to make space for the list of pointers and what they are
pointing to) in the memory buffer passed in from libc.

Valgrind is much happier now and there is no segfault.
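The fix in comment 1 is described only in general terms, so here is an added example (written for this page, not Samba's code and not the actual libnss_wins patch) of the buffer layout an NSS gethostbyname_r-style back end has to produce: libc hands the module one flat buffer, and the module must carve out of it the canonical name, the NULL-terminated h_aliases and h_addr_list pointer arrays, and the address bytes those pointers refer to, reporting ERANGE/TRYAGAIN when the buffer cannot hold all of them. The function names fill_hostent, hostent_space_needed and demo_fill_hostent, the locally defined nss_status_local enum, and the two TEST-NET-1 addresses for snap4500 are this example's own assumptions and constructions.

```c
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Modelled on glibc's enum nss_status; defined locally (an assumption of
 * this example) so the file builds without <nss.h>. */
enum nss_status_local { NSS_LOCAL_TRYAGAIN = -2, NSS_LOCAL_UNAVAIL = -1,
                        NSS_LOCAL_NOTFOUND = 0, NSS_LOCAL_SUCCESS = 1 };

/* Pointer arrays placed in the caller's buffer must be aligned whatever
 * buffer libc hands over, so round p up to pointer alignment. */
static char *align_up(char *p)
{
    uintptr_t a = sizeof(char *);
    return (char *)(((uintptr_t)p + a - 1) & ~(a - 1));
}

/* Bytes needed for one canonical name, no aliases and naddrs IPv4 addresses.
 * The pointer lists AND the bytes they point to both live in the caller's
 * buffer, so both are counted (the mistake comment 1 describes is counting
 * only one of them). */
size_t hostent_space_needed(const char *name, size_t naddrs)
{
    size_t need = strlen(name) + 1;          /* h_name + NUL */
    need += sizeof(char *) - 1;              /* worst-case alignment slack */
    need += sizeof(char *);                  /* h_aliases: just the NULL */
    need += (naddrs + 1) * sizeof(char *);   /* h_addr_list + NULL */
    need += naddrs * sizeof(struct in_addr); /* the addresses themselves */
    return need;
}

/* Fill *result the way an NSS gethostbyname_r back end must: every pointer
 * refers into buf, nothing is heap-allocated, and a too-small buffer yields
 * TRYAGAIN/ERANGE so libc retries with a bigger one instead of the module
 * writing past the end. addrs holds naddrs network-order IPv4 addresses. */
int fill_hostent(struct hostent *result, const char *name,
                 const unsigned char (*addrs)[4], size_t naddrs,
                 char *buf, size_t buflen, int *errnop)
{
    if (hostent_space_needed(name, naddrs) > buflen) {
        *errnop = ERANGE;
        return NSS_LOCAL_TRYAGAIN;
    }
    char *p = buf;
    size_t nlen = strlen(name) + 1;
    memcpy(p, name, nlen);                   /* 1. canonical name */
    result->h_name = p;
    p = align_up(p + nlen);
    result->h_aliases = (char **)p;          /* 2. NULL-terminated alias list */
    result->h_aliases[0] = NULL;
    p += sizeof(char *);
    result->h_addr_list = (char **)p;        /* 3. reserve the pointer array... */
    p += (naddrs + 1) * sizeof(char *);
    for (size_t i = 0; i < naddrs; i++) {    /* ...then the bytes it points to */
        memcpy(p, addrs[i], sizeof(struct in_addr));
        result->h_addr_list[i] = p;
        p += sizeof(struct in_addr);
    }
    result->h_addr_list[naddrs] = NULL;
    result->h_addrtype = AF_INET;
    result->h_length = sizeof(struct in_addr);
    *errnop = 0;
    return NSS_LOCAL_SUCCESS;
}

/* Worked run: the name from the bug report resolving to two constructed
 * TEST-NET-1 addresses, first into a buffer that is too small, then into one
 * of exactly the computed size. Returns 1 when every check passes, otherwise
 * the number of the failing check. */
int demo_fill_hostent(void)
{
    static const char name[] = "snap4500";
    static const unsigned char addrs[2][4] = { {192, 0, 2, 10}, {192, 0, 2, 11} };
    struct hostent he;
    char small[16], big[256];
    int err = 0;
    size_t need = hostent_space_needed(name, 2);

    memset(&he, 0, sizeof he);
    if (fill_hostent(&he, name, addrs, 2, small, sizeof small, &err)
            != NSS_LOCAL_TRYAGAIN || err != ERANGE)
        return 2;                            /* must refuse, not overflow */
    if (need > sizeof big ||
        fill_hostent(&he, name, addrs, 2, big, need, &err) != NSS_LOCAL_SUCCESS)
        return 3;
    if (strcmp(he.h_name, name) != 0 || he.h_aliases[0] != NULL ||
        he.h_addrtype != AF_INET || he.h_length != 4)
        return 4;
    if (memcmp(he.h_addr_list[0], addrs[0], 4) != 0 ||
        memcmp(he.h_addr_list[1], addrs[1], 4) != 0 || he.h_addr_list[2] != NULL)
        return 5;
    /* everything the struct points at must lie inside the caller's buffer */
    if ((char *)he.h_addr_list < big || he.h_addr_list[1] + 4 > big + need)
        return 6;
    return 1;
}

int main(void) { return demo_fill_hostent() == 1 ? 0 : 1; }
```

The size check is the whole point: a module that reserves room for the address bytes but not for the h_addr_list array (or the reverse) passes a valgrind-free unit test only until a name with a few more addresses, or a shorter libc buffer, pushes the writes past the end, which is exactly the class of invalid read/write the trace above reports from inside libnss_wins.so. Returning TRYAGAIN with errno set to ERANGE is what lets glibc grow the buffer and call the module again.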
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-02-07 08:41:35 UTC
originally reported against 3.0.0beta3.  Cleaning out
non-production release versions.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:24:05 UTC
sorry for the spam, cleaning up the database to prevent unnecessary reopens of bugs.