Bug 687 - smbd panic when printing
Summary: smbd panic when printing
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Printing (show other bugs)
Version: 3.0.0
Hardware: Other Windows 98
: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
: 853 (view as bug list)
Depends on:
Blocks: 807
  Show dependency treegraph
 
Reported: 2003-10-27 03:46 UTC by spurnelle
Modified: 2006-03-07 11:59 UTC (History)
1 user (show)

See Also:

Attachments
The extract of log file (10.02 KB, text/plain)
2003-10-27 03:48 UTC, spurnelle 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description spurnelle 2003-10-27 03:46:48 UTC 
When a user print, sometimes, samba fail.

Here : the backtrace
#0  0x420ae169 in wait4 () from /lib/i686/libc.so.6
#1  0x4212a2d0 in __DTOR_END__ () from /lib/i686/libc.so.6
#2  0x42041fc4 in do_system () from /lib/i686/libc.so.6
#3  0x08180942 in smb_panic (why=0x8225c3d "internal error") at lib/util.c:1391
#4  0x081722ab in fault_report (sig=11) at lib/fault.c:41
#5  <signal handler called>
#6  0x4207a4f3 in strlen () from /lib/i686/libc.so.6
#7  0x4207a2a5 in strdup () from /lib/i686/libc.so.6
#8  0x08185c5e in alloc_sub_basic (smb_name=0x8266e60 "NVE", str=0x0)
    at lib/substitute.c:494
#9  0x08076cdf in lp_string (s=0x0) at param/loadparm.c:1563
#10 0x080bb51f in make_connection (service_in=0xbfffeb30 "IPC$", password=
      {data = 0x8355948 "", length = 1, free = 0x817ea74 <free_data_blob>},
    pdev=0xbfffea20 "IPC", vuid=100, status=0xbfffe61c) at smbd/service.c:827
#11 0x08094c86 in reply_tcon_and_X (conn=0x0, inbuf=0x404ac008 "",
    outbuf=0x404cd008 "", length=67, bufsize=2920) at smbd/reply.c:268
#12 0x080b8471 in switch_message (type=117, inbuf=0x404ac008 "",
    outbuf=0x404cd008 "", size=67, bufsize=2920) at smbd/process.c:767
#13 0x080b85d1 in construct_reply (inbuf=0x404ac008 "", outbuf=0x404cd008 "",
    size=67, bufsize=2920) at smbd/process.c:797
#14 0x080b8796 in process_smb (inbuf=0x404ac008 "", outbuf=0x404cd008 "")
    at smbd/process.c:897
#15 0x080b925c in smbd_process () at smbd/process.c:1323
#16 0x081d47c8 in main (argc=2, argv=0x1) at smbd/server.c:887
#17 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6

* The pathes for DEST null string can be correct this ?
Comment 1 spurnelle 2003-10-27 03:48:03 UTC 
Created attachment 226 [details]
The extract of log file
Comment 2 spurnelle 2003-10-30 07:19:22 UTC 
I think that is only on win9x system when samba reload conf or the client hasn't
make action since long time (sleeping, no action from the user).
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-11-21 21:17:18 UTC 
Can you reproduce this against the latest SAMBA_3_0 cvs code?
I know there were a couple of fixes post 3.0.0 that were 
in code sections related to this backtrace.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-12-07 22:49:53 UTC 
*** Bug 853 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter (dead mail address) 2003-12-08 09:41:38 UTC 
I've added in some protection against this NULL source 
string, but need to figure out the root cause.  At 
least we won't crash now.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2003-12-12 08:27:51 UTC 
reseting target milestone.  3.0.1 has been frozen.  WIll have to 
re-evaluate these.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2004-01-14 12:59:38 UTC 
I just fixed a crash bug on big endian boxes (e.g. Sparc).
I'm betting this is fixed now.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:20:58 UTC 
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 9 Jeremy Allison 2006-03-07 11:59:33 UTC 
I think I now have fixed the root cause of this problem - which was found by Coverity. The underlying issue was pointer aliases not being updated after a realloc.
Jeremy.