Reported by a vendor. Patch to follow.

Backtrace:

2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.843136, 0] lib/fault.c:47(fault_report)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: INTERNAL ERROR: Signal 11 in pid 6682 (3.5.3-7.1-2381-SUSE-CODE10)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: Please read the Trouble-Shooting section of the Samba3-HOWTO
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.843214, 0] lib/fault.c:49(fault_report)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]:
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.843268, 0] lib/fault.c:50(fault_report)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: ===============================================================
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.843303, 0] lib/util.c:1465(smb_panic)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: PANIC (pid 6682): internal error
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: [2010/08/11 14:41:24.846535, 0] lib/util.c:1569(log_stack_trace)
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: BACKTRACE: 25 stack frames:
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #0 smbd(log_stack_trace+0x1c) [0x5555558b623c]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #1 smbd(smb_panic+0x2b) [0x5555558b630b]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #2 smbd [0x5555558a680e]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #3 /lib64/libc.so.6 [0x2ade651d8c30]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #4 /lib64/libc.so.6(__libc_free+0x25) [0x2ade65215d35]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #5 smbd(_winreg_QueryValue+0x2fc) [0x5555557afbbc]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #6 smbd [0x5555557b43ea]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #7 smbd(api_pipe_request+0x23a) [0x555555840daa]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #8 smbd [0x55555583ca24]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #9 smbd(np_write_send+0x678) [0x55555583d0c8]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #10 smbd [0x555555658377]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #11 smbd [0x5555556587eb]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #12 smbd(reply_trans+0x5aa) [0x55555565964a]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #13 smbd [0x5555556b6093]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #14 smbd [0x5555556b8f89]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #15 smbd [0x5555556b939d]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #16 smbd(run_events+0x181) [0x5555558c5341]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #17 smbd(smbd_process+0x85a) [0x5555556b875a]
2010 Aug 11 14:41:24 sfs55_01 smbd[6682]: #18 smbd [0x555555ba101e]
Here is the issue: in file rpc_server.c, function _winreg_QueryValue(),

    uint8_t *outbuf

should be

    uint8_t *outbuf = NULL;

as it is later freed by

    if (free_buf) SAFE_FREE(outbuf);

In some cases this frees the uninitialized outbuf, which caused the coredump.
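Added illustration, not code from the Samba tree: a minimal C model of the defect described above. The hypothetical lookup() stands in for the registry value fetch inside _winreg_QueryValue(); it either hands back static data, a heap copy, or nothing at all, and query_value() applies the one-line fix so the conditional free is safe on every path (free_buf is also initialised here, as a defensive measure not mentioned in the report).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the value lookup in _winreg_QueryValue(): the
 * result is either a pointer into static data (free_buf = false) or a heap
 * copy the caller must release (free_buf = true). On the "not found" path
 * nothing is written to *out; that is exactly the case that crashed smbd. */
static const uint8_t static_val[] = { 1, 2, 3 };

static int lookup(int which, uint8_t **out, size_t *len, bool *free_buf)
{
    if (which == 0) {                      /* static value, must not be freed */
        *out = (uint8_t *)static_val; *len = sizeof(static_val); *free_buf = false;
        return 0;
    }
    if (which == 1) {                      /* dynamic value, caller frees */
        *out = malloc(4);
        if (*out == NULL) return -1;
        memset(*out, 0xAA, 4); *len = 4; *free_buf = true;
        return 0;
    }
    return -1;                             /* not found: *out left untouched */
}

/* Handler with the fix applied. The original declared `uint8_t *outbuf;`
 * with no initialiser, so on the not-found path SAFE_FREE(outbuf) passed
 * stack garbage to free() and smbd died inside __libc_free (frame #4 of the
 * backtrace). With outbuf = NULL the cleanup is a no-op on that path, since
 * free(NULL) is defined to do nothing. */
static int query_value(int which, size_t *copied)
{
    uint8_t *outbuf = NULL;                /* was: uint8_t *outbuf; */
    bool free_buf = false;                 /* initialised too; not in the report */
    size_t len = 0;
    int status = lookup(which, &outbuf, &len, &free_buf);

    *copied = (status == 0) ? len : 0;     /* stand-in for marshalling the data */
    if (free_buf) {                        /* mirrors: if (free_buf) SAFE_FREE(outbuf); */
        free(outbuf);
    }
    return status;
}

int query_status(int which) { size_t n; return query_value(which, &n); }
size_t query_len(int which) { size_t n; query_value(which, &n); return n; }

int main(void)
{
    printf("not found: status=%d len=%zu\n", query_status(2), query_len(2));
    return 0;
}
```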
Created attachment 5900: git-am format patch for 3.5.x. Guenther, please review and re-assign to Karolin once you've ok'ed this. Jeremy.
Comment on attachment 5900 (git-am format patch for 3.5.x): looks good
Jeremy, an issue in 3.4 as well?
Karolin, please pick for 3.5 (maybe for 3.4 as well, let's see what Jeremy says).
Yes, this should go into 3.4.x also. Jeremy.
Pushed to v3-5-test and v3-4-test. Closing out bug report. Thanks!
*** Bug 7831 has been marked as a duplicate of this bug. ***