When running smbtree more than one time I noticed that nmbd wasn't running anymore - was gone ...

Started nmbd inside a root console as: nmbd -i -d3

PANIC (pid 25323): internal error
BACKTRACE: 15 stack frames:
 #0 nmbd(log_stack_trace+0x2b) [0xb756ffdb]
 #1 nmbd(smb_panic_s3+0x80) [0xb756fe46]
 #2 nmbd(smb_panic+0x2a) [0xb755ec0a]
 #3 nmbd(+0x21a8f7) [0xb755e8f7]
 #4 nmbd(+0x21a914) [0xb755e914]
 #5 [0xffffe400]
 #6 nmbd(_tevent_req_notify_callback+0x5c) [0xb75892d3]
 #7 nmbd(+0x245306) [0xb7589306]
 #8 nmbd(_tevent_req_error+0x4e) [0xb758937c]
 #9 nmbd(+0x20f86c) [0xb755386c]
 #10 nmbd(run_events_poll+0x61b) [0xb75854fb]
 #11 nmbd(listen_for_packets+0x290) [0xb73b2176]
 #12 nmbd(+0x59207) [0xb739d207]
 #13 nmbd(main+0xdda) [0xb739e3c9]
 #14 /lib/libc.so.6(__libc_start_main+0xfe) [0xb6f8bc2e]
-------------

Attaching to the failing process revealed:

./libsmb/unexpected.c

static void nb_packet_got_query(struct tevent_req *req)
{
	struct nb_packet_client *client = tevent_req_callback_data(
		req, struct nb_packet_client);
	struct nb_packet_query q;
	uint8_t *buf;
	ssize_t nread, nwritten;
	int err;
	char c;

	nread = read_packet_recv(req, talloc_tos(), &buf, &err);
	TALLOC_FREE(req);
	if (nread < sizeof(struct nb_packet_query)) {
		DEBUG(10, ("read_packet_recv returned %d (%s)\n",
			   (int)nread,
			   (nread == -1) ? strerror(err) : "wrong length"));
		TALLOC_FREE(client);
		return;
	}

	/* Take care of alignment */
	memcpy(&q, buf, sizeof(q));       <----- segfault
-----------------

In the failing case nread got the value -1 assigned, and the signed <---> unsigned compare in

	if (nread < sizeof(struct nb_packet_query)) {

is promoted to an unsigned compare - and the error path is never taken.

Solution:

	if (nread < (ssize_t)sizeof(struct nb_packet_query)) {

------------------------

Cheers,
Günter
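An added illustration of the signed/unsigned promotion described in the report (not code from the Samba tree): the buggy and fixed length checks side by side, with a stand-in struct whose layout is assumed since only its size matters here. Each function returns 1 when the caller would go on to the memcpy().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for struct nb_packet_query from libsmb/unexpected.c.
 * Assumed layout; only sizeof() matters for the comparison. */
struct nb_packet_query {
	uint8_t type;
	size_t mailslot_namelen;
	int trn_id;
};

/* Check as written in the crashing code. sizeof() yields size_t, so the
 * ssize_t nread is converted to size_t: -1 becomes SIZE_MAX, the "<" is
 * false, and a read error falls through to the memcpy(). */
int buggy_accepts_read(ssize_t nread)
{
	if (nread < sizeof(struct nb_packet_query)) {
		return 0;	/* error path: TALLOC_FREE(client); return; */
	}
	return 1;		/* proceeds to memcpy(&q, buf, sizeof(q)) */
}

/* Check with the fix from the report: casting sizeof() to ssize_t keeps
 * the comparison signed, so nread == -1 takes the error path. */
int fixed_accepts_read(ssize_t nread)
{
	if (nread < (ssize_t)sizeof(struct nb_packet_query)) {
		return 0;
	}
	return 1;
}

int main(void)
{
	/* Constructed sample read results: error, empty, short, full. */
	ssize_t cases[] = { -1, 0, 3, (ssize_t)sizeof(struct nb_packet_query) };
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		printf("nread=%zd buggy=%d fixed=%d\n", cases[i],
		       buggy_accepts_read(cases[i]),
		       fixed_accepts_read(cases[i]));
	}
	return 0;
}
```

Building with -Wextra (gcc) flags the buggy comparison with -Wsign-compare, which is the cheapest way to catch this class of bug before it ships.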
Created attachment 6699 [details] git-am fix for 3.6.0 Same as the kukk's fix I pushed to master. Metze, please review and re-assign to Karolin. It's a blocker as it's an nmbd crash bug. Jeremy.
Comment on attachment 6699 [details] git-am fix for 3.6.0 Taking this one, it's my code. Sorry for not being faster :-)
Yeah, I thought it was but wasn't sure if you were online and around at the moment. If you want to do the review instead of metze and re-assign if you're happy then please do! Jeremy.
Pushed to v3-6-test. Closing out bug report. Thanks!