Bug 4612 - smbd panic when connecting from OS/2
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Hardware: x86 Linux
Priority: P3
Severity: normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-05-10 18:05 UTC by Brian Havard
Modified: 2007-12-18 20:09 UTC

Description Brian Havard 2007-05-10 18:05:56 UTC
Since upgrading to samba 3.0.24 (Debian etch), I get the following panic logged when my OS/2 box connects to it:

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1212922176 (LWP 25985)]
0xb7c528be in waitpid () from /lib/tls/libc.so.6
#0  0xb7c528be in waitpid () from /lib/tls/libc.so.6
#1  0xb7bfa699 in strtold_l () from /lib/tls/libc.so.6
#2  0xb7d8b56d in system () from /lib/tls/libpthread.so.0
#3  0x0822c07a in smb_panic (why=0x83215c3 "internal error") at lib/util.c:1608
#4  0x0821a49a in sig_fault (sig=11) at lib/fault.c:47
#5  <signal handler called>
#6  0xb7c3080b in strlen () from /lib/tls/libc.so.6
#7  0xb7c04114 in vfprintf () from /lib/tls/libc.so.6
#8  0xb7c22211 in vsnprintf () from /lib/tls/libc.so.6
#9  0x082192f3 in dbgtext (format_str=0x834b4a0 "Last message was %s\n")
    at lib/debug.c:1011
#10 0x082c1efd in exit_server_common (how=<value optimized out>, 
    reason=0x82cf820 "multiple session request not permitted")
    at smbd/server.c:664
#11 0x082c2003 in exit_server (
    explanation=0x82cf820 "multiple session request not permitted")
    at smbd/server.c:683
#12 0x080b9659 in reply_special (inbuf=0xb7a89008 "\201", outbuf=0xb7a68008 "")
    at smbd/reply.c:483
#13 0x080eb5ac in smbd_process () at smbd/process.c:1014
#14 0x082c33ff in main (argc=) at smbd/server.c:1024
Comment 1 Volker Lendecke 2007-05-11 02:12:27 UTC
Please upload a network trace of this connection attempt.

Comment 2 Brian Havard 2007-12-03 16:23:51 UTC
OK, I'll try to figure out how to do that.
However, it's pretty clear that there's a potential bad dereference in the code.

In smbd/server.c:exit_server_common() is the line
  DEBUG(0,("Last message was %s\n", LAST_MESSAGE()));

where LAST_MESSAGE() is #defined to smb_fn_name(last_message).

last_message is a global, initialised to -1.

In smb_fn_name(), the passed parameter is used as an array index for smb_messages[].
If last_message has not been changed from its initial value, smb_messages[-1].name will be returned and used as the value of the %s in the debug format string.

I would suggest doing some bounds checking in smb_fn_name() (in smbd/process.c).
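The bounds check proposed in the comment above, as an added illustration that is not Samba's code: the table `smb_messages[]`, its entry layout, the four constructed command names and the function names `smb_fn_name_checked`, `last_message_name` and `record_message` are assumptions for this example, modelled on the identifiers the report mentions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the smb_messages[] dispatch table: a few entries
   with a name and a handler pointer. One entry deliberately has no name,
   as unimplemented commands would. */
struct smb_message_entry {
    const char *name;
    void (*fn)(void);
};

#define NUM_SMB_MESSAGES 4

static const struct smb_message_entry smb_messages[NUM_SMB_MESSAGES] = {
    { "SMBmkdir",  NULL },
    { "SMBrmdir",  NULL },
    { "SMBopen",   NULL },
    { NULL,        NULL },   /* no name: must not reach a "%s" */
};

/* Mirrors the global described in the report: -1 until a command is handled. */
static int last_message = -1;

/* Bounds-checked lookup. A negative index (including the initial -1), an
   index past the table, or an entry without a name never dereferences
   table memory; a fixed string is returned that is safe to print with "%s". */
const char *smb_fn_name_checked(int type)
{
    if (type < 0 || type >= NUM_SMB_MESSAGES || smb_messages[type].name == NULL)
        return "SMBunknown";
    return smb_messages[type].name;
}

/* Safe form of the exit path's log line. Returns the name rather than
   printing it so callers can inspect it. */
const char *last_message_name(void)
{
    return smb_fn_name_checked(last_message);
}

void record_message(int type) { last_message = type; }

int main(void)
{
    /* Before any request is processed, unchecked code reads smb_messages[-1]. */
    printf("Last message was %s\n", last_message_name());
    record_message(2);
    printf("Last message was %s\n", last_message_name());
    return 0;
}
```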
Comment 3 Jeremy Allison 2007-12-18 20:09:14 UTC
Fixed for 3.0.28a and beyond.