Bug 8593 - net join domain crash if no DCs are present
Summary: net join domain crash if no DCs are present
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 8595
Reported: 2011-11-09 23:02 UTC by Matthieu Patou
Modified: 2012-01-10 20:05 UTC

See Also:


Attachments
Patch for v3-5-test (1.11 KB, patch)
2011-11-11 01:33 UTC, Stefan Metzmacher
metze: review? (gd)
jra: review+
Patch for v3-6-test (not tested yet) (1.49 KB, patch)
2011-11-11 01:36 UTC, Stefan Metzmacher
jra: review+

Description Matthieu Patou 2011-11-09 23:02:59 UTC
The following command: ./bin/samba-tool domain join s4.home.matws.net DC --targetdir /home/mat/workspace/samba/s4/ -Uadministrator%totoTATA123

Fails like this if no DCs are present:
Finding a writeable DC for domain 's4.home.matws.net'

talloc: access after free error - first free may be at ../libcli/cldap/cldap.c:299
Bad talloc magic value - access after free

Program received signal SIGABRT, Aborted.
0x00007ffff69b33a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
	in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x00007ffff69b33a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff69b6b0b in __GI_abort () at abort.c:92
#2  0x00007ffff5a94212 in talloc_abort (reason=0x7ffff5a98ae0 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:317
#3  0x00007ffff5a9429e in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:336
#4  0x00007ffff5a9431b in talloc_chunk_from_ptr (ptr=0xfd6870) at ../lib/talloc/talloc.c:357
#5  0x00007ffff5a96673 in _talloc_free (ptr=0xfd6870, location=0x7ffff0105598 "../libcli/cldap/cldap.c:124") at ../lib/talloc/talloc.c:1348
#6  0x00007ffff0102812 in cldap_socket_destructor (c=0xfd6970) at ../libcli/cldap/cldap.c:124
#7  0x00007ffff5a95173 in _talloc_free_internal (ptr=0xfd6970, location=0x7ffff3690b78 "../source4/libcli/finddcs_cldap.c:276") at ../lib/talloc/talloc.c:826
#8  0x00007ffff5a9673f in _talloc_free (ptr=0xfd6970, location=0x7ffff3690b78 "../source4/libcli/finddcs_cldap.c:276") at ../lib/talloc/talloc.c:1370
#9  0x00007ffff367371b in finddcs_cldap_netlogon_replied (subreq=0x0) at ../source4/libcli/finddcs_cldap.c:276
#10 0x00007ffff40ed4db in _tevent_req_notify_callback (req=0xfd7430, location=0x7ffff0105e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:101
#11 0x00007ffff40ed50d in tevent_req_finish (req=0xfd7430, state=TEVENT_REQ_USER_ERROR, location=0x7ffff0105e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:110
#12 0x00007ffff40ed579 in _tevent_req_error (req=0xfd7430, error=10483072397370982581, location=0x7ffff0105e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:128
#13 0x00007ffff0cb9c9d in _tevent_req_nterror (req=0xfd7430, status=..., location=0x7ffff0105e6d "../libcli/cldap/cldap.c:989") at ../lib/util/tevent_ntstatus.c:45
#14 0x00007ffff0104bdd in cldap_netlogon_state_done (subreq=0xfd76d0) at ../libcli/cldap/cldap.c:989
#15 0x00007ffff40ed4db in _tevent_req_notify_callback (req=0xfd76d0, location=0x7ffff40f27d0 "tevent_req_timedout") at ../lib/tevent/tevent_req.c:101
#16 0x00007ffff40ed50d in tevent_req_finish (req=0xfd76d0, state=TEVENT_REQ_TIMED_OUT, location=0x7ffff40f27d0 "tevent_req_timedout") at ../lib/tevent/tevent_req.c:110
#17 0x00007ffff40ed84c in tevent_req_timedout (ev=0xfcab40, te=0xfd9670, now=..., private_data=0xfd76d0) at ../lib/tevent/tevent_req.c:242
#18 0x00007ffff40f12ce in tevent_common_loop_timer_delay (ev=0xfcab40) at ../lib/tevent/tevent_timed.c:254
#19 0x00007ffff40f08f4 in std_event_loop_once (ev=0xfcab40, location=0x7ffff40f2710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent_standard.c:558
#20 0x00007ffff40ebc10 in _tevent_loop_once (ev=0xfcab40, location=0x7ffff40f2710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent.c:505
#21 0x00007ffff40ed762 in tevent_req_poll (req=0xfd64a0, ev=0xfcab40) at ../lib/tevent/tevent_req.c:210
#22 0x00007ffff3673c22 in finddcs_cldap_recv (req=0xfd64a0, mem_ctx=0xfd12c0, io=0xfd12c0) at ../source4/libcli/finddcs_cldap.c:364
#23 0x00007ffff3673d52 in finddcs_cldap (mem_ctx=0xfd12c0, io=0xfd12c0, resolve_ctx=0xfd13f0, event_ctx=0xfcab40) at ../source4/libcli/finddcs_cldap.c:389
#24 0x00007fffe805e6e5 in py_net_finddc (self=0xf51468, args=0xf4ff38) at ../source4/libnet/py_net.c:597
Comment 1 Matthieu Patou 2011-11-10 13:10:51 UTC
Valgrind part related to this problem:

