7034 – vfs_cap causes signal 11 (SIGSEGV)

Bug 7034 - vfs_cap causes signal 11 (SIGSEGV)

Summary: vfs_cap causes signal 11 (SIGSEGV)

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.4
Classification:	Unclassified
Component:	VFS Modules (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P3 normal
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-01-12 19:45 UTC by SASAJIMA Toshihiro
Modified:	2010-01-13 06:26 UTC (History)
CC List:	0 users

See Also:

Attachments
patch (351 bytes, patch) 2010-01-12 23:12 UTC, SASAJIMA Toshihiro	no flags	Details
git-am format patch for 3.5.0. (849 bytes, patch) 2010-01-12 23:47 UTC, Jeremy Allison	no flags	Details
git-am format patch for 3.4.5 (849 bytes, patch) 2010-01-12 23:48 UTC, Jeremy Allison	no flags	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SASAJIMA Toshihiro 2010-01-12 19:45:55 UTC

I had used Samba-3.0.24 (Debian), and I tried upgrade to Samba-3.4.3 (Debian).
I couldn't access any shares which use vfs module 'cap'.
log.smb logged some errors:

--------
[2010/01/12 17:48:07,  0] lib/fault.c:fault_report(40)
  ===============================================================
[2010/01/12 17:48:07,  0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 13806 (3.2.5)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2010/01/12 17:48:07,  0] lib/fault.c:fault_report(43)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2010/01/12 17:48:07,  0] lib/fault.c:fault_report(44)
  ===============================================================
[2010/01/12 17:48:07,  0] lib/util.c:smb_panic(1663)
  PANIC (pid 13806): internal error
--------

Same error occured by operations following:

--------
# mkdir /tmp/foo
# touch /tmp/foo/aaaa
# vfstest
vfstest $> load cap
load: ok
vfstest $> opendir /tmp/foo/   
opendir: ok
vfstest $> readdir
readdir: .
vfstest $> readdir
readdir: aaaa
*** glibc detected *** vfstest: free(): invalid next size (fast): 0x092b8b70 ***
======= Backtrace: =========   
/lib/i686/nosegneg/libc.so.6[0xf00174]
/lib/i686/nosegneg/libc.so.6(cfree+0x96)[0xf023d6]
/usr/lib/libtalloc.so.1[0x1bd32b]
/usr/lib/libtalloc.so.1(talloc_free+0xe3)[0x1bf3d3]
vfstest[0x80a49d4]
vfstest(main+0x2c6)[0x80a523f] 
/lib/i686/nosegneg/libc.so.6(__libc_start_main+0xe5)[0xea7455]
vfstest[0x80a4211]
...
--------

These errors are memory allocation errors.
I have made a patch, and I agree GPLv3 or later.

--------------------------------
--- samba-3.4.4/source3/modules/vfs_cap.c	2010-01-04 22:01:25.000000000 +0900
+++ vfs_cap.c	2010-01-13 10:34:51.000000000 +0900
@@ -600,12 +600,13 @@
 	size_t len = 0;
 
 	for (p1 = from; *p1; len++) {
-		if (is_hex(from)) {
+		if (is_hex(p1)) {
 			p1 += 3;
 		} else {
 			p1++;
 		}
 	}
+	len++;
 
 	to = TALLOC_ARRAY(ctx, char, len);
 	if (!to) {
--------------------------------

Comment 1 SASAJIMA Toshihiro 2010-01-12 23:12:02 UTC

Created attachment 5162 [details]
patch

Comment 2 Jeremy Allison 2010-01-12 23:43:47 UTC

Thanks a lot for this - obvious good fix !

Jeremy.

Comment 3 Jeremy Allison 2010-01-12 23:47:34 UTC

Created attachment 5163 [details]
git-am format patch for 3.5.0.

Comment 4 Jeremy Allison 2010-01-12 23:48:38 UTC

Created attachment 5164 [details]
git-am format patch for 3.4.5

Comment 5 Jeremy Allison 2010-01-12 23:49:42 UTC

Re-assigning to Karolin for inclusion in 3.4.5 and 3.5.0. Karolin I have reviewed this patch and checked it under valgrind.

Jeremy.

Comment 6 Karolin Seeger 2010-01-13 06:26:16 UTC

Pushed to v3-5-test and v3-4-test.
Closing out bug report.

Thanks!