Bug 3380 - samba panic when I changed windows printer driver.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Printing
Version: 3.0.21a
Hardware: x86 Linux
Importance: P3 critical
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Reported: 2006-01-05 20:32 UTC by Yasuhiro Fujii
Modified: 2006-01-14 06:28 UTC (History)

Attachments
zero printer data pointer after freeing the data (369 bytes, patch)
2006-01-12 20:04 UTC, Gerald (Jerry) Carter (dead mail address)

Description Yasuhiro Fujii 2006-01-05 20:32:50 UTC
I installed Canon and Epson Windows printer drivers on samba3.0.20a.
Printing from Windows XP is OK.

I changed the printer driver to another printer driver.
After the printer driver files finished copying, I clicked OK.
But I can't change it; XP shows an error message.
I checked log.smbd:

[2006/01/06 11:32:30, 0] lib/fault.c:fault_report(40)
  ===============================================================
[2006/01/06 11:32:30, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
[2006/01/06 11:32:30, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 27 stack frames:
   #0 /usr/local/samba/sbin/smbd(smb_panic2+0x18c) [0x81c9e3a]
   #1 /usr/local/samba/sbin/smbd(smb_panic+0x10) [0x81c9cac]
   #2 /usr/local/samba/sbin/smbd [0x81b96ba]
   #3 /usr/local/samba/sbin/smbd [0x81b970f]
   #4 /lib/tls/libc.so.6 [0x420277b8]
   #5 /usr/local/samba/sbin/smbd(add_printer_data+0x43) [0x81ebeed]
   #6 /usr/local/samba/sbin/smbd(set_printer_dataex+0x27) [0x81294bf]
   #7 /usr/local/samba/sbin/smbd [0x812ffc6]
   #8 /usr/local/samba/sbin/smbd(_spoolss_setprinter+0x11a) [0x813027b]
   #9 /usr/local/samba/sbin/smbd [0x81230d8]
   #10 /usr/local/samba/sbin/smbd(api_rpcTNP+0x1f3) [0x814ffb1]
   #11 /usr/local/samba/sbin/smbd(api_pipe_request+0xed) [0x814fd46]
   #12 /usr/local/samba/sbin/smbd [0x814a3e0]
   #13 /usr/local/samba/sbin/smbd [0x814a583]
   #14 /usr/local/samba/sbin/smbd [0x814ab08]
   #15 /usr/local/samba/sbin/smbd [0x814acbe]
   #16 /usr/local/samba/sbin/smbd(write_to_pipe+0xd9) [0x814ac42]
   #17 /usr/local/samba/sbin/smbd [0x80913f0]
   #18 /usr/local/samba/sbin/smbd [0x80915e0]
   #19 /usr/local/samba/sbin/smbd(reply_trans+0x976) [0x8091fbe]
   #20 /usr/local/samba/sbin/smbd [0x80d0cba]
   #21 /usr/local/samba/sbin/smbd [0x80d0d44]
   #22 /usr/local/samba/sbin/smbd(process_smb+0x1b9) [0x80d103f]
   #23 /usr/local/samba/sbin/smbd(smbd_process+0x136) [0x80d1c9f]
   #24 /usr/local/samba/sbin/smbd(main+0x77d) [0x8242877]
   #25 /lib/tls/libc.so.6(__libc_start_main+0xe4) [0x42015704]
   #26 /usr/local/samba/sbin/smbd(chroot+0x31) [0x807e035]

I want to change the printer driver.
Please tell me how to fix this.
Comment 1 Yasuhiro Fujii 2006-01-05 20:42:44 UTC
Samba OS: Red Hat 9
Client OS: Windows XP SP2 and Windows 2000
Printer driver: Epson and Canon Windows XP/2000 drivers
(not a Linux printing bug.)
I tried to reinstall the printer driver from XP SP2 and 2000,
but it failed.
Comment 2 Yasuhiro Fujii 2006-01-05 23:27:08 UTC
Added smbd -d 3 log.
I can find a STATUS_BUFFER_OVERFLOW message.
----
  api_rpcTNP: rpc command: SPOOLSS_GETPRINTER
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 1276
[2006/01/06 15:20:30, 3] smbd/error.c:error_packet(146)
  error packet at smbd/ipc.c(97) cmd=37 (SMBtrans) STATUS_BUFFER_OVERFLOW
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 87 of length 63
-----



-- all -d 3 log --
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 50 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 51 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 52 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 53 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 54 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 55 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 56 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 57 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 58 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 59 of length 4348
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70ea nwritten=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 60 of length 3928
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=3840 params=0 setup=2
[2006/01/06 15:20:29, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:29, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:29, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:29, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_ENUMPRINTERS
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/01/06 15:20:29, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/01/06 15:20:29, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/01/06 15:20:29, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/01/06 15:20:29, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/06 15:20:29, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 22486
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 61 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 62 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 63 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 64 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 65 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 66 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 67 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 68 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 69 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=4280
[2006/01/06 15:20:29, 3] smbd/process.c:process_smb(1194)
  Transaction 70 of length 63
[2006/01/06 15:20:29, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:29, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70ea min=4280 max=4280 nread=3796
[2006/01/06 15:20:29, 3] printing/printing.c:print_queue_update_internal(1144)
  print_queue_update_internal: 0 jobs in queue for PR04F12
[2006/01/06 15:20:29, 3] printing/printing.c:print_queue_update_internal(1144)
  print_queue_update_internal: 0 jobs in queue for PR09F03C
[2006/01/06 15:20:29, 3] printing/printing.c:print_queue_update_internal(1144)
  print_queue_update_internal: 0 jobs in queue for PR08F95C
[2006/01/06 15:20:29, 3] printing/printing.c:print_queue_update_internal(1144)
  print_queue_update_internal: 0 jobs in queue for PR04F11
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 71 of length 304
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=216 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(416)
  Setting printer type=\\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 170
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 72 of length 168
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=80 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_GETPRINTERDATA
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 22
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 73 of length 132
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=44 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_CLOSEPRINTER
[2006/01/06 15:20:30, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(200)
  Closed policy
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 74 of length 304
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=216 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(416)
  Setting printer type=\\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 170
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 75 of length 132
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=44 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_CLOSEPRINTER
[2006/01/06 15:20:30, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(200)
  Closed policy
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 76 of length 3696
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=3608 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_GETPRINTER
[2006/01/06 15:20:30, 2] rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(271)
  find_printer_index_by_hnd: Printer handle not found: find_printer_index_by_hnd: Printer handle not found: get_printer_snum: Invalid handle (OTHER:21738:21747)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 52
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 77 of length 132
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=44 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_CLOSEPRINTER
[2006/01/06 15:20:30, 2] rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(271)
  find_printer_index_by_hnd: Printer handle not found: find_printer_index_by_hnd: Printer handle not found: close_printer_handle: Invalid handle (OTHER:21738:21747)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 78 of length 106
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBntcreateX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/nttrans.c:nt_open_pipe(351)
  nt_open_pipe: Known pipe spoolss opening.
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 79 of length 1856
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=1768 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(416)
  Setting printer type=\\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 1734
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 80 of length 140
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBwriteX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(1483)
  api_pipe_bind_req: \PIPE\spoolss -> \PIPE\spoolss
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:check_bind_req(959)
  check_bind_req for \PIPE\spoolss
[2006/01/06 15:20:30, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=70eb nwritten=72
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 81 of length 63
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70eb min=1024 max=1024 nread=68
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 82 of length 1856
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=1768 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70eb)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 71
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(416)
  Setting printer type=\\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 1734
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 83 of length 132
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=44 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_CLOSEPRINTER
[2006/01/06 15:20:30, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(200)
  Closed policy
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 84 of length 304
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=216 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
  checking name: \\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_spoolss_nt.c:set_printer_hnd_printertype(416)
  Setting printer type=\\printer-server\PRINTER1
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 170
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 85 of length 132
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=44 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_CLOSEPRINTER
[2006/01/06 15:20:30, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(200)
  Closed policy
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 86 of length 3696
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=3608 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70eb)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_GETPRINTER
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 1276
[2006/01/06 15:20:30, 3] smbd/error.c:error_packet(146)
  error packet at smbd/ipc.c(97) cmd=37 (SMBtrans) STATUS_BUFFER_OVERFLOW
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 87 of length 63
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBreadX (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/pipes.c:reply_pipe_read_and_X(252)
  readX-IPC pnum=70eb min=2564 max=2564 nread=2564
[2006/01/06 15:20:30, 3] smbd/process.c:process_smb(1194)
  Transaction 88 of length 648
[2006/01/06 15:20:30, 3] smbd/process.c:switch_message(993)
  switch message SMBtrans (pid 21747) conn 0x832ae30
[2006/01/06 15:20:30, 3] smbd/ipc.c:reply_trans(539)
  trans <\PIPE\> data=560 params=0 setup=2
[2006/01/06 15:20:30, 3] smbd/ipc.c:named_pipe(334)
  named pipe command on <> name
[2006/01/06 15:20:30, 3] smbd/ipc.c:api_fd_reply(294)
  Got API command 0x26 on pipe "spoolss" (pnum 70ea)
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 0
[2006/01/06 15:20:30, 3] rpc_server/srv_pipe.c:api_rpcTNP(2214)
  api_rpcTNP: rpc command: SPOOLSS_SETPRINTER
[2006/01/06 15:20:30, 0] lib/fault.c:fault_report(36)
  ===============================================================
[2006/01/06 15:20:30, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 21747 (3.0.21a)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/01/06 15:20:30, 0] lib/fault.c:fault_report(39)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/01/06 15:20:30, 0] lib/fault.c:fault_report(40)
  ===============================================================
[2006/01/06 15:20:30, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
[2006/01/06 15:20:30, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 27 stack frames:
   #0 /usr/local/samba/sbin/smbd(smb_panic2+0x18c) [0x81c9e3a]
   #1 /usr/local/samba/sbin/smbd(smb_panic+0x10) [0x81c9cac]
   #2 /usr/local/samba/sbin/smbd [0x81b96ba]
   #3 /usr/local/samba/sbin/smbd [0x81b970f]
   #4 /lib/tls/libc.so.6 [0x420277b8]
   #5 /usr/local/samba/sbin/smbd(add_printer_data+0x43) [0x81ebeed]
   #6 /usr/local/samba/sbin/smbd(set_printer_dataex+0x27) [0x81294bf]
   #7 /usr/local/samba/sbin/smbd [0x812ffc6]
   #8 /usr/local/samba/sbin/smbd(_spoolss_setprinter+0x11a) [0x813027b]
   #9 /usr/local/samba/sbin/smbd [0x81230d8]
   #10 /usr/local/samba/sbin/smbd(api_rpcTNP+0x1f3) [0x814ffb1]
   #11 /usr/local/samba/sbin/smbd(api_pipe_request+0xed) [0x814fd46]
   #12 /usr/local/samba/sbin/smbd [0x814a3e0]
   #13 /usr/local/samba/sbin/smbd [0x814a583]
   #14 /usr/local/samba/sbin/smbd [0x814ab08]
   #15 /usr/local/samba/sbin/smbd [0x814acbe]
   #16 /usr/local/samba/sbin/smbd(write_to_pipe+0xd9) [0x814ac42]
   #17 /usr/local/samba/sbin/smbd [0x80913f0]
   #18 /usr/local/samba/sbin/smbd [0x80915e0]
   #19 /usr/local/samba/sbin/smbd(reply_trans+0x976) [0x8091fbe]
   #20 /usr/local/samba/sbin/smbd [0x80d0cba]
   #21 /usr/local/samba/sbin/smbd [0x80d0d44]
   #22 /usr/local/samba/sbin/smbd(process_smb+0x1b9) [0x80d103f]
   #23 /usr/local/samba/sbin/smbd(smbd_process+0x136) [0x80d1c9f]
   #24 /usr/local/samba/sbin/smbd(main+0x77d) [0x8242877]
   #25 /lib/tls/libc.so.6(__libc_start_main+0xe4) [0x42015704]
   #26 /usr/local/samba/sbin/smbd(chroot+0x31) [0x807e035]
--
Comment 3 Yasuhiro Fujii 2006-01-06 01:37:48 UTC
I checked; with the Samba version downgraded to 3.0.20b there is no problem.

Installing a new Windows printer driver is OK,
and changing to a listed installed printer driver is OK.

samba-3.0.21a has this problem.
I don't know whether samba-3.0.21 has the same problem.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2006-01-09 10:14:13 UTC
The STATUS_BUFFER_OVERFLOW is a normal message when fragmenting rpc
pdus.  I'll try to reproduce it.
Comment 5 Yasuhiro Fujii 2006-01-09 19:36:25 UTC
Thank you for the reply.
This problem is expected to be fixed.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2006-01-09 19:50:26 UTC
The crash is not fixed yet, but when I have a patch I will post
it here for you to test.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2006-01-12 16:33:47 UTC
Do you have a link to the specific print driver you are using?
Comment 8 Gerald (Jerry) Carter (dead mail address) 2006-01-12 17:18:24 UTC
Reproduced it.  Working on a fix.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2006-01-12 20:04:58 UTC
Created attachment 1678
zero printer data pointer after freeing the data
Comment 10 Gerald (Jerry) Carter (dead mail address) 2006-01-12 20:05:30 UTC
This patch fixes the crash on my box.  Please test.
Checking it in for 3.0.21b
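
The attachment title describes the fix as zeroing the printer data pointer after freeing the data. The following C sketch is an added illustration of that pattern and is not part of this bug thread or of Samba's source: every type and function name in it is hypothetical, and it assumes an add routine that allocates the container only when the owner's pointer is NULL. A static pool stands in for the heap so the stale access is reported as an error code instead of crashing.

```c
/* Added illustration: hypothetical names, not Samba source code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define MAX_VALUES 8

enum { ADD_OK = 0, ADD_STALE = -1, ADD_FULL = -2 };

/* Container for one printer's key/value settings. */
struct data_store {
    int in_use;                     /* 1 while the slot is allocated */
    size_t count;
    const char *keys[MAX_VALUES];
};

/* Owner of the container. */
struct printer_info {
    struct data_store *data;
};

/* The pool replaces malloc/free so that reading a released slot is
 * defined behaviour and the misuse can be detected deterministically. */
static struct data_store pool[POOL_SLOTS];

static struct data_store *store_alloc(void)
{
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof(pool[i]));
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Before: the store is released but the owner keeps a stale pointer. */
void release_data_unsafe(struct printer_info *info)
{
    if (info->data != NULL)
        info->data->in_use = 0;
}

/* After: release the store and zero the owner's pointer. */
void release_data_safe(struct printer_info *info)
{
    if (info->data != NULL) {
        info->data->in_use = 0;
        info->data = NULL;
    }
}

/* Adds a key, allocating the store on demand when the pointer is NULL
 * (the assumption this sketch makes about the add path). */
int add_value(struct printer_info *info, const char *key)
{
    if (info->data == NULL) {
        info->data = store_alloc();
        if (info->data == NULL)
            return ADD_FULL;
    }
    if (!info->data->in_use)
        return ADD_STALE;           /* with a real heap: use after free */
    if (info->data->count >= MAX_VALUES)
        return ADD_FULL;
    info->data->keys[info->data->count++] = key;
    return ADD_OK;
}

/* Runs set -> release -> set and returns the result of the second set. */
int replace_settings(int zero_after_free)
{
    struct printer_info info = { NULL };
    int rc;

    if (add_value(&info, "old-driver") != ADD_OK)
        return ADD_FULL;
    if (zero_after_free)
        release_data_safe(&info);
    else
        release_data_unsafe(&info);
    rc = add_value(&info, "new-driver");
    release_data_safe(&info);       /* return the slot to the pool */
    return rc;
}

int main(void)
{
    printf("pointer left dangling: rc=%d\n", replace_settings(0));
    printf("pointer zeroed:        rc=%d\n", replace_settings(1));
    return 0;
}
```

With a real allocator the `ADD_STALE` branch cannot be detected this way; the write lands in freed memory, which is why the owner's pointer has to be cleared at the point of release.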
Comment 11 Yasuhiro Fujii 2006-01-13 22:32:30 UTC
I will try today or tomorrow.
And I will report again.

Thank you very much.
Comment 12 Yasuhiro Fujii 2006-01-14 02:02:13 UTC
I patched to samba-3.0.21b and rebuilt.

1) No problem installing a new printer driver. (bug fixed)
2) No problem changing installed drivers. (bug fixed)

Thank you.
Comment 13 Yasuhiro Fujii 2006-01-14 02:05:45 UTC
Well, I have a question.
Will this patch be included in the main source tree, or
will the next samba-3.0.x include this patch?
Comment 14 Gerald (Jerry) Carter (dead mail address) 2006-01-14 06:28:22 UTC
Yes.  This patch will be in 3.0.21b