Bug 8305 - nmbd segfaults - when using "smbtree ..."
Summary: nmbd segfaults - when using "smbtree ..."
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Nmbd
Version: unspecified
Hardware: x86 Linux
Importance: P5 regression
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
 
Reported: 2011-07-13 03:47 UTC by Guenter Kukkukk
Modified: 2011-07-13 18:50 UTC



Attachments
git-am fix for 3.6.0 (979 bytes, patch)
2011-07-13 13:15 UTC, Jeremy Allison
vl: review+

Description Guenter Kukkukk 2011-07-13 03:47:52 UTC
When running smbtree more than once I noticed that nmbd wasn't running anymore - it was gone ...

Started nmbd inside a root console as: nmbd -i -d3 

PANIC (pid 25323): internal error
BACKTRACE: 15 stack frames:
 #0 nmbd(log_stack_trace+0x2b) [0xb756ffdb]
 #1 nmbd(smb_panic_s3+0x80) [0xb756fe46]
 #2 nmbd(smb_panic+0x2a) [0xb755ec0a]
 #3 nmbd(+0x21a8f7) [0xb755e8f7]
 #4 nmbd(+0x21a914) [0xb755e914]
 #5 [0xffffe400]
 #6 nmbd(_tevent_req_notify_callback+0x5c) [0xb75892d3]
 #7 nmbd(+0x245306) [0xb7589306]
 #8 nmbd(_tevent_req_error+0x4e) [0xb758937c]
 #9 nmbd(+0x20f86c) [0xb755386c]
 #10 nmbd(run_events_poll+0x61b) [0xb75854fb]
 #11 nmbd(listen_for_packets+0x290) [0xb73b2176]
 #12 nmbd(+0x59207) [0xb739d207]
 #13 nmbd(main+0xdda) [0xb739e3c9]
 #14 /lib/libc.so.6(__libc_start_main+0xfe) [0xb6f8bc2e]
-------------
Attaching to the failing process revealed:

./libsmb/unexpected.c

static void nb_packet_got_query(struct tevent_req *req)
{
	struct nb_packet_client *client = tevent_req_callback_data(
		req, struct nb_packet_client);
	struct nb_packet_query q;
	uint8_t *buf;
	ssize_t nread, nwritten;
	int err;
	char c;

	nread = read_packet_recv(req, talloc_tos(), &buf, &err);
	TALLOC_FREE(req);
	if (nread < sizeof(struct nb_packet_query)) {
		DEBUG(10, ("read_packet_recv returned %d (%s)\n",
			   (int)nread,
			   (nread == -1) ? strerror(err) : "wrong length"));
		TALLOC_FREE(client);
		return;
	}

	/* Take care of alignment */
	memcpy(&q, buf, sizeof(q));    <----- segfault
-----------------
In the failing case nread was assigned the value -1, and the signed <---> unsigned comparison in
    if (nread < sizeof(struct nb_packet_query)) {
is promoted to an unsigned comparison, so the error path is never taken.

Solution:

      if (nread < (ssize_t)sizeof(struct nb_packet_query)) {

------------------------

Cheers, Günter
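The signed/unsigned promotion described in the report, as an added C example that is not Samba's code. `struct demo_query` is a hypothetical stand-in for `struct nb_packet_query` (only its size matters), `process_read` models the control flow of `nb_packet_got_query`, and the example assumes the buffer pointer is left NULL when the simulated read fails; instead of letting `memcpy` dereference NULL it reports that outcome as a value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for struct nb_packet_query: only its size matters. */
struct demo_query {
    uint32_t name_len;
    char name[16];
};

/* Constructed sample packet of exactly the expected length. */
static const uint8_t sample_packet[sizeof(struct demo_query)] = {0};

/* The original check. sizeof() yields size_t, so the usual arithmetic
 * conversions turn the ssize_t operand into size_t: -1 becomes SIZE_MAX and
 * the "short read" test is false for the one case it must catch.
 * gcc -Wextra (-Wsign-compare) flags exactly this line. */
int short_read_buggy(ssize_t nread)
{
    return nread < sizeof(struct demo_query);
}

/* The fixed check from the report: cast sizeof() so the comparison happens
 * in the signed domain and -1 takes the error path. */
int short_read_fixed(ssize_t nread)
{
    return nread < (ssize_t)sizeof(struct demo_query);
}

enum outcome { HANDLED_ERROR = 0, COPIED = 1, WOULD_CRASH = 2 };

/* Model of nb_packet_got_query's control flow. buf is NULL when the simulated
 * read failed (an assumption of this example). Rather than executing
 * memcpy(&q, NULL, ...) as the real code did, report WOULD_CRASH. */
enum outcome process_read(ssize_t nread, const uint8_t *buf, int use_fix)
{
    struct demo_query q;
    int short_read = use_fix ? short_read_fixed(nread)
                             : short_read_buggy(nread);

    if (short_read) {
        return HANDLED_ERROR;      /* the TALLOC_FREE(client); return; path */
    }
    if (buf == NULL) {
        return WOULD_CRASH;        /* real code would memcpy from NULL here */
    }
    memcpy(&q, buf, sizeof(q));    /* "Take care of alignment" */
    (void)q;
    return COPIED;
}

int main(void)
{
    printf("read error, buggy check: %s\n",
           process_read(-1, NULL, 0) == WOULD_CRASH ? "would segfault" : "handled");
    printf("read error, fixed check: %s\n",
           process_read(-1, NULL, 1) == HANDLED_ERROR ? "handled" : "would segfault");
    printf("full packet, fixed check: %s\n",
           process_read((ssize_t)sizeof(sample_packet), sample_packet, 1) == COPIED
               ? "copied" : "rejected");
    return 0;
}
```

Compile with `cc -Wall -Wextra demo.c`; GCC's -Wextra enables -Wsign-compare for C and reports the comparison in `short_read_buggy`, which is the cheapest way to catch this class of bug before it reaches a daemon that parses network input.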
Comment 1 Jeremy Allison 2011-07-13 13:15:10 UTC
Created attachment 6699
git-am fix for 3.6.0

Same as kukk's fix that I pushed to master. Metze, please review and re-assign to Karolin. It's a blocker as it's an nmbd crash bug.

Jeremy.
Comment 2 Volker Lendecke 2011-07-13 13:57:18 UTC
Comment on attachment 6699
git-am fix for 3.6.0

Taking this one, it's my code. Sorry for not being faster :-)
Comment 3 Jeremy Allison 2011-07-13 14:12:25 UTC
Yeah, I thought it was but wasn't sure if you were online and around at the moment. If you want to do the review instead of metze and re-assign if you're happy then please do !

Jeremy.
Comment 4 Karolin Seeger 2011-07-13 18:50:42 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks!