Bug 4774 - Signal 11 in push_ascii() lib/charcnv.c:839
Status: RESOLVED WONTFIX
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.10
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-07-11 04:49 UTC by Daniel Appleby
Modified: 2007-07-11 05:01 UTC (History)
Description Daniel Appleby 2007-07-11 04:49:03 UTC
Hi, I have encountered a segv when attempting to do a share listing from smbclient to my samba server. The server only has one share, however I get the following in the logs:

[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/substitute.c:alloc_sub_basic(521)
  alloc_sub_basic: NULL source string!  This should not happen
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/fault.c:fault_report(36)
  ===============================================================
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 1290 (3.0.10-1.4E.12.2a)
  Please read the appendix Bugs of the Samba HOWTO collection
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/fault.c:fault_report(39)
  ===============================================================
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/util.c:smb_panic2(1504)
  PANIC: internal error
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/util.c:smb_panic2(1512)
  BACKTRACE: 14 stack frames:
   #0 smbd(smb_panic2+0x8a) [0xb4f640]
   #1 smbd(smb_panic+0x19) [0xb4f86c]
   #2 smbd [0xb3bd8f]
   #3 /lib/tls/libc.so.6 [0x63d898]
   #4 smbd(push_ascii_fstring+0x28) [0xb39ec1]
   #5 smbd [0x9f1e89]
   #6 smbd(api_reply+0x25e) [0x9f6f5a]
   #7 smbd(reply_trans+0x64f) [0x9ed6a1]
   #8 smbd [0xa385e2]
   #9 smbd(process_smb+0x19b) [0xa38a1c]
   #10 smbd(smbd_process+0x15f) [0xa39744]
   #11 smbd(main+0x875) [0xbcc087]
   #12 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x62ade3]
   #13 smbd [0x9d82d1]

After taking a look at the core I got the following:
(gdb) where
#0  0x00c957a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x006a07d3 in __waitpid_nocancel () from /lib/tls/libc.so.6
#2  0x0064a649 in do_system () from /lib/tls/libc.so.6
#3  0x00b4f736 in smb_panic2 (why=0xfffffe00 <Address 0xfffffe00 out of bounds>, decrement_pid_count=1) at lib/util.c:1495
#4  0x00b4f86c in smb_panic (why=0xfffffe00 <Address 0xfffffe00 out of bounds>) at lib/util.c:1454
#5  0x00b3bd8f in sig_fault (sig=-512) at lib/fault.c:41
#6  <signal handler called>
#7  0x00b39de4 in push_ascii (dest=0x0, src=0x0, dest_len=256, flags=1) at lib/charcnv.c:839
#8  0x00b39ec1 in push_ascii_fstring (dest=0x0, src=0x0) at lib/charcnv.c:860
#9  0x009f1e89 in api_RNetShareEnum (conn=0x8e17868, vuid=100, param=0x8dbd210 "", data=0x0, mdrcnt=0, mprcnt=1024, rdata=0xbfe9180c,
    rparam=0xbfe91810, rdata_len=0xbfe91814, rparam_len=0xbfe91818) at smbd/lanman.c:1504
#10 0x009f6f5a in api_reply (conn=0x8e17868, vuid=100, outbuf=0xb7bad008 "", data=0x0, params=0x8dbd210 "", tdscnt=0, tpscnt=0, mdrcnt=65504,
    mprcnt=1024) at smbd/lanman.c:3610
#11 0x009ed6a1 in reply_trans (conn=0x8e17868, inbuf=0xb7bce008 "", outbuf=0xb7bad008 "", size=113, bufsize=65535) at smbd/ipc.c:336
#12 0x00a385e2 in switch_message (type=37, inbuf=0xb7bce008 "", outbuf=0xb7bad008 "", size=113, bufsize=0) at smbd/process.c:968
#13 0x00a38a1c in process_smb (inbuf=0xb7bce008 "", outbuf=0xb7bad008 "") at smbd/process.c:998
#14 0x00a39744 in smbd_process () at smbd/process.c:1560
#15 0x00bcc087 in main (argc=2, argv=0xbfe92f24) at smbd/server.c:913
....

(gdb) up
#7  0x00b39de4 in push_ascii (dest=0x0, src=0x0, dest_len=256, flags=1) at lib/charcnv.c:839
839             size_t src_len = strlen(src);
(gdb) list
834      * @param dest_len the maximum length in bytes allowed in the
835      * destination.  If @p dest_len is -1 then no maximum is used.
836      **/
837     size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
838     {
839             size_t src_len = strlen(src);
840             pstring tmpbuf;
841
842             /* treat a pstring as "unlimited" length */
843             if (dest_len == (size_t)-1)
(gdb) up
#8  0x00b39ec1 in push_ascii_fstring (dest=0x0, src=0x0) at lib/charcnv.c:860
860             return push_ascii(dest, src, sizeof(fstring), STR_TERMINATE);
(gdb) list
855             return convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, True);
856     }
857
858     size_t push_ascii_fstring(void *dest, const char *src)
859     {
860             return push_ascii(dest, src, sizeof(fstring), STR_TERMINATE);
861     }
862
863     size_t push_ascii_pstring(void *dest, const char *src)
864     {
(gdb)


It seems the line "size_t src_len = strlen(src);" is causing the segv.
Please let me know if you want a core file.
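The backtrace shows api_RNetShareEnum handing push_ascii_fstring a NULL src, and charcnv.c:839 calling strlen on it before anything else. The following is an added, simplified illustration of that pattern and of the defensive check that avoids it; it is not Samba's code. It assumes a 256-byte fstring (the dest_len=256 in the trace), a constructed STR_TERMINATE value, and a plain byte copy in place of Samba's CH_UNIX to CH_DOS conversion.

```c
#include <stddef.h>
#include <string.h>
/* Stand-in for Samba's fstring: 256 bytes, matching dest_len=256 in the trace. */
#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];
#define STR_TERMINATE 1   /* constructed flag value; means: always NUL-terminate */

/* Faulting shape: as at charcnv.c:839, strlen(src) runs before any check,
 * so src == NULL (what api_RNetShareEnum passed here) is the SIGSEGV.
 * Plain byte copy stands in for the CH_UNIX -> CH_DOS conversion. */
size_t push_ascii_unchecked(void *dest, const char *src, size_t dest_len, int flags)
{
    size_t n = strlen(src);                  /* faults when src == NULL */
    char *d = dest;
    if (flags & STR_TERMINATE) {
        if (n >= dest_len) n = dest_len - 1; /* leave room for the NUL */
        memcpy(d, src, n);
        d[n] = '\0';
        return n + 1;                        /* bytes written, NUL included */
    }
    if (n > dest_len) n = dest_len;
    memcpy(d, src, n);
    return n;
}
/* Hardened shape: validate both pointers first. A NULL source becomes the
 * empty string so dest is still terminated; a NULL dest writes nothing. */
size_t push_ascii_checked(void *dest, const char *src, size_t dest_len, int flags)
{
    if (dest == NULL || dest_len == 0) return 0;
    if (src == NULL) src = "";
    return push_ascii_unchecked(dest, src, dest_len, flags);
}

size_t push_ascii_fstring_checked(void *dest, const char *src)
{
    return push_ascii_checked(dest, src, sizeof(fstring), STR_TERMINATE);
}
/* Self-checks; each returns 1 when the hardened path behaves as intended. */
int check_null_source(void)
{
    fstring buf; memset(buf, 'X', sizeof(buf));
    return push_ascii_fstring_checked(buf, NULL) == 1 && buf[0] == '\0';
}
int check_long_source(void)
{
    fstring buf; char big[400];
    memset(big, 'A', sizeof(big) - 1); big[sizeof(big) - 1] = '\0';
    return push_ascii_fstring_checked(buf, big) == FSTRING_LEN
        && buf[FSTRING_LEN - 1] == '\0' && strlen(buf) == FSTRING_LEN - 1;
}
```

The checks cover the two inputs that matter for this report: a NULL source, which the unchecked version would fault on, and an over-long source, which must be truncated with the terminator kept inside the fixed buffer.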
Comment 1 Volker Lendecke 2007-07-11 05:01:31 UTC
3.0.10 is *ancient*. Please use a recent version. If you can reproduce the segfault with 3.0.25b, please re-open this bug.

Volker