The Samba-Bugzilla – Bug 6397
use of uninitialised data in smbtorture
Last modified: 2009-06-19 01:34:55 UTC
smbtorture accesses uninitialised memory in the raw-acls test.
The subtest is test_nttrans_create.
When I comment out the line torture/raw/acls.c:228, the error disappears.
Here is the first error from the valgrind output (there are some more; if wanted, I can post them):
==28989== Use of uninitialised value of size 4
==28989== at 0x43DA518: (within /lib/i686/cmov/libc-2.7.so)
==28989== by 0x43DDC9B: vfprintf (in /lib/i686/cmov/libc-2.7.so)
==28989== by 0x4402FFB: vasprintf (in /lib/i686/cmov/libc-2.7.so)
==28989== by 0x8A49A71: ndr_print_debug_helper (ndr.c:174)
==28989== by 0x8A480CE: ndr_print_uint16 (ndr_basic.c:654)
==28989== by 0x8A38CCE: ndr_print_security_ace (ndr_security.c:439)
==28989== by 0x8A39557: ndr_print_security_acl (ndr_security.c:536)
==28989== by 0x8A3AA14: ndr_print_security_descriptor (ndr_security.c:765)
==28989== by 0x8A49C6D: ndr_print_debug (ndr.c:221)
==28989== by 0x87355F0: test_nttrans_create (acls.c:228)
==28989== by 0x8741D2B: torture_raw_acls (acls.c:1998)
==28989== by 0x874F293: wrap_simple_1smb_test (util_smb.c:808)
Are you able to investigate this issue a bit more?
But it could also be that the error is located in the "libc". A test on another machine would help to find out.
It's probably not libc, but if you look at ndr_security.c:439 on your build, and report which member of the structure is being printed (and is uninitialised), it will make this bug more useful.
At the moment I'm on a business trip. I will look into it on the weekend.
Created attachment 4302
Looking at "ndr_security.c" line 439, it turns out that the problem is caused by the attribute "size" of a "struct security_ace".
We missed initialising new ACEs with "talloc_zero" in one place. It is a small error, and hard to find.
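The cause described in the last comment, as an added C example that is not from Samba or from the attached patch: a constructed stand-in for struct security_ace with the members the report names, the unzeroed allocation (malloc standing in for talloc) beside the zeroed one (calloc standing in for talloc_zero), and a printf-style print path like the ndr_print call where valgrind flagged the read. The struct layout, the 12-byte SID placeholder and the size formula are assumptions for the demo, not Samba's definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Samba's struct security_ace (not the real one):
 * only the members the bug report talks about plus a fixed-size SID slot. */
struct ace {
    uint8_t  type;
    uint8_t  flags;
    uint16_t size;        /* the member valgrind reported as uninitialised */
    uint32_t access_mask;
    uint8_t  sid[12];     /* placeholder for the trustee SID */
};

/* Buggy pattern: malloc() stands in for talloc(), which does not zero the
 * block. Every member except size is set, so size holds whatever was there. */
struct ace *ace_new_unzeroed(uint8_t type, uint32_t mask)
{
    struct ace *a = malloc(sizeof *a);
    if (!a) return NULL;
    a->type = type;
    a->flags = 0;
    a->access_mask = mask;
    memset(a->sid, 0, sizeof a->sid);
    /* a->size is deliberately not set: printing it is the reported read */
    return a;
}

/* Fixed pattern: calloc() stands in for talloc_zero(); size starts at 0 and
 * is then filled in: header (4) + access mask (4) + SID bytes (assumed layout). */
struct ace *ace_new_zeroed(uint8_t type, uint32_t mask)
{
    struct ace *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->type = type;
    a->access_mask = mask;
    a->size = (uint16_t)(4 + 4 + sizeof a->sid);
    return a;
}

/* Mirrors the ndr_print path in the trace: vasprintf-style formatting of
 * size is where an unset member becomes a "use of uninitialised value". */
int ace_print_size(const struct ace *a, char *buf, size_t buflen)
{
    return snprintf(buf, buflen, "size: 0x%04x", a->size);
}
```

Under valgrind, only a caller of ace_new_unzeroed produces the report; adding --track-origins=yes points at the malloc call that handed out the unzeroed block, which is the quickest way to find the one allocation site the comment mentions.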