Bug 5088 - Segfault in smbd - "PANIC (pid nnn): push_ascii - dest_len == -1"
Summary: Segfault in smbd - "PANIC (pid nnn): push_ascii - dest_len == -1"
Status: RESOLVED DUPLICATE of bug 5087
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Extended Characters
Version: 3.0.27
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Alexander Bokovoy
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2007-11-16 16:24 UTC by Kris Karas
Modified: 2007-11-16 16:26 UTC

See Also:


Description Kris Karas 2007-11-16 16:24:24 UTC
The patch made by Jerry Carter to fix CVE-2007-457 patched source/lib/charcnv.c (git index 8d5fbc8..2341429 100644).  That patch is causing smbd to segfault when a client accesses the mounted filesystem handled by smbd.  In my particular case, here's what happened:

Client machine:
    poltergeist:~# mount -r -t smbfs -o guest //lamppost/slackware /mnt/slack
    Anonymous login successful
    poltergeist:~# cd /mnt/slack
    poltergeist:/mnt/slack# ls
    /bin/ls: reading directory .: Input/output error
    poltergeist:/mnt/slack#

Server machine:
    lamppost:/var/log/samba# smbd -i
    smbd version 3.0.27 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2007
    PANIC (pid 28945): push_ascii - dest_len == -1
    BACKTRACE: 16 stack frames:
     #0 smbd(log_stack_trace+0x26) [0x822daba]
     #1 smbd(smb_panic+0x76) [0x822d953]
     #2 smbd(push_ascii+0x44) [0x8218c7d]
     #3 smbd(push_string_fn+0x4b) [0x8219579]
     #4 smbd(srvstr_push_fn+0x65) [0x80e43bd]
     #5 smbd [0x80cd515]
     #6 smbd [0x80cdfa3]
     #7 smbd(handle_trans2+0xb6) [0x80d7f18]
     #8 smbd(reply_trans2+0x62e) [0x80d87f6]
     #9 smbd [0x80f2033]
     #10 smbd [0x80f20cd]
     #11 smbd [0x80f22f6]
     #12 smbd(smbd_process+0x16e) [0x80f30a5]
     #13 smbd(main+0x8d0) [0x82dbaa9]
     #14 /lib/tls/libc.so.6(__libc_start_main+0xdb) [0xb7af7fcb]
     #15 smbd [0x8089751]
    dumping core in /var/log/samba/cores/smbd
    Aborted
    lamppost:/var/log/samba# ls /var/log/samba/cores/smbd
    lamppost:/var/log/samba# ulimit -c
    unlimited
    lamppost:/var/log/samba#

Samba versions 3.0.26a and previous work just fine.
Comment 1 Jeremy Allison 2007-11-16 16:26:26 UTC

*** This bug has been marked as a duplicate of 5087 ***