smbtorture accesses not initialised memory in the raw-acls test. The subtest is test_nttrans_create. When I comment the line torture/raw/acls.c:228 //NDR_PRINT_DEBUG(security_descriptor, sd); out, the error disappears.

Here is the first error from the valgrind output (there are some more, if wished I can post them):

==28989== Use of uninitialised value of size 4
==28989==    at 0x43DA518: (within /lib/i686/cmov/libc-2.7.so)
==28989==    by 0x43DDC9B: vfprintf (in /lib/i686/cmov/libc-2.7.so)
==28989==    by 0x4402FFB: vasprintf (in /lib/i686/cmov/libc-2.7.so)
==28989==    by 0x8A49A71: ndr_print_debug_helper (ndr.c:174)
==28989==    by 0x8A480CE: ndr_print_uint16 (ndr_basic.c:654)
==28989==    by 0x8A38CCE: ndr_print_security_ace (ndr_security.c:439)
==28989==    by 0x8A39557: ndr_print_security_acl (ndr_security.c:536)
==28989==    by 0x8A3AA14: ndr_print_security_descriptor (ndr_security.c:765)
==28989==    by 0x8A49C6D: ndr_print_debug (ndr.c:221)
==28989==    by 0x87355F0: test_nttrans_create (acls.c:228)
==28989==    by 0x8741D2B: torture_raw_acls (acls.c:1998)
==28989==    by 0x874F293: wrap_simple_1smb_test (util_smb.c:808)
Are you able to investigate this issue a bit more? But it could also be that the error is located in the "libc". A test on another machine would help to find out.
It's probably not libc, but if you look at ndr_security.c:439 on your build, and report which member of the structure is being printed (and is uninitialised), it will make this bug more useful.
At the moment I'm on a business trip. I will look into it on the weekend.
Created attachment 4302
Patch

Looking at "ndr_security.c" line 439, it turns out that the problem is caused by the attribute "size" of a "struct security_ace". We missed initialising new ACEs with "talloc_zero" in one place. It is a small error - and hard to find.
Fixed
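Added example, not the attached patch or Samba code: the bug class described in this report, shown with plain libc stand-ins. The struct layout, the function names and the 0xAA fill (used to make stale heap contents deterministic) are assumptions for illustration; calloc stands in for talloc_zero.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for struct security_ace. */
struct ace {
    uint8_t  type;
    uint8_t  flags;
    uint16_t size;         /* assumed here to be filled in only when the ACE is marshalled */
    uint32_t access_mask;
};

/* Stand-in for a non-zeroing allocation. The 0xAA fill imitates stale heap
 * bytes so the result is reproducible; real malloc memory is indeterminate. */
static struct ace *ace_alloc_raw(void)
{
    struct ace *a = malloc(sizeof(*a));
    if (a != NULL)
        memset(a, 0xAA, sizeof(*a));
    return a;
}

/* Buggy pattern: the caller sets only the fields it knows about, so "size"
 * and "flags" keep whatever was in memory. A later debug print of the whole
 * structure then reads those bytes, which is what valgrind reported. */
struct ace *ace_new_unsafe(uint8_t type, uint32_t mask)
{
    struct ace *a = ace_alloc_raw();
    if (a == NULL)
        return NULL;
    a->type = type;
    a->access_mask = mask;
    return a;
}

/* Fixed pattern: zeroing allocation (calloc here, talloc_zero in the report),
 * so every field the caller does not set has a defined value of 0. */
struct ace *ace_new_zeroed(uint8_t type, uint32_t mask)
{
    struct ace *a = calloc(1, sizeof(*a));
    if (a == NULL)
        return NULL;
    a->type = type;
    a->access_mask = mask;
    return a;
}
```

Removing the debug print, as in the first comment, only hides the read; the zeroing allocation removes the undefined field itself.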