Bug 5664 - Segfault when using Guest account w/o password
Summary: Segfault when using Guest account w/o password
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Andrew Bartlett
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-02 13:41 UTC by Tom
Modified: 2008-08-08 11:05 UTC

See Also:


Description Tom 2008-08-02 13:41:12 UTC
Hi, when I use samba4 with the following setup:
[globals]
	netbios name   = leto
	workgroup      = localhost
	realm          = localhost
	server role    = standalone
	smb ports      = 9445 9139
	web port       = 9901
	nbt port       = 9137
	null passwords = yes

[test]
	path = /tmp

and setting the userAccountControl for the guest account to 66080, i.e. normal user + no pwd + don't expire, I get a segfault whenever I try a login:

Account for user 'Guest' has no password and null passwords are allowed.
authsam_account_ok: Checking SMB password for user Guest
logon_hours_ok: No hours restrictions for user Guest
auth_check_password_recv: sam_ignoredomain authentication for user [LOCALHOST\Guest] succeeded
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INTERNAL ERROR: Signal 11 in pid 1148 (4.0.0alpha4)
Please read the file BUGS.txt in the distribution
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PANIC: internal error
BACKTRACE: 20 stack frames:
 #0 smbd(call_backtrace+0x2b) [0x88b4153]
 #1 smbd(smb_panic+0x2a4) [0x88b44cb]
 #2 smbd [0x88b4666]
 #3 smbd(fault_setup+0) [0x88b469b]
 #4 [0xb7fcc420]
 #5 smbd(_talloc_reference+0x37) [0x891b281]
 #6 smbd [0x85aa8b0]
 #7 smbd(ntlmssp_server_auth+0x14f) [0x85aa4dc]
 #8 smbd [0x85a5c3c]
 #9 smbd(gensec_update+0x3a) [0x88ee976]
 #10 smbd [0x85b15b4]
 #11 smbd [0x88ee9f1]
 #12 smbd(common_event_loop_timer_delay+0x195) [0x89010ea]
 #13 smbd [0x87deb45]
 #14 smbd [0x87debf7]
 #15 smbd(event_loop_wait+0x16) [0x8900cbc]
 #16 smbd [0x80ece83]
 #17 smbd(main+0x38) [0x80ecede]
 #18 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0) [0xb7cbe450]
 #19 smbd [0x80ec101]
Aborted
Comment 1 Matthias Dieter Wallnöfer 2008-08-07 13:42:11 UTC
Interesting. To help us more, clean up your source tree ("make clean"), reconfigure with "./configure.developer" to enable debug labels, and rebuild.
Launch SAMBA using "gdb --args smbd -i -M single". In gdb, enable logging with the command "set logging on" and type "run" (all commands naturally have to be confirmed with Enter). Reproduce the fault case and type "bt full" at the gdb prompt. Then kill the program using "quit".
Post us the "gdb.txt" logfile created in your work directory.
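The capture procedure above, written out as a non-interactive script. This is an added example, not part of the bug report or of Samba: it writes the gdb commands from the comment to a command file and runs gdb in batch mode so the session is reproducible. The source-tree location (SAMBA_SRC, defaulting to ./source4) and the binary path bin/smbd are assumptions; adjust them for your checkout. Because gdb blocks in "run" until smbd stops, the failing login is reproduced from a second terminal while the script waits.

```shell
#!/bin/sh
# Added example: batch version of the gdb capture steps from Comment 1.
# Assumptions (not from the page): the tree lives in $SAMBA_SRC and the
# built server is $SAMBA_SRC/bin/smbd.
SAMBA_SRC="${SAMBA_SRC:-./source4}"
SMBD="${SAMBA_SRC}/bin/smbd"

# Write the gdb commands to a file. "set logging on" makes gdb copy its
# output to gdb.txt in the working directory, which is the file to attach.
write_gdb_commands() {
    out="$1"
    cat > "$out" <<'EOF'
set pagination off
set logging file gdb.txt
set logging overwrite on
set logging on
run
bt full
quit
EOF
}

# Rebuild with debug symbols, then run smbd interactively in the single
# process model under gdb so the crashing process is the one being traced.
# gdb waits in "run" until the fault; reproduce the login from another shell.
capture_backtrace() {
    cmdfile="$1"
    write_gdb_commands "$cmdfile" || return 1
    (cd "$SAMBA_SRC" && make clean && ./configure.developer && make) || return 1
    gdb -batch -x "$cmdfile" --args "$SMBD" -i -M single
}

# Only build and launch gdb when the tree is actually present.
if [ -f "$SAMBA_SRC/configure.developer" ]; then
    capture_backtrace ./gdb-commands.txt
fi
```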
Comment 2 Tom 2008-08-07 16:11:14 UTC
> Post us the "gdb.txt" logfile created in your work directory.

Ta for the detailed instructions :)

Just a bt dump; I hope the formatting doesn't break too badly:

[Thread debugging using libthread_db enabled]
[New Thread 0xb7c756b0 (LWP 22043)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c756b0 (LWP 22043)]
0x089365f9 in talloc_chunk_from_ptr (ptr=0x50) at lib/talloc/talloc.c:148
148		if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~0xF)) != TALLOC_MAGIC)) { 
#0  0x089365f9 in talloc_chunk_from_ptr (ptr=0x50) at lib/talloc/talloc.c:148
	pp = 0x50 <Address 0x50 out of bounds>
	tc = (struct talloc_chunk *) 0x20
#1  0x08936a99 in _talloc_reference (context=0x8d3be60, ptr=0x50) at lib/talloc/talloc.c:450
	tc = (struct talloc_chunk *) 0x8d72ba0
	handle = (struct talloc_reference_handle *) 0x8d22838
#2  0x086032f8 in auth_ntlmssp_check_password (gensec_ntlmssp_state=0x8d22868, mem_ctx=0x8d3be60, 
    user_session_key=0xbff1be24, lm_session_key=0xbff1be1c) at auth/ntlmssp/ntlmssp_server.c:694
	nt_status = {v = 0}
	user_info = (struct auth_usersupplied_info *) 0x8e10c88
	__FUNCTION__ = "auth_ntlmssp_check_password"
#3  0x08602f24 in ntlmssp_server_auth (gensec_security=0x8b39308, out_mem_ctx=0x8b9f698, in=
      {data = 0x8d86af0 "NTLMSSP", length = 116}, out=0xbff1bf94) at auth/ntlmssp/ntlmssp_server.c:587
	gensec_ntlmssp_state = (struct gensec_ntlmssp_state *) 0x8d22868
	user_session_key = {data = 0x0, length = 0}
	lm_session_key = {data = 0x0, length = 0}
	nt_status = {v = 0}
	mem_ctx = (TALLOC_CTX *) 0x8d3be60
#4  0x085fe684 in gensec_ntlmssp_update (gensec_security=0x8b39308, out_mem_ctx=0x8b9f698, input=
      {data = 0x8d86af0 "NTLMSSP", length = 116}, out=0xbff1bf94) at auth/ntlmssp/ntlmssp.c:221
	gensec_ntlmssp_state = (struct gensec_ntlmssp_state *) 0x8d22868
	status = {v = 0}
	i = 3
#5  0x085fc162 in gensec_update (gensec_security=0x8b39308, out_mem_ctx=0x8b9f698, in=
      {data = 0x8d86af0 "NTLMSSP", length = 116}, out=0xbff1bf94) at auth/gensec/gensec.c:939
No locals.
#6  0x0862a22c in gensec_spnego_update (gensec_security=0x8df5e50, out_mem_ctx=0x8b9f698, in=
      {data = 0x8d9b9a8 "�z0x�v\004tNTLMSSP", length = 124}, out=0x8b9f6a8) at auth/gensec/spnego.c:859
	nt_status = {v = 146404968}
	spnego_state = (struct spnego_state *) 0x8df5908
	null_data_blob = {data = 0x0, length = 0}
	unwrapped_out = {data = 0x0, length = 0}
	spnego_out = {type = 0, negTokenInit = {mechTypes = 0x0, reqFlags = 0, mechToken = {data = 0x8dda830 "�P�\b", 
      length = 0}, mechListMIC = {data = 0xbff1bf98 "", length = 143881603}, targetPrincipal = 0x8dda860 "\001\001"}, 
  negTokenTarg = {negResult = 88 'X', supportedMech = 0xfe <Address 0xfe out of bounds>, responseToken = {
      data = 0x8839c36 "\017��\211E�\213E���U\211�\203�\030\213E\ff\211E�\203}\b", length = 144514552}, mechListMIC = {
      data = 0x1 <Address 0x1 out of bounds>, length = 3220291528}}}
	spnego = {type = 1, negTokenInit = {mechTypes = 0x0, reqFlags = 0, mechToken = {data = 0x0, length = 0}, 
    mechListMIC = {data = 0x0, length = 0}, targetPrincipal = 0x0}, negTokenTarg = {negResult = 0 '\0', 
    supportedMech = 0x0, responseToken = {data = 0x8d86af0 "NTLMSSP", length = 116}, mechListMIC = {data = 0x0, 
      length = 0}}}
	len = 124
	__FUNCTION__ = "gensec_spnego_update"
#7  0x085fc1dd in gensec_update_async_timed_handler (ev=0x8af8378, te=0x8d2a3c8, t={tv_sec = 0, tv_usec = 0}, ptr=0x8b9f698)
    at auth/gensec/gensec.c:946
	req = (struct gensec_update_request *) 0x8b9f698
#8  0x0883a30f in common_event_loop_timer_delay (ev=0x8af8378) at lib/events/events_timed.c:220
	current_time = {tv_sec = 0, tv_usec = 0}
	te = (struct timed_event *) 0x8d2a3c8
#9  0x0883d6dc in std_event_loop_once (ev=0x8af8378) at lib/events/events_standard.c:559
	std_ev = (struct std_event_context *) 0x8af83c8
	tval = {tv_sec = 30, tv_usec = 0}
#10 0x0883d78e in std_event_loop_wait (ev=0x8af8378) at lib/events/events_standard.c:583
	std_ev = (struct std_event_context *) 0x8af83c8
#11 0x08839d15 in event_loop_wait (ev=0x8af8378) at lib/events/events.c:291
No locals.
#12 0x080ee0e1 in binary_smbd_main (binary_name=0x8942bbb "smbd", argc=4, argv=0xbff1c3d4) at smbd/server.c:360
	opt_daemon = false
	opt_interactive = true
	opt = -1
	pc = (poptContext) 0x8aea008
	static_init = {0x846571b <server_service_wrepl_init>, 0x842fa10 <server_service_kdc_init>, 
  0x842a279 <server_service_ldap_init>, 0x8402b94 <server_service_smb_init>, 0x817d69e <server_service_web_init>, 
  0x817a738 <server_service_drepl_init>, 0x816aa09 <server_service_winbind_init>, 
  0x816a20e <server_service_ntp_signd_init>, 0x80f9f9d <server_service_rpc_init>, 0x80f069f <server_service_nbtd_init>, 
  0x80ee8c8 <server_service_cldapd_init>, 0}
	shared_init = (init_module_fn *) 0x0
	event_ctx = (struct event_context *) 0x8af8378
	stdin_event_flags = 1
	status = {v = 0}
	model = 0x8aeb770 "single"
	max_runtime = 0
	long_options = {{longName = 0x0, shortName = 0 '\0', argInfo = 4, arg = 0x8adfd40, val = 0, 
    descrip = 0x8942932 "Help options:", argDescrip = 0x0}, {longName = 0x8942940 "daemon", shortName = 68 'D', 
    argInfo = 0, arg = 0x0, val = 1000, descrip = 0x8942947 "Become a daemon (default)", argDescrip = 0x0}, {
    longName = 0x8942961 "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 1001, 
    descrip = 0x8942970 "Run interactive (not a daemon)", argDescrip = 0x0}, {longName = 0x894298f "model", 
    shortName = 77 'M', argInfo = 1, arg = 0x0, val = 1002, descrip = 0x8942995 "Select process model", 
    argDescrip = 0x89429aa "MODEL"}, {longName = 0x89429b0 "maximum-runtime", shortName = 0 '\0', argInfo = 2, 
    arg = 0xbff1c2ec, val = 0, descrip = 0x89429c0 "set maximum runtime of the server process, till autotermination", 
    argDescrip = 0x8942a00 "seconds"}, {longName = 0x0, shortName = 0 '\0', argInfo = 4, arg = 0x8adfbe0, val = 0, 
    descrip = 0x8942a08 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\0', argInfo = 4, 
    arg = 0x8adfce0, val = 0, descrip = 0x8942a08 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, 
    shortName = 0 '\0', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
	__FUNCTION__ = "binary_smbd_main"
#13 0x080ee13c in main (argc=0, argv=0x89) at smbd/server.c:371
No locals.

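The panic in the description and the backtrace above show the same shape: _talloc_reference receives ptr=0x50, and talloc_chunk_from_ptr derives tc=0x20 from it, a tiny address that gdb reports as out of bounds. That pattern is what you get when a field's address is taken from a structure pointer that is NULL: the "pointer" is just the field offset. The following C program is an added example, not code from this report or from Samba. It demonstrates the unchecked accessor that produces such a value, the guard that prevents it, and a talloc-style header check that refuses the pointer before reading memory in front of it. The record layout, the 0x50 offset, the magic constant and the page-size heuristic are constructed assumptions; the page does not show Samba's structures or the fix that was applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a length-prefixed buffer. */
struct blob {
    uint8_t *data;
    size_t length;
};

/* Constructed authentication record. The padding places session_key at
 * offset 0x50 so the arithmetic matches ptr=0x50 in the backtrace; Samba's
 * real layout is not shown on the page and is not claimed here. */
struct auth_result {
    uint8_t pad[0x50];
    struct blob session_key;
};

/* Minimal talloc-style header stored immediately before each allocation.
 * The magic value is an arbitrary constant chosen for this example. */
#define CHUNK_MAGIC 0xe814ec70u
struct chunk {
    uint32_t magic;
    size_t size;
};

/* Buggy pattern: the member address is formed without checking the record.
 * With result == NULL the value is the bare field offset (0x50), non-NULL
 * but backed by nothing. Integer arithmetic keeps the demo itself from
 * dereferencing NULL. */
void *member_addr_unchecked(const struct auth_result *result)
{
    return (void *)((uintptr_t)result + offsetof(struct auth_result, session_key));
}

/* Guarded pattern: fail early when the record is missing. */
void *member_addr_checked(struct auth_result *result)
{
    if (result == NULL) {
        return NULL;
    }
    return &result->session_key;
}

/* Triage heuristic (an assumption, not a talloc rule): an address below the
 * first page is NULL plus a field offset, so look at the frame that built it. */
bool looks_null_derived(const void *ptr)
{
    uintptr_t addr = (uintptr_t)ptr;
    return addr != 0 && addr < 4096;
}

/* Reference-taking entry point with the checks a caller wants before the
 * header in front of ptr is read. 0 = ok, -1 = bad pointer argument,
 * -2 = header magic mismatch (ptr is not the start of an allocation). */
int take_reference(const void *ptr)
{
    if (ptr == NULL || looks_null_derived(ptr)) {
        return -1;
    }
    const struct chunk *tc =
        (const struct chunk *)((const char *)ptr - sizeof(struct chunk));
    return tc->magic == CHUNK_MAGIC ? 0 : -2;
}

/* Allocate a record with its header in front, as a talloc-like allocator
 * lays memory out. Returns NULL if malloc fails. */
struct auth_result *alloc_result(void)
{
    struct chunk *tc = malloc(sizeof(*tc) + sizeof(struct auth_result));
    if (tc == NULL) {
        return NULL;
    }
    tc->magic = CHUNK_MAGIC;
    tc->size = sizeof(struct auth_result);
    struct auth_result *r = (struct auth_result *)(tc + 1);
    memset(r, 0, sizeof(*r));
    return r;
}

/* Release a record allocated by alloc_result (header sits one chunk before). */
void free_result(struct auth_result *r)
{
    if (r != NULL) {
        free((struct chunk *)r - 1);
    }
}

int main(void)
{
    struct auth_result *missing = NULL;
    struct auth_result *present = alloc_result();

    printf("member of NULL record: %p -> rc %d\n",
           member_addr_unchecked(missing),
           take_reference(member_addr_unchecked(missing)));
    printf("checked accessor on NULL record: %p\n", member_addr_checked(missing));
    printf("real allocation: rc %d\n", take_reference(present));
    printf("pointer into the middle of an allocation: rc %d\n",
           take_reference(member_addr_checked(present)));
    free_result(present);
    return 0;
}
```

The last case is worth noting when reading talloc backtraces: a pointer to a field inside an allocation is not itself a talloc pointer, so the magic check fails for it too, just without the out-of-bounds read that a NULL-derived address causes.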
Comment 3 Matthias Dieter Wallnöfer 2008-08-08 11:05:01 UTC
Andrew should have fixed it now.