Bug 7617 - smbd coredump due to uninitialized variables in the performance counter code.
Summary: smbd coredump due to uninitialized variables in the performance counter code.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 3.5.4
Hardware: All All
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
: 7831 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-08-12 16:28 UTC by Jeremy Allison
Modified: 2010-11-29 17:30 UTC (History)
1 user (show)

See Also:


Attachments
git-am format patch for 3.5.x. (1.20 KB, patch)
2010-08-12 17:42 UTC, Jeremy Allison
gd: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2010-08-12 16:28:35 UTC
Reported by a vendor. Patch to follow.

Backtrace.

2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.843136,  0] lib/
fault.c:47(fault_report)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:   INTERNAL ERROR: Signal 11 in pid
6682 (3.5.3-7.1-2381-SUSE-CODE10)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:   Please read the Trouble-Shooting
section of the Samba3-HOWTO
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.843214,  0] lib/
fault.c:49(fault_report)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:   From: http://www.samba.org/samba/
docs/Samba3-HOWTO.pdf
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.843268,  0] lib/
fault.c:50(fault_report)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:   ===================================
============================
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.843303,  0] lib/
util.c:1465(smb_panic)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:   PANIC (pid 6682): internal error
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.846535,  0] lib/
util.c:1569(log_stack_trace)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:   BACKTRACE: 25 stack frames:
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #0 smbd(log_stack_trace+0x1c)
[0x5555558b623c]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #1 smbd(smb_panic+0x2b)
[0x5555558b630b]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #2 smbd [0x5555558a680e]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #3 /lib64/libc.so.6
[0x2ade651d8c30]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #4 /lib64/libc.so.6
(__libc_free+0x25) [0x2ade65215d35]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #5 smbd(_winreg_QueryValue+0x2fc)
[0x5555557afbbc]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #6 smbd [0x5555557b43ea]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #7 smbd(api_pipe_request+0x23a)
[0x555555840daa]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #8 smbd [0x55555583ca24]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #9 smbd(np_write_send+0x678)
[0x55555583d0c8]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #10 smbd [0x555555658377]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #11 smbd [0x5555556587eb]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #12 smbd(reply_trans+0x5aa)
[0x55555565964a]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #13 smbd [0x5555556b6093]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #14 smbd [0x5555556b8f89]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #15 smbd [0x5555556b939d]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #16 smbd(run_events+0x181)
[0x5555558c5341]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #17 smbd(smbd_process+0x85a)
[0x5555556b875a]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:    #18 smbd [0x555555ba101e]
Comment 1 Jeremy Allison 2010-08-12 17:15:36 UTC
Here is the issue:

In file rpc_server.c, function _winreg_QueryValue()

Uint8_t *outbuf

Should be uint8_t *outbuf = NULL;

As it is later freed by

      if (free_buf) SAFE_FREE(outbuf);

in some cases, this frees the unintialized outbuf, which caused coredump.

Comment 2 Jeremy Allison 2010-08-12 17:42:56 UTC
Created attachment 5900 [details]
git-am format patch for 3.5.x.

Guenther, please review and re-assign to Karolin once you've ok'ed this.

Jeremy.
Comment 3 Guenther Deschner 2010-08-13 09:51:33 UTC
Comment on attachment 5900 [details]
git-am format patch for 3.5.x.

looks good
Comment 4 Guenther Deschner 2010-08-13 09:52:27 UTC
Jeremy, an issue in 3.4 as well ?
Comment 5 Guenther Deschner 2010-08-13 09:59:48 UTC
Karolin, please pick for 3.5 (maybe for 3.4 as well, lets see what jeremys says)
Comment 6 Jeremy Allison 2010-08-13 18:12:22 UTC
Yes, this should go into 3.4.x also.
Jeremy.
Comment 7 Karolin Seeger 2010-08-16 00:21:17 UTC
Pushed to v3-5-test and v3-4-test.
Closing out bug report.

Thanks!
Comment 8 Michael Adam 2010-11-29 17:30:20 UTC
*** Bug 7831 has been marked as a duplicate of this bug. ***