Finding a writeable DC for domain 's4.home.matws.net'
==8120== Invalid read of size 4
==8120==    at 0x7B712D6: talloc_chunk_from_ptr (talloc.c:349)
==8120==    by 0x7B73672: _talloc_free (talloc.c:1348)
==8120==    by 0xD507DE0: cldap_socket_recv_dgram (cldap.c:299)
==8120==    by 0xD507A2C: cldap_recvfrom_done (cldap.c:203)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xDA9D45F: tdgram_recvfrom_done (tsocket.c:233)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B62A: tevent_req_trigger (tevent_req.c:166)
==8120==    by 0x951AA3F: tevent_common_loop_immediate (tevent_immediate.c:135)
==8120==    by 0x951E8DC: std_event_loop_once (tevent_standard.c:554)
==8120==    by 0x9519C0F: _tevent_loop_once (tevent.c:505)
==8120==    by 0x951B761: tevent_req_poll (tevent_req.c:210)
==8120==    by 0x9F78C32: finddcs_cldap_recv (finddcs_cldap.c:364)
==8120==    by 0x9F78D62: finddcs_cldap (finddcs_cldap.c:389)
==8120==    by 0x15DAE6E4: py_net_finddc (py_net.c:597)
==8120==    by 0x4B6568: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4B6D76: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4BCD2C: PyEval_EvalCodeEx (in /usr/bin/python2.7)
==8120==    by 0x448EDE: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x43074D: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x480C72: ??? (in /usr/bin/python2.7)
==8120==    by 0x47C1D0: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x4B6B9D: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4BCD2C: PyEval_EvalCodeEx (in /usr/bin/python2.7)
==8120==  Address 0x1b50af40 is 64 bytes inside a block of size 120 free'd
==8120==    at 0x4C282E0: free (vg_replace_malloc.c:366)
==8120==    by 0x7B7259E: _talloc_free_internal (talloc.c:876)
==8120==    by 0x7B73345: _talloc_free_children_internal (talloc.c:1255)
==8120==    by 0x7B7231B: _talloc_free_internal (talloc.c:846)
==8120==    by 0x7B7373E: _talloc_free (talloc.c:1370)
==8120==    by 0x9F7872B: finddcs_cldap_netlogon_replied (finddcs_cldap.c:276)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xC950C9C: _tevent_req_nterror (tevent_ntstatus.c:45)
==8120==    by 0xD509BDC: cldap_netlogon_state_done (cldap.c:989)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xC950C9C: _tevent_req_nterror (tevent_ntstatus.c:45)
==8120==    by 0xD507DC4: cldap_socket_recv_dgram (cldap.c:297)
==8120==    by 0xD507A2C: cldap_recvfrom_done (cldap.c:203)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xDA9D45F: tdgram_recvfrom_done (tsocket.c:233)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B62A: tevent_req_trigger (tevent_req.c:166)
==8120==    by 0x951AA3F: tevent_common_loop_immediate (tevent_immediate.c:135)
==8120==    by 0x951E8DC: std_event_loop_once (tevent_standard.c:554)
==8120==    by 0x9519C0F: _tevent_loop_once (tevent.c:505)
==8120==    by 0x951B761: tevent_req_poll (tevent_req.c:210)
==8120==    by 0x9F78C32: finddcs_cldap_recv (finddcs_cldap.c:364)
==8120==    by 0x9F78D62: finddcs_cldap (finddcs_cldap.c:389)
==8120== 
{
   <insert_a_suppression_name_here>
   Memcheck:Addr4
   fun:talloc_chunk_from_ptr
   fun:_talloc_free
   fun:cldap_socket_recv_dgram
   fun:cldap_recvfrom_done
   fun:_tevent_req_notify_callback
   fun:tevent_req_finish
   fun:_tevent_req_error
   fun:tdgram_recvfrom_done
   fun:_tevent_req_notify_callback
   fun:tevent_req_finish
   fun:tevent_req_trigger
   fun:tevent_common_loop_immediate
   fun:std_event_loop_once
   fun:_tevent_loop_once
   fun:tevent_req_poll
   fun:finddcs_cldap_recv
   fun:finddcs_cldap
   fun:py_net_finddc
   fun:PyEval_EvalFrameEx
   fun:PyEval_EvalFrameEx
   fun:PyEval_EvalCodeEx
   obj:/usr/bin/python2.7
   fun:PyObject_Call
   obj:/usr/bin/python2.7
}
==8120== Invalid read of size 4
==8120==    at 0x7B712F0: talloc_chunk_from_ptr (talloc.c:355)
==8120==    by 0x7B73672: _talloc_free (talloc.c:1348)
==8120==    by 0xD507DE0: cldap_socket_recv_dgram (cldap.c:299)
==8120==    by 0xD507A2C: cldap_recvfrom_done (cldap.c:203)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xDA9D45F: tdgram_recvfrom_done (tsocket.c:233)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B62A: tevent_req_trigger (tevent_req.c:166)
==8120==    by 0x951AA3F: tevent_common_loop_immediate (tevent_immediate.c:135)
==8120==    by 0x951E8DC: std_event_loop_once (tevent_standard.c:554)
==8120==    by 0x9519C0F: _tevent_loop_once (tevent.c:505)
==8120==    by 0x951B761: tevent_req_poll (tevent_req.c:210)
==8120==    by 0x9F78C32: finddcs_cldap_recv (finddcs_cldap.c:364)
==8120==    by 0x9F78D62: finddcs_cldap (finddcs_cldap.c:389)
==8120==    by 0x15DAE6E4: py_net_finddc (py_net.c:597)
==8120==    by 0x4B6568: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4B6D76: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4BCD2C: PyEval_EvalCodeEx (in /usr/bin/python2.7)
==8120==    by 0x448EDE: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x43074D: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x480C72: ??? (in /usr/bin/python2.7)
==8120==    by 0x47C1D0: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x4B6B9D: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4BCD2C: PyEval_EvalCodeEx (in /usr/bin/python2.7)
==8120==  Address 0x1b50af40 is 64 bytes inside a block of size 120 free'd
==8120==    at 0x4C282E0: free (vg_replace_malloc.c:366)
==8120==    by 0x7B7259E: _talloc_free_internal (talloc.c:876)
==8120==    by 0x7B73345: _talloc_free_children_internal (talloc.c:1255)
==8120==    by 0x7B7231B: _talloc_free_internal (talloc.c:846)
==8120==    by 0x7B7373E: _talloc_free (talloc.c:1370)
==8120==    by 0x9F7872B: finddcs_cldap_netlogon_replied (finddcs_cldap.c:276)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xC950C9C: _tevent_req_nterror (tevent_ntstatus.c:45)
==8120==    by 0xD509BDC: cldap_netlogon_state_done (cldap.c:989)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xC950C9C: _tevent_req_nterror (tevent_ntstatus.c:45)
==8120==    by 0xD507DC4: cldap_socket_recv_dgram (cldap.c:297)
==8120==    by 0xD507A2C: cldap_recvfrom_done (cldap.c:203)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xDA9D45F: tdgram_recvfrom_done (tsocket.c:233)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B62A: tevent_req_trigger (tevent_req.c:166)
==8120==    by 0x951AA3F: tevent_common_loop_immediate (tevent_immediate.c:135)
==8120==    by 0x951E8DC: std_event_loop_once (tevent_standard.c:554)
==8120==    by 0x9519C0F: _tevent_loop_once (tevent.c:505)
==8120==    by 0x951B761: tevent_req_poll (tevent_req.c:210)
==8120==    by 0x9F78C32: finddcs_cldap_recv (finddcs_cldap.c:364)
==8120==    by 0x9F78D62: finddcs_cldap (finddcs_cldap.c:389)
==8120== 
{
   <insert_a_suppression_name_here>
   Memcheck:Addr4
   fun:talloc_chunk_from_ptr
   fun:_talloc_free
   fun:cldap_socket_recv_dgram
   fun:cldap_recvfrom_done
   fun:_tevent_req_notify_callback
   fun:tevent_req_finish
   fun:_tevent_req_error
   fun:tdgram_recvfrom_done
   fun:_tevent_req_notify_callback
   fun:tevent_req_finish
   fun:tevent_req_trigger
   fun:tevent_common_loop_immediate
   fun:std_event_loop_once
   fun:_tevent_loop_once
   fun:tevent_req_poll
   fun:finddcs_cldap_recv
   fun:finddcs_cldap
   fun:py_net_finddc
   fun:PyEval_EvalFrameEx
   fun:PyEval_EvalFrameEx
   fun:PyEval_EvalCodeEx
   obj:/usr/bin/python2.7
   fun:PyObject_Call
   obj:/usr/bin/python2.7
}
==8120== Invalid read of size 8
==8120==    at 0x7B712FE: talloc_chunk_from_ptr (talloc.c:356)
==8120==    by 0x7B73672: _talloc_free (talloc.c:1348)
==8120==    by 0xD507DE0: cldap_socket_recv_dgram (cldap.c:299)
==8120==    by 0xD507A2C: cldap_recvfrom_done (cldap.c:203)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xDA9D45F: tdgram_recvfrom_done (tsocket.c:233)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B62A: tevent_req_trigger (tevent_req.c:166)
==8120==    by 0x951AA3F: tevent_common_loop_immediate (tevent_immediate.c:135)
==8120==    by 0x951E8DC: std_event_loop_once (tevent_standard.c:554)
==8120==    by 0x9519C0F: _tevent_loop_once (tevent.c:505)
==8120==    by 0x951B761: tevent_req_poll (tevent_req.c:210)
==8120==    by 0x9F78C32: finddcs_cldap_recv (finddcs_cldap.c:364)
==8120==    by 0x9F78D62: finddcs_cldap (finddcs_cldap.c:389)
==8120==    by 0x15DAE6E4: py_net_finddc (py_net.c:597)
==8120==    by 0x4B6568: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4B6D76: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4BCD2C: PyEval_EvalCodeEx (in /usr/bin/python2.7)
==8120==    by 0x448EDE: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x43074D: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x480C72: ??? (in /usr/bin/python2.7)
==8120==    by 0x47C1D0: ??? (in /usr/bin/python2.7)
==8120==    by 0x41AD29: PyObject_Call (in /usr/bin/python2.7)
==8120==    by 0x4B6B9D: PyEval_EvalFrameEx (in /usr/bin/python2.7)
==8120==    by 0x4BCD2C: PyEval_EvalCodeEx (in /usr/bin/python2.7)
==8120==  Address 0x1b50af30 is 48 bytes inside a block of size 120 free'd
==8120==    at 0x4C282E0: free (vg_replace_malloc.c:366)
==8120==    by 0x7B7259E: _talloc_free_internal (talloc.c:876)
==8120==    by 0x7B73345: _talloc_free_children_internal (talloc.c:1255)
==8120==    by 0x7B7231B: _talloc_free_internal (talloc.c:846)
==8120==    by 0x7B7373E: _talloc_free (talloc.c:1370)
==8120==    by 0x9F7872B: finddcs_cldap_netlogon_replied (finddcs_cldap.c:276)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xC950C9C: _tevent_req_nterror (tevent_ntstatus.c:45)
==8120==    by 0xD509BDC: cldap_netlogon_state_done (cldap.c:989)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xC950C9C: _tevent_req_nterror (tevent_ntstatus.c:45)
==8120==    by 0xD507DC4: cldap_socket_recv_dgram (cldap.c:297)
==8120==    by 0xD507A2C: cldap_recvfrom_done (cldap.c:203)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B578: _tevent_req_error (tevent_req.c:128)
==8120==    by 0xDA9D45F: tdgram_recvfrom_done (tsocket.c:233)
==8120==    by 0x951B4DA: _tevent_req_notify_callback (tevent_req.c:101)
==8120==    by 0x951B50C: tevent_req_finish (tevent_req.c:110)
==8120==    by 0x951B62A: tevent_req_trigger (tevent_req.c:166)
==8120==    by 0x951AA3F: tevent_common_loop_immediate (tevent_immediate.c:135)
==8120==    by 0x951E8DC: std_event_loop_once (tevent_standard.c:554)
==8120==    by 0x9519C0F: _tevent_loop_once (tevent.c:505)
==8120==    by 0x951B761: tevent_req_poll (tevent_req.c:210)
==8120==    by 0x9F78C32: finddcs_cldap_recv (finddcs_cldap.c:364)
==8120==    by 0x9F78D62: finddcs_cldap (finddcs_cldap.c:389)
==8120== 
{
   <insert_a_suppression_name_here>
   Memcheck:Addr8
   fun:talloc_chunk_from_ptr
   fun:_talloc_free
   fun:cldap_socket_recv_dgram
   fun:cldap_recvfrom_done
   fun:_tevent_req_notify_callback
   fun:tevent_req_finish
   fun:_tevent_req_error
   fun:tdgram_recvfrom_done
   fun:_tevent_req_notify_callback
   fun:tevent_req_finish
   fun:tevent_req_trigger
   fun:tevent_common_loop_immediate
   fun:std_event_loop_once
   fun:_tevent_loop_once
   fun:tevent_req_poll
   fun:finddcs_cldap_recv
   fun:finddcs_cldap
   fun:py_net_finddc
   fun:PyEval_EvalFrameEx
   fun:PyEval_EvalFrameEx
   fun:PyEval_EvalCodeEx
   obj:/usr/bin/python2.7
   fun:PyObject_Call
   obj:/usr/bin/python2.7
}
talloc: access after free error - first free may be at ../source4/libcli/finddcs_cldap.c:276
Bad talloc magic value - access after free
==8120== 
==8120== HEAP SUMMