Since upgrading to samba 3.0.24 (Debian etch), I get the following panic logged when my OS/2 box connects to it:

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1212922176 (LWP 25985)]
0xb7c528be in waitpid () from /lib/tls/libc.so.6
#0  0xb7c528be in waitpid () from /lib/tls/libc.so.6
#1  0xb7bfa699 in strtold_l () from /lib/tls/libc.so.6
#2  0xb7d8b56d in system () from /lib/tls/libpthread.so.0
#3  0x0822c07a in smb_panic (why=0x83215c3 "internal error") at lib/util.c:1608
#4  0x0821a49a in sig_fault (sig=11) at lib/fault.c:47
#5  <signal handler called>
#6  0xb7c3080b in strlen () from /lib/tls/libc.so.6
#7  0xb7c04114 in vfprintf () from /lib/tls/libc.so.6
#8  0xb7c22211 in vsnprintf () from /lib/tls/libc.so.6
#9  0x082192f3 in dbgtext (format_str=0x834b4a0 "Last message was %s\n") at lib/debug.c:1011
#10 0x082c1efd in exit_server_common (how=<value optimized out>, reason=0x82cf820 "multiple session request not permitted") at smbd/server.c:664
#11 0x082c2003 in exit_server (explanation=0x82cf820 "multiple session request not permitted") at smbd/server.c:683
#12 0x080b9659 in reply_special (inbuf=0xb7a89008 "\201", outbuf=0xb7a68008 "") at smbd/reply.c:483
#13 0x080eb5ac in smbd_process () at smbd/process.c:1014
#14 0x082c33ff in main (argc=) at smbd/server.c:1024
Please upload a network trace of this connection attempt.

Volker
OK, I'll try to figure out how to do that. However, it's pretty clear that there's a potential bad dereference in the code. In smbd/server.c:exit_server_common() is the line

    DEBUG(0,("Last message was %s\n", LAST_MESSAGE()));

where LAST_MESSAGE() is #defined to smb_fn_name(last_message). last_message is a global, initialised to -1. In smb_fn_name(), the passed parameter is used as an array index for smb_messages[]. If last_message has not been changed from its initial value, smb_messages[-1].name will be returned and used as the value of the %s in the debug format string. I would suggest doing some bounds checking in smb_fn_name() (in smbd/process.c).
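The failure mode described in the comment above, as an added illustration that is not Samba's own code: a constructed stand-in for the smb_messages[] table, the global that starts at -1, the unchecked lookup that walks off the front of the array, and a bounds-checked smb_fn_name() of the kind the comment suggests (the table contents, the "SMBunknown" fallback and the NULL-name check are assumptions, not taken from the Samba source).

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed, hypothetical subset of Samba's smb_messages[] dispatch
 * table; the real one lives in smbd/process.c and has 256 entries. */
struct smb_message_struct {
    const char *name;
};

static const struct smb_message_struct smb_messages[] = {
    { "SMBmkdir" },   /* 0x00 */
    { "SMBrmdir" },   /* 0x01 */
    { "SMBopen" },    /* 0x02 */
    { NULL },         /* 0x03: unused opcode in this constructed table */
};
#define NUM_SMB_MESSAGES (sizeof(smb_messages) / sizeof(smb_messages[0]))

/* Mirrors the global from the report: -1 until the first message is
 * dispatched, so a session rejected in reply_special() never updates it. */
int last_message = -1;

/* Unchecked lookup as described in the report: with type == -1 this reads
 * one element before the array, and the garbage pointer is what strlen()
 * in the backtrace chokes on. Defined here for comparison only; not called. */
const char *smb_fn_name_unchecked(int type)
{
    return smb_messages[type].name;
}

/* Bounds-checked lookup: rejects negative and out-of-range indexes and
 * never hands vfprintf() a NULL for %s. */
const char *smb_fn_name(int type)
{
    if (type < 0 || (size_t)type >= NUM_SMB_MESSAGES)
        return "SMBunknown";
    if (smb_messages[type].name == NULL)
        return "SMBunknown";
    return smb_messages[type].name;
}

int main(void)
{
    /* Same DEBUG line as exit_server_common(), with last_message still -1. */
    printf("Last message was %s\n", smb_fn_name(last_message));
    last_message = 2;
    printf("Last message was %s\n", smb_fn_name(last_message));
    return 0;
}
```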
Fixed for 3.0.28a and beyond. Thanks, Jeremy.