Hi, I have encountered a segv when attempting to do a share listing from smbclient to my samba server. The server only has one share; however, I get the following in the logs:

[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/substitute.c:alloc_sub_basic(521)
  alloc_sub_basic: NULL source string! This should not happen
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/fault.c:fault_report(36)
  ===============================================================
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 1290 (3.0.10-1.4E.12.2a)
  Please read the appendix Bugs of the Samba HOWTO collection
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/fault.c:fault_report(39)
  ===============================================================
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/util.c:smb_panic2(1504)
  PANIC: internal error
[2007/07/11 15:26:00, 0, effective(52393, 52), real(52393, 0)] lib/util.c:smb_panic2(1512)
  BACKTRACE: 14 stack frames:
   #0 smbd(smb_panic2+0x8a) [0xb4f640]
   #1 smbd(smb_panic+0x19) [0xb4f86c]
   #2 smbd [0xb3bd8f]
   #3 /lib/tls/libc.so.6 [0x63d898]
   #4 smbd(push_ascii_fstring+0x28) [0xb39ec1]
   #5 smbd [0x9f1e89]
   #6 smbd(api_reply+0x25e) [0x9f6f5a]
   #7 smbd(reply_trans+0x64f) [0x9ed6a1]
   #8 smbd [0xa385e2]
   #9 smbd(process_smb+0x19b) [0xa38a1c]
   #10 smbd(smbd_process+0x15f) [0xa39744]
   #11 smbd(main+0x875) [0xbcc087]
   #12 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x62ade3]
   #13 smbd [0x9d82d1]

After taking a look at the core I got the following:

(gdb) where
#0  0x00c957a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x006a07d3 in __waitpid_nocancel () from /lib/tls/libc.so.6
#2  0x0064a649 in do_system () from /lib/tls/libc.so.6
#3  0x00b4f736 in smb_panic2 (why=0xfffffe00 <Address 0xfffffe00 out of bounds>, decrement_pid_count=1) at lib/util.c:1495
#4  0x00b4f86c in smb_panic (why=0xfffffe00 <Address 0xfffffe00 out of bounds>) at lib/util.c:1454
#5  0x00b3bd8f in sig_fault (sig=-512) at lib/fault.c:41
#6  <signal handler called>
#7  0x00b39de4 in push_ascii (dest=0x0, src=0x0, dest_len=256, flags=1) at lib/charcnv.c:839
#8  0x00b39ec1 in push_ascii_fstring (dest=0x0, src=0x0) at lib/charcnv.c:860
#9  0x009f1e89 in api_RNetShareEnum (conn=0x8e17868, vuid=100, param=0x8dbd210 "", data=0x0, mdrcnt=0, mprcnt=1024, rdata=0xbfe9180c, rparam=0xbfe91810, rdata_len=0xbfe91814, rparam_len=0xbfe91818) at smbd/lanman.c:1504
#10 0x009f6f5a in api_reply (conn=0x8e17868, vuid=100, outbuf=0xb7bad008 "", data=0x0, params=0x8dbd210 "", tdscnt=0, tpscnt=0, mdrcnt=65504, mprcnt=1024) at smbd/lanman.c:3610
#11 0x009ed6a1 in reply_trans (conn=0x8e17868, inbuf=0xb7bce008 "", outbuf=0xb7bad008 "", size=113, bufsize=65535) at smbd/ipc.c:336
#12 0x00a385e2 in switch_message (type=37, inbuf=0xb7bce008 "", outbuf=0xb7bad008 "", size=113, bufsize=0) at smbd/process.c:968
#13 0x00a38a1c in process_smb (inbuf=0xb7bce008 "", outbuf=0xb7bad008 "") at smbd/process.c:998
#14 0x00a39744 in smbd_process () at smbd/process.c:1560
#15 0x00bcc087 in main (argc=2, argv=0xbfe92f24) at smbd/server.c:913
....
(gdb) up
#7  0x00b39de4 in push_ascii (dest=0x0, src=0x0, dest_len=256, flags=1) at lib/charcnv.c:839
839             size_t src_len = strlen(src);
(gdb) list
834      * @param dest_len the maximum length in bytes allowed in the
835      * destination. If @p dest_len is -1 then no maximum is used.
836      **/
837     size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
838     {
839             size_t src_len = strlen(src);
840             pstring tmpbuf;
841
842             /* treat a pstring as "unlimited" length */
843             if (dest_len == (size_t)-1)
(gdb) up
#8  0x00b39ec1 in push_ascii_fstring (dest=0x0, src=0x0) at lib/charcnv.c:860
860             return push_ascii(dest, src, sizeof(fstring), STR_TERMINATE);
(gdb) list
855             return convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, True);
856     }
857
858     size_t push_ascii_fstring(void *dest, const char *src)
859     {
860             return push_ascii(dest, src, sizeof(fstring), STR_TERMINATE);
861     }
862
863     size_t push_ascii_pstring(void *dest, const char *src)
864     {
(gdb)

Seems the line "size_t src_len = strlen(src);" is causing the segv. Please let me know if you want a core file.
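To make the failure mode in the report above concrete, here is a small added illustration; it is not Samba code, and the names copy_unchecked, copy_checked and the FSTRING_LEN constant are hypothetical. It mirrors the crashing pattern (strlen on a possibly NULL source when filling a fixed-size 256-byte buffer, as in the push_ascii_fstring frame) next to a variant that rejects a NULL source instead of dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer type, sized like the 256-byte
 * sizeof(fstring) seen in the backtrace. Not Samba's definition. */
#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];

/* Unchecked pattern, as in the crashing frame: strlen(src) with src == NULL
 * reads address 0 and the process dies with SIGSEGV. Copies src into dest,
 * truncating to dest_len - 1 bytes, always NUL-terminating.
 * Returns the number of bytes written including the terminator. */
size_t copy_unchecked(char *dest, const char *src, size_t dest_len)
{
    size_t src_len = strlen(src);          /* faults if src == NULL */
    if (src_len >= dest_len)
        src_len = dest_len - 1;
    memcpy(dest, src, src_len);
    dest[src_len] = '\0';
    return src_len + 1;
}

/* Guarded variant (hypothetical convention): a NULL source is logged,
 * dest becomes the empty string, and 0 is returned so the caller can
 * tell that nothing was converted. Other inputs go through the same
 * copy as above. */
size_t copy_checked(char *dest, const char *src, size_t dest_len)
{
    if (dest == NULL || dest_len == 0)
        return 0;
    if (src == NULL) {
        fprintf(stderr, "copy_checked: NULL source string, writing \"\"\n");
        dest[0] = '\0';
        return 0;
    }
    return copy_unchecked(dest, src, dest_len);
}

int main(void)
{
    fstring out;

    copy_checked(out, "public", sizeof(out));   /* constructed share name */
    printf("[%s]\n", out);

    copy_checked(out, NULL, sizeof(out));       /* would segfault unchecked */
    printf("[%s]\n", out);
    return 0;
}
```

The check belongs in the callee because, as the backtrace shows, the NULL comes from a caller several frames up (the share enumeration path) and the conversion routine is the last place that can refuse it before the dereference.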
3.0.10 is *ancient*. Please use a recent version. If you can reproduce the segfault with 3.0.25b, please re-open this bug.

Volker