4612 – smbd panic when connecting from OS/2

Bug 4612 - smbd panic when connecting from OS/2

Summary: smbd panic when connecting from OS/2

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	File Services (show other bugs)
Version:	3.0.24
Hardware:	x86 Linux

Importance:	P3 normal
Target Milestone:	none
Assignee:	Samba Bugzilla Account
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2007-05-10 18:05 UTC by Brian Havard
Modified:	2007-12-18 20:09 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brian Havard 2007-05-10 18:05:56 UTC

Since upgrading to samba 3.0.24 (Debian etch), I get the following panic logged when my OS/2 box connects to it:

Using host libthread_db library "/lib/tls/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1212922176 (LWP 25985)]
0xb7c528be in waitpid () from /lib/tls/libc.so.6
#0  0xb7c528be in waitpid () from /lib/tls/libc.so.6
#1  0xb7bfa699 in strtold_l () from /lib/tls/libc.so.6
#2  0xb7d8b56d in system () from /lib/tls/libpthread.so.0
#3  0x0822c07a in smb_panic (why=0x83215c3 "internal error") at lib/util.c:1608
#4  0x0821a49a in sig_fault (sig=11) at lib/fault.c:47
#5  <signal handler called>
#6  0xb7c3080b in strlen () from /lib/tls/libc.so.6
#7  0xb7c04114 in vfprintf () from /lib/tls/libc.so.6
#8  0xb7c22211 in vsnprintf () from /lib/tls/libc.so.6
#9  0x082192f3 in dbgtext (format_str=0x834b4a0 "Last message was %s\n")
    at lib/debug.c:1011
#10 0x082c1efd in exit_server_common (how=<value optimized out>, 
    reason=0x82cf820 "multiple session request not permitted")
    at smbd/server.c:664
#11 0x082c2003 in exit_server (
    explanation=0x82cf820 "multiple session request not permitted")
    at smbd/server.c:683
#12 0x080b9659 in reply_special (inbuf=0xb7a89008 "\201", outbuf=0xb7a68008 "")
    at smbd/reply.c:483
#13 0x080eb5ac in smbd_process () at smbd/process.c:1014
#14 0x082c33ff in main (argc=) at smbd/server.c:1024

Comment 1 Volker Lendecke 2007-05-11 02:12:27 UTC

Please upload a network trace of this connection attempt.

Volker

Comment 2 Brian Havard 2007-12-03 16:23:51 UTC

ok, I'll try to figure out how to do that.
However, it's pretty clear that there's a potential bad dereference in the code.

In smbd/server.c:exit_server_common() is the line
  DEBUG(0,("Last message was %s\n", LAST_MESSAGE()));

where LAST_MESSAGE() is #defined to smb_fn_name(last_message).

last_message is a global, initialised to -1.

In smb_fn_name(), the passed parameter is used as an array index for smb_messages[].
If last_message has not been changed from its initial value, smb_messages[-1].name will be returned and used as the value of the %s in the debug format string.

I would suggest doing some bounds checking in smb_fn_name() (in smbd/process.c).

Comment 3 Jeremy Allison 2007-12-18 20:09:14 UTC

Fixed for 3.0.28a and beyond.
Thanks,
Jeremy.