Bug 4100 - random segfault in smb_io_notify_info_data_strings
Summary: random segfault in smb_io_notify_info_data_strings
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Printing
Version: 3.0.23c
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2006-09-14 01:56 UTC by Udo Eberhardt
Modified: 2006-09-25 11:25 UTC

See Also:

Attachments:
level 10 log file of panic (bottom part) (245.48 KB, text/plain), 2006-09-14 02:01 UTC, Udo Eberhardt
patch for spoolss_notify_devmode (497 bytes, patch), 2006-09-25 06:28 UTC, Udo Eberhardt

Description Udo Eberhardt 2006-09-14 01:56:50 UTC
When spooling a print job we get a panic in the samba log file. This does not happen consistently and is not easy to reproduce. When it happens, it is at smb_io_notify_info_data_strings+0x133.

The problem is neither tied to a specific client machine nor to a specific client OS. It has been observed with Windows 2000 SP3 and SP4, and Windows XP SP2 clients.

smbd is running on x86 Debian Linux Etch (testing).

The stack trace is shown below. I will attach the bottom part of a level 10 log. The complete log is available here: www.thesycon.de/ftp_temp/temp/smbd_pid9485_segfault.log.gz

[2006/09/13 10:16:18, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 9485 (3.0.23c)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/09/13 10:16:18, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/09/13 10:16:18, 0] lib/fault.c:fault_report(45)
[2006/09/13 10:16:18, 0] lib/util.c:smb_panic(1592)
  PANIC (pid 9485): internal error
[2006/09/13 10:16:18, 0] lib/util.c:log_stack_trace(1699)
  BACKTRACE: 19 stack frames:
   #0 /usr/sbin/smbd(log_stack_trace+0x23) [0x822b763]
   #1 /usr/sbin/smbd(smb_panic+0x46) [0x822b856]
   #2 /usr/sbin/smbd [0x8219f0a]
   #3 [0xffffe420]
   #4 /usr/sbin/smbd(smb_io_notify_info_data_strings+0x133) [0x81cafb3]
   #5 /usr/sbin/smbd [0x81cb393]
   #6 /usr/sbin/smbd(spoolss_io_r_rfnpcnex+0x7f) [0x81cb66f]
   #7 /usr/sbin/smbd [0x8155010]
   #8 /usr/sbin/smbd(api_rpcTNP+0x15f) [0x818b05f]
   #9 /usr/sbin/smbd(api_pipe_request+0x183) [0x818b643]
   #10 /usr/sbin/smbd [0x818597e]
   #11 /usr/sbin/smbd [0x809bb9d]
   #12 /usr/sbin/smbd [0x809c08c]
   #13 /usr/sbin/smbd(reply_trans+0x56f) [0x809ccff]
   #14 /usr/sbin/smbd [0x80ea2f4]
   #15 /usr/sbin/smbd(smbd_process+0x6f8) [0x80eb4b8]
   #16 /usr/sbin/smbd(main+0x10df) [0x82c281f]
   #17 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xd0) [0xb7b73eb0]
   #18 /usr/sbin/smbd [0x8082a31]
[2006/09/13 10:16:18, 0] lib/util.c:smb_panic(1600)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 9485]
[2006/09/13 10:16:18, 0] lib/util.c:smb_panic(1608)
  smb_panic(): action returned status 0
[2006/09/13 10:16:18, 0] lib/fault.c:dump_core(168)
  unable to change to /var/log/samba/cores/smbdrefusing to dump core
Comment 1 Udo Eberhardt 2006-09-14 02:01:05 UTC
Created attachment 2136
level 10 log file of panic (bottom part)

Complete log file available for download at:
Comment 2 Udo Eberhardt 2006-09-25 06:28:54 UTC
Created attachment 2159
patch for spoolss_notify_devmode

We have been able to reproduce and debug the problem. The segfault happens because spoolss_notify_devmode is an empty function. At a minimum, the function should set the fields SPOOL_NOTIFY_INFO_DATA.notify_data.data.length and .string to zero. Otherwise, these contain random values (struct was returned by malloc). These random values cause smb_io_notify_info_data_strings to crash.
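To illustrate the mechanism described in the comment above, here is an added C example (not Samba's code and not the attached patch): a hypothetical notify_string_t stands in for the length/string pair, notify_devmode_empty models the empty function, notify_devmode_fixed models the zero-initialising fix, and a simplified marshaller with a plausibility check shows how the uninitialised fields surface.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the length/string pair inside
 * SPOOL_NOTIFY_INFO_DATA.notify_data.data (not Samba's real layout). */
typedef struct {
    uint32_t length;  /* number of UTF-16 units in string */
    uint16_t *string; /* heap buffer, or NULL when there is no string */
} notify_string_t;

/* Models the empty spoolss_notify_devmode: whatever malloc left behind survives. */
static void notify_devmode_empty(notify_string_t *d) { (void)d; }

/* Models the fix: devmode carries no string, so both fields are zeroed. */
static void notify_devmode_fixed(notify_string_t *d) {
    d->length = 0;
    d->string = NULL;
}

/* Simplified marshaller: bytes written, or -1 for an inconsistent entry.
 * One that trusted length blindly would memcpy from the garbage pointer. */
static int marshal_strings(const notify_string_t *d, uint8_t *out, size_t outsz) {
    if (d->length == 0) return 0;       /* nothing to emit */
    if (d->string == NULL) return -1;   /* length without a buffer */
    size_t need = (size_t)d->length * 2;
    if (need > outsz) return -1;        /* implausible length */
    memcpy(out, d->string, need);
    return (int)need;
}

/* Simulates "struct was returned by malloc" with a constructed 0xAB fill. */
static notify_string_t *alloc_garbage(void) {
    notify_string_t *d = malloc(sizeof *d);
    if (d) memset(d, 0xAB, sizeof *d);
    return d;
}

/* One notification round: -1 means garbage was caught, 0 a clean entry. */
int run_notify(bool fixed) {
    uint8_t buf[64];
    notify_string_t *d = alloc_garbage();
    if (!d) return -2;
    if (fixed) notify_devmode_fixed(d); else notify_devmode_empty(d);
    int rc = marshal_strings(d, buf, sizeof buf);
    free(d);
    return rc;
}
```

The length bound only catches garbage that happens to be implausible; a small garbage length beside a dangling pointer would still fault, which is why initialising the fields, not parsing defensively, is the real fix.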
Comment 3 Jeremy Allison 2006-09-25 11:25:14 UTC
Great catch! Applied, will be in the next release. Thanks a lot.