I'm getting this specific crash on an embedded ARM system (we're using libsmbclient directly), though I can reproduce a similar segfault (not sure if it's the same one as I don't have a debug build to run through gdb) on x86 using the smbclient app. This occurs when connecting to Windows Server 2003: it is an Active Directory domain controller, and the 'guest' account is enabled. If the guest account is disabled, the crash goes away.

Backtrace (ARM):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1026]
0x93b3b5f0 in set_sequence_can_delete_flag (list=0x10, mid=7, can_delete_entry=1) at libsmb/smb_signing.c:97
97          if (t->mid == mid) {
(gdb) bt
#0  0x93b3b5f0 in set_sequence_can_delete_flag (list=0x10, mid=7, can_delete_entry=1) at libsmb/smb_signing.c:97
#1  0x93b3ceb0 in client_set_trans_sign_state_off (cli=0x92d81010, mid=7) at libsmb/smb_signing.c:644
#2  0x93b8ea8c in cli_receive_trans (cli=0x92d81010, trans=37, param=0x92f9311c, param_len=0x92f93110, data=0x92f93118, data_len=0x92f93114) at libsmb/clitrans.c:324
#3  0x93b84800 in cli_api (cli=0x92d81010, param=0x92f92d0c "h", prcnt=30, mprcnt=8, data=0x0, drcnt=0, mdrcnt=65535, rparam=0x92f9311c, rprcnt=0x92f93110, rdata=0x92f93118, rdrcnt=0x92f93114) at libsmb/clirap.c:64
#4  0x93b854e8 in cli_NetServerEnum (cli=0x92d81010, workgroup=0x92f94ab0 "BAR", stype=65534, fn=0x93b63100 <list_fn>, state=0x92da2c48) at libsmb/clirap.c:239
#5  0x93b64554 in smbc_opendir_ctx (context=0x91088008, fname=0x92fa56a4 "smb://:@BAR") at libsmb/libsmbclient.c:2864
#6  0x93af1ad4 in smbc_opendir (durl=0x92fa56a4 "smb://:@BAR") at libsmb/libsmb_compat.c:316
#7  0x93af0378 in smbc_dispatch_msg (msg=0x92f94c60, ack_info=0x92f94c60) at main.c:139
#8  0x93af0614 in smbc_message_loop (fd=4) at main.c:254
#9  0x93bf8fd4 in pthread_start_thread ()
#10 0x93bf9020 in pthread_start_thread_event ()

Patch coming in a minute...
Created attachment 2189: fix-win2k3-crash.diff

I'm not sure if this is the correct fix, if returning False or True is the proper response here, or if there's something that needs to be fixed farther up in the call stack. The bug appears in both client_set_trans_sign_state_off() and client_set_trans_sign_state_on(). Local var 'data' is set to si->signing_context, which is NULL. Later in both functions, 'data' is dereferenced as an argument to set_sequence_can_delete_flag().
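The following is an added illustration of the defect shape described in this comment; it is not the attached patch and not Samba's code. The structure and function names (smb_sign_info, smb_basic_signing_context, outstanding_packet_lookup, set_sequence_can_delete_flag, and the sign_state_off_* pair) are stand-ins modelled on the backtrace, and the 16-byte padding is chosen only so that the list field lands at offset 0x10, which matches the list=0x10 argument gdb shows when a NULL context pointer has a field address taken from it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the signing state; not the real Samba layout. */
struct outstanding_packet_lookup {
    uint16_t mid;
    bool can_delete;
    struct outstanding_packet_lookup *next;
};

struct smb_basic_signing_context {
    uint8_t pad[16];  /* stand-in fields; places the list pointer at offset 16 (0x10) */
    struct outstanding_packet_lookup *outstanding_packet_list;
};

struct smb_sign_info {
    void *signing_context;  /* NULL when SMB signing was never set up for the connection */
};

/* Offset of the list field: with data == NULL, &data->outstanding_packet_list
 * evaluates to this small non-NULL value, which is what the backtrace shows. */
size_t list_field_offset(void)
{
    return offsetof(struct smb_basic_signing_context, outstanding_packet_list);
}

/* Walk the outstanding-packet list and flag the entry for `mid`.
 * Dereferences `list` unconditionally, so a bogus pointer crashes here. */
static bool set_sequence_can_delete_flag(struct outstanding_packet_lookup **list,
                                         uint16_t mid, bool can_delete)
{
    for (struct outstanding_packet_lookup *t = *list; t != NULL; t = t->next) {
        if (t->mid == mid) {
            t->can_delete = can_delete;
            return true;
        }
    }
    return false;
}

/* Guarded form: refuse to touch the list when no signing context exists.
 * Returning false here means "no outstanding entry was flagged", which is
 * the honest answer for a connection that never negotiated signing. */
bool sign_state_off_guarded(struct smb_sign_info *si, uint16_t mid)
{
    struct smb_basic_signing_context *data = si->signing_context;
    if (data == NULL) {
        return false;
    }
    return set_sequence_can_delete_flag(&data->outstanding_packet_list, mid, true);
}

/* Build a two-entry list (mids 5 and 7) and run the guarded function with or
 * without a context attached. Returns whether the entry for `mid` was flagged. */
bool demo_guarded_lookup(bool with_context, uint16_t mid)
{
    struct outstanding_packet_lookup e7 = { .mid = 7, .can_delete = false, .next = NULL };
    struct outstanding_packet_lookup e5 = { .mid = 5, .can_delete = false, .next = &e7 };
    struct smb_basic_signing_context ctx = { .outstanding_packet_list = &e5 };
    struct smb_sign_info si = { .signing_context = with_context ? &ctx : NULL };

    bool flagged = sign_state_off_guarded(&si, mid);
    /* Consistency check: a true result must correspond to a flagged entry. */
    if (flagged && mid == 7 && !e7.can_delete) {
        return false;
    }
    return flagged;
}

int main(void)
{
    printf("list field offset: 0x%zx\n", list_field_offset());
    printf("NULL context, mid 7: %s\n", demo_guarded_lookup(false, 7) ? "flagged" : "skipped");
    printf("context, mid 7:      %s\n", demo_guarded_lookup(true, 7) ? "flagged" : "skipped");
    printf("context, mid 9:      %s\n", demo_guarded_lookup(true, 9) ? "flagged" : "skipped");
    return 0;
}
```

The unguarded variant is deliberately not exercised with a NULL context, since forming &data->outstanding_packet_list from a NULL pointer is undefined behaviour; the offset function shows why gdb reports list=0x10 rather than 0x0, which is the tell-tale of this pattern when reading similar backtraces.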
Should be fixed for 3.0.23d thanks. Jeremy.