Bug 6691 - libsmbclient segfault
Summary: libsmbclient segfault
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: unspecified
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Derrell Lipman
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-04 11:25 UTC by Chuck Short (mail address dead)
Modified: 2009-09-23 07:53 UTC (History)
0 users

See Also:


Attachments

Description Chuck Short (mail address dead) 2009-09-04 11:25:06 UTC
This was recently reported in Launchpad bug #403235:

Thread 2 (process 5650):
#0  0x00be5422 in __kernel_vsyscall ()
#1  0x00da3667 in *__GI___poll (fds=0x87ea140, nfds=6, timeout=-1)
    at ../sysdeps/unix/sysv/linux/poll.c:87
	resultvar = <value optimized out>
	oldtype = 0
	result = <value optimized out>
#2  0x0076325b in IA__g_poll (fds=0x87ea140, nfds=6, timeout=-1)
    at /build/buildd/glib2.0-2.21.4/glib/gpoll.c:127
No locals.
#3  0x0075632b in g_main_context_iterate (context=0x86f72a0, 
    block=<value optimized out>, dispatch=1, self=0x86eee00)
    at /build/buildd/glib2.0-2.21.4/glib/gmain.c:2904
	max_priority = 2147483647
	timeout = -1
	some_ready = <value optimized out>
	nfds = 6
	allocated_nfds = <value optimized out>
	fds = <value optimized out>
	__PRETTY_FUNCTION__ = "g_main_context_iterate"
#4  0x0075695f in IA__g_main_loop_run (loop=0x86f7990)
    at /build/buildd/glib2.0-2.21.4/glib/gmain.c:2799
	self = (GThread *) 0x86eee00
	__PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#5  0x08052eca in daemon_main (argc=4, argv=0xbfffc994, max_job_threads=1, 
    default_type=0x8066694 "smb-share", mountable_name=0x0, 
    first_type_name=0x8066694 "smb-share") at daemon-main.c:294
	var_args = <value optimized out>
	connection = (DBusConnection *) 0x86f51d8
	loop = (GMainLoop *) 0xfffffdfc
	daemon = <value optimized out>
	derror = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0, 
  dummy3 = 0, dummy4 = 1, dummy5 = 0, padding1 = 0x174}
	mount_spec = (GMountSpec *) 0x0
	mount_source = (GMountSource *) 0x86f51d8
	error = (GError *) 0x0
	res = <value optimized out>
	type = <value optimized out>
#6  0x080531d6 in main (argc=4, argv=0xbfffc994) at daemon-main-generic.c:39
No locals.
.
Thread 1 (process 5651):
#0  *__GI_strncpy (s1=0xb7f919dc "", s2=0x0, n=256) at strncpy.c:41
	n4 = 64
	c = <value optimized out>
#1  0x0805068f in auth_callback (context=0x86ff720, 
    server_name=0x87a46e0 "zeroc", share_name=0x877bed8 "c$", 
    domain_out=0xb7f91bdc "ZEROC-NET", domainmaxlen=256, 
    username_out=0xb7f91adc "zeroc", unmaxlen=256, 
    password_out=0xb7f919dc "", pwmaxlen=256)
    at /usr/include/bits/string3.h:122
	in_keyring = <value optimized out>
	backend = (GVfsBackendSmb *) 0x86ff868
	ask_password = 0x0
	ask_user = <value optimized out>
	ask_domain = <value optimized out>
	handled = <value optimized out>
	abort = 2
#2  0x0021c6c7 in SMBC_call_auth_fn (ctx=0x8733650, context=0x86ff720, 
    server=0x87a46e0 "zeroc", share=0x877bed8 "c$", pp_workgroup=0xb7f92128, 
    pp_username=0xb7f92130, pp_password=0xb7f9212c)
    at libsmb/libsmb_server.c:114
	workgroup = "ZEROC-NET\000|\b(\034??\020?\022\000\237??\000h??\000???\000???\000??m\000`\221?\000\211?\000\000p\202|\bp?~\b\214\221?\000\214\221?\000\000\000\000\000\220\221?\000\b\004\000\000h6s\b`\221?\000\005\000\000\000+??\000?\177?\000?\217|\b@\021\002\000?\034?????\000`\221?\000\a\000\000\000\214\221?\000\214\221?\000\000\000\000\000\220\221?\000?\000\000\000\000\220|\b`\221?\000`\221?\000x?~\b\230\034??(\231|\b\020\b\002\000h6s\b`6s\b?\037\023\000\2306s\bh6s\b?\034??\020?\022\000h6s\b"...
	username = "zeroc\000\000\000\000\000\000\000$\000\000\000@\202|\b`\221?\000(u|\b???\000:w\003\000d\034??\000\000\000\000??'\000??m\000?\033??\\\033?????\000`\221?\000@\202|\bx?~\b?\033??`t|\b\200\000\000\000l\034???}|\b`\221?\000\005\000\000\000x?~\bh\033??p~|\b8\000\000\000?\202|\b???\000?\177?\000`\221?\000\000t|\b\210\033?????\000`\221?\000\000t|\bht|\b`\221?\000`\221?\000x?~\b?\033???t|\b@\000\000\000?}|\b?}|\b?\037\023\000(~|\b"...
	password = '\0' <repeats 255 times>
	auth_with_context_fn = (smbc_get_auth_data_with_context_fn) 0x40
#3  0x0021c905 in SMBC_find_server (ctx=0x8733650, context=0x86ff720, 
    server=0x87a46e0 "zeroc", share=0x877bed8 "c$", pp_workgroup=0xb7f92128, 
    pp_username=0xb7f92130, pp_password=0xb7f9212c)
    at libsmb/libsmb_server.c:174
	srv = (SMBCSRV *) 0x0
	auth_called = 0
#4  0x0021d0b6 in SMBC_server (ctx=0x8733650, context=0x86ff720, 
    connect_if_not_found=true, server=0x87a46e0 "zeroc", 
    share=0x877bed8 "c$", pp_workgroup=0xb7f92128, pp_username=0xb7f92130, 
    pp_password=0xb7f9212c) at libsmb/libsmb_server.c:263
	srv = <value optimized out>
	workgroup = <value optimized out>
	c = <value optimized out>
	called = {name = "?\177?\000p?\024?6\000\000\000X ??", 
  scope = "%??\000`\221?\0006\000\000\000`\221?\000\230 ???\037\023\000p?\024? 6s\b\220?{\b\177?\022\000\220?{\b\210\037p\b\005\000\000\000u\001]\000P6s\b\005\000\000", name_type = 142264312}
	calling = {name = "`?{\b?\177?\000??m\000??z\b", 
  scope = "?8o\b\b ??/$'\000\b7s\b\024\000\000\000?\t^\000?\037\023\000\t$'\000??m\000H ???G!\000\000\000\000\000?\027p\b\t\000\000\000,!??P6s\b", 
  name_type = 9}
	ss = {ss_family = 2, __ss_align = 0, 
  __ss_padding = '\0' <repeats 119 times>}
	tried_reverse = 0
	port_try_first = <value optimized out>
	port_try_next = <value optimized out>
	is_ipc = 0
	fs_attrs = 0
	username_used = 0xb7f91f54 "\002"
	status = <value optimized out>
	__FUNCTION__ = "SMBC_server"
#5  0x0021ea4b in SMBC_stat_ctx (context=0x86ff720, 
    fname=0x8794290 "smb://zeroc/c%24", st=0xb7f921a0)
    at libsmb/libsmb_stat.c:168
	srv = <value optimized out>
	server = 0x87a46e0 "zeroc"
	share = 0x877bed8 "c$"
	user = 0x87bcb90 "zeroc"
	password = 0x8763c10 ""
	workgroup = 0x8794348 "ZEROC-NET"
	path = 0x876bd48 ""
	write_time_ts = {tv_sec = 134530335, tv_nsec = 3}
	access_time_ts = {tv_sec = 5, tv_nsec = 0}
	change_time_ts = {tv_sec = -1208114848, tv_nsec = 1}
	size = 0
	mode = 0
	ino = 0
	frame = (TALLOC_CTX *) 0x8733650
	__FUNCTION__ = "SMBC_stat_ctx"
#6  0x080522be in do_mount (backend=0x86ff868, job=0x8700020, 
    mount_spec=0x86f58d8, mount_source=0x86efd48, is_automount=0)
    at gvfsbackendsmb.c:575
	smb_context = <value optimized out>
	st = {st_dev = 607994745929525376, __pad1 = 8740, 
  __st_ino = 13004789, st_mode = 0, st_nlink = 0, st_uid = 0, st_gid = 8, 
  st_rdev = 56134913321074688, __pad2 = 8688, st_size = -6322348441334710272, 
  st_blksize = 127, st_blocks = 0, st_atim = {tv_sec = 2, tv_nsec = 1}, 
  st_mtim = {tv_sec = 16, tv_nsec = 15118772}, st_ctim = {tv_sec = 0, 
    tv_nsec = 0}, st_ino = 4294967301}
	uri = 0x8794290 "smb://zeroc/c%24"
	res = <value optimized out>
	debug = <value optimized out>
	debug_val = <value optimized out>
	smb_mount_spec = (GMountSpec *) 0x86f2ff8
	smbc_stat = (smbc_stat_fn) 0x40
#7  0x080597e8 in run (job=0x8700020) at gvfsjobmount.c:113
	backend = (GVfsBackend *) 0x0
#8  0x0805867d in g_vfs_job_run (job=0x8700020) at gvfsjob.c:198
	class = (GVfsJobClass *) 0x86ff3f0
#9  0x080544be in job_handler_callback (data=0x8700020, user_data=0x86f0720)
    at gvfsdaemon.c:144
No locals.
#10 0x0077e84f in g_thread_pool_thread_proxy (data=0x86f7ac8)
    at /build/buildd/glib2.0-2.21.4/glib/gthreadpool.c:265
	task = (gpointer) 0x8700020
	pool = (GRealThreadPool *) 0x86f7ac8
#11 0x0077d21f in g_thread_create_proxy (data=0x86ff600)
    at /build/buildd/glib2.0-2.21.4/glib/gthread.c:635
	__PRETTY_FUNCTION__ = "g_thread_create_proxy"
#12 0x001164df in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#13 0x00dadf3e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Comment 1 Derrell Lipman 2009-09-23 07:53:17 UTC
A couple of comments:

1. The backtrace shows multiple threads. libsmbclient is not thread-safe yet, so that could be a root cause of your problem.

2. It seems to be crashing inside the authentication callback function (auth_callback), which is provided by the application and is not part of libsmbclient. Frame #0 of thread 1 shows strncpy() called with s2=0x0, i.e. the callback is copying from a NULL source pointer into password_out.

I'll close this for now since it seems to be either a misuse of the library (threaded environment) or in client code. Feel free to re-open if I've misunderstood something, or if you can track this down to libsmbclient-specific code in a single-threaded application.

Derrell