Bug 6397 - use of unintialised data in smbtorture
use of unintialised data in smbtorture
Product: Samba 4.0
Classification: Unclassified
Component: Other
x86 Linux
: P3 normal
: ---
Assigned To: Andrew Bartlett
Andrew Bartlett
Depends on:
  Show dependency treegraph
Reported: 2009-05-22 20:18 UTC by bugventing
Modified: 2009-06-19 01:34 UTC (History)
1 user (show)

See Also:

Patch (559 bytes, patch)
2009-06-17 15:53 UTC, Matthias Dieter Wallnöfer
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description bugventing 2009-05-22 20:18:35 UTC
smbtorture accesses not initialised memory in the raw-acls test.
The subtest is test_nttrans_create.
When I comment the line torture/raw/acls.c:228
 //NDR_PRINT_DEBUG(security_descriptor, sd);
out, the error disapears.

Here is the first error from the valgrind output (there are some more, if wished I can post them):
==28989== Use of uninitialised value of size 4
==28989==    at 0x43DA518: (within /lib/i686/cmov/libc-2.7.so)
==28989==    by 0x43DDC9B: vfprintf (in /lib/i686/cmov/libc-2.7.so)
==28989==    by 0x4402FFB: vasprintf (in /lib/i686/cmov/libc-2.7.so)
==28989==    by 0x8A49A71: ndr_print_debug_helper (ndr.c:174)
==28989==    by 0x8A480CE: ndr_print_uint16 (ndr_basic.c:654)
==28989==    by 0x8A38CCE: ndr_print_security_ace (ndr_security.c:439)
==28989==    by 0x8A39557: ndr_print_security_acl (ndr_security.c:536)
==28989==    by 0x8A3AA14: ndr_print_security_descriptor (ndr_security.c:765)
==28989==    by 0x8A49C6D: ndr_print_debug (ndr.c:221)
==28989==    by 0x87355F0: test_nttrans_create (acls.c:228)
==28989==    by 0x8741D2B: torture_raw_acls (acls.c:1998)
==28989==    by 0x874F293: wrap_simple_1smb_test (util_smb.c:808)
Comment 1 Matthias Dieter Wallnöfer 2009-06-12 14:49:23 UTC
Are you able to investigate a bit more this issue?
But it could also be that the error is located in the "libc". A test on another machine would help to find it out.
Comment 2 Andrew Bartlett 2009-06-14 17:17:37 UTC
It's probably not libc, but if you look at ndr_security.c:439 on your build, and report which member of the structure is being printed (and is uninitialised), it will make this bug more useful.
Comment 3 bugventing 2009-06-15 06:57:18 UTC
At the moment I'm on a business trip. I will look into it on the weekend.
Comment 4 Matthias Dieter Wallnöfer 2009-06-17 15:53:28 UTC
Created attachment 4302 [details]

Looking in "ndr_security.c" line 439 it turns out, that the problem is caused by the attribute "size" of a "struct security_ace".
We've missed to initialise new aces with "talloc_zero" in one place. It is a small error - and hard to find.
Comment 5 Matthias Dieter Wallnöfer 2009-06-19 01:34:55 UTC