Bug 7034 - vfs_cap causes signal 11 (SIGSEGV)
Summary: vfs_cap causes signal 11 (SIGSEGV)
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: unspecified
Hardware: All All
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-12 19:45 UTC by SASAJIMA Toshihiro
Modified: 2010-01-13 06:26 UTC (History)
0 users

See Also:


Attachments
patch (351 bytes, patch)
2010-01-12 23:12 UTC, SASAJIMA Toshihiro
no flags Details
git-am format patch for 3.5.0. (849 bytes, patch)
2010-01-12 23:47 UTC, Jeremy Allison
no flags Details
git-am format patch for 3.4.5 (849 bytes, patch)
2010-01-12 23:48 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description SASAJIMA Toshihiro 2010-01-12 19:45:55 UTC
I had used Samba-3.0.24 (Debian), and I tried upgrade to Samba-3.4.3 (Debian).
I couldn't access any shares which use vfs module 'cap'.
log.smb logged some errors:

--------
[2010/01/12 17:48:07,  0] lib/fault.c:fault_report(40)
  ===============================================================
[2010/01/12 17:48:07,  0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 13806 (3.2.5)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2010/01/12 17:48:07,  0] lib/fault.c:fault_report(43)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2010/01/12 17:48:07,  0] lib/fault.c:fault_report(44)
  ===============================================================
[2010/01/12 17:48:07,  0] lib/util.c:smb_panic(1663)
  PANIC (pid 13806): internal error
--------

Same error occured by operations following:

--------
# mkdir /tmp/foo
# touch /tmp/foo/aaaa
# vfstest
vfstest $> load cap
load: ok
vfstest $> opendir /tmp/foo/   
opendir: ok
vfstest $> readdir
readdir: .
vfstest $> readdir
readdir: aaaa
*** glibc detected *** vfstest: free(): invalid next size (fast): 0x092b8b70 ***
======= Backtrace: =========   
/lib/i686/nosegneg/libc.so.6[0xf00174]
/lib/i686/nosegneg/libc.so.6(cfree+0x96)[0xf023d6]
/usr/lib/libtalloc.so.1[0x1bd32b]
/usr/lib/libtalloc.so.1(talloc_free+0xe3)[0x1bf3d3]
vfstest[0x80a49d4]
vfstest(main+0x2c6)[0x80a523f] 
/lib/i686/nosegneg/libc.so.6(__libc_start_main+0xe5)[0xea7455]
vfstest[0x80a4211]
...
--------

These errors are memory allocation errors.
I have made a patch, and I agree GPLv3 or later.

--------------------------------
--- samba-3.4.4/source3/modules/vfs_cap.c	2010-01-04 22:01:25.000000000 +0900
+++ vfs_cap.c	2010-01-13 10:34:51.000000000 +0900
@@ -600,12 +600,13 @@
 	size_t len = 0;
 
 	for (p1 = from; *p1; len++) {
-		if (is_hex(from)) {
+		if (is_hex(p1)) {
 			p1 += 3;
 		} else {
 			p1++;
 		}
 	}
+	len++;
 
 	to = TALLOC_ARRAY(ctx, char, len);
 	if (!to) {
--------------------------------
Comment 1 SASAJIMA Toshihiro 2010-01-12 23:12:02 UTC
Created attachment 5162 [details]
patch
Comment 2 Jeremy Allison 2010-01-12 23:43:47 UTC
Thanks a lot for this - obvious good fix !

Jeremy.
Comment 3 Jeremy Allison 2010-01-12 23:47:34 UTC
Created attachment 5163 [details]
git-am format patch for 3.5.0.
Comment 4 Jeremy Allison 2010-01-12 23:48:38 UTC
Created attachment 5164 [details]
git-am format patch for 3.4.5
Comment 5 Jeremy Allison 2010-01-12 23:49:42 UTC
Re-assigning to Karolin for inclusion in 3.4.5 and 3.5.0. Karolin I have reviewed this patch and checked it under valgrind.

Jeremy.
Comment 6 Karolin Seeger 2010-01-13 06:26:16 UTC
Pushed to v3-5-test and v3-4-test.
Closing out bug report.

Thanks!