The Samba-Bugzilla – Bug 4612
smbd panic when connecting from OS/2
Last modified: 2007-12-18 20:09:14 UTC
Since upgrading to samba 3.0.24 (Debian etch), I get the following panic logged when my OS/2 box connects to it:
Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1212922176 (LWP 25985)]
0xb7c528be in waitpid () from /lib/tls/libc.so.6
#0 0xb7c528be in waitpid () from /lib/tls/libc.so.6
#1 0xb7bfa699 in strtold_l () from /lib/tls/libc.so.6
#2 0xb7d8b56d in system () from /lib/tls/libpthread.so.0
#3 0x0822c07a in smb_panic (why=0x83215c3 "internal error") at lib/util.c:1608
#4 0x0821a49a in sig_fault (sig=11) at lib/fault.c:47
#5 <signal handler called>
#6 0xb7c3080b in strlen () from /lib/tls/libc.so.6
#7 0xb7c04114 in vfprintf () from /lib/tls/libc.so.6
#8 0xb7c22211 in vsnprintf () from /lib/tls/libc.so.6
#9 0x082192f3 in dbgtext (format_str=0x834b4a0 "Last message was %s\n")
#10 0x082c1efd in exit_server_common (how=<value optimized out>,
reason=0x82cf820 "multiple session request not permitted")
#11 0x082c2003 in exit_server (
explanation=0x82cf820 "multiple session request not permitted")
#12 0x080b9659 in reply_special (inbuf=0xb7a89008 "\201", outbuf=0xb7a68008 "")
#13 0x080eb5ac in smbd_process () at smbd/process.c:1014
#14 0x082c33ff in main (argc=) at smbd/server.c:1024
Please upload a network trace of this connection attempt.
ok, I'll try to figure out how to do that.
However, it's pretty clear that there's a potential bad dereference in the code.
In smbd/server.c:exit_server_common() is the line
DEBUG(0,("Last message was %s\n", LAST_MESSAGE()));
where LAST_MESSAGE() is #defined to smb_fn_name(last_message).
last_message is a global, initialised to -1.
In smb_fn_name(), the passed parameter is used as an array index for smb_messages.
If last_message has not been changed from its initial value, smb_messages[-1].name will be returned and used as the value of the %s in the debug format string.
I would suggest doing some bounds checking in smb_fn_name() (in smbd/process.c).
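The pattern the comment above describes, reduced to a small stand-alone C program so the failure and the suggested fix can be seen side by side. This is an added example, not Samba's code: the table contents, the constant NUM_MESSAGES, and the function names smb_fn_name_unchecked, smb_fn_name_checked and format_last_message are all constructed for illustration, and the "%s" formatting is done into a caller-supplied buffer rather than through Samba's DEBUG() macro.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, shortened stand-in for Samba's smb_messages[] dispatch
 * table: an array indexed by SMB command number. The entries here are
 * hypothetical and are not the real table. */
struct smb_message_struct {
    const char *name;
    int (*fn)(void);
};

#define NUM_MESSAGES 4

static const struct smb_message_struct smb_messages[NUM_MESSAGES] = {
    { "SMBmkdir",  NULL },
    { "SMBrmdir",  NULL },
    { "SMBopen",   NULL },
    { "SMBcreate", NULL },
};

/* Global, initialised to -1 just as the bug report describes: nothing
 * has updated it yet if the connection is rejected before the first
 * real SMB request is dispatched. */
static int last_message = -1;

/* The pattern described in the report: the index is used unchecked, so a
 * call with type == -1 reads smb_messages[-1].name, one element before the
 * start of the array, and hands that garbage pointer to "%s" (strlen). */
const char *smb_fn_name_unchecked(int type)
{
    return smb_messages[type].name;
}

/* Bounds-checked lookup: any index outside the table, or a table slot with
 * no name, yields a fixed string so the format string never sees a bad
 * pointer. */
const char *smb_fn_name_checked(int type)
{
    if (type < 0 || type >= NUM_MESSAGES || smb_messages[type].name == NULL) {
        return "SMBunknown";
    }
    return smb_messages[type].name;
}

/* Mirrors the shape of the DEBUG(0,("Last message was %s\n", ...)) line,
 * writing into a caller-supplied buffer. Returns the number of bytes
 * snprintf would have written. */
int format_last_message(char *buf, size_t buflen, int type)
{
    return snprintf(buf, buflen, "Last message was %s\n",
                    smb_fn_name_checked(type));
}

int main(void)
{
    char buf[64];

    /* Early teardown: last_message still holds its initial -1. */
    format_last_message(buf, sizeof(buf), last_message);
    fputs(buf, stdout);   /* Last message was SMBunknown */

    /* After a real request has been dispatched. */
    last_message = 2;
    format_last_message(buf, sizeof(buf), last_message);
    fputs(buf, stdout);   /* Last message was SMBopen */
    return 0;
}
```

The check in smb_fn_name_checked() is the whole fix: the caller in the teardown path does not need to know whether a request was ever processed, and an out-of-range index degrades to a harmless placeholder instead of a read before the array and a crash inside strlen(), which is exactly where frame #6 of the backtrace sits.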
Fixed for 3.0.28a and beyond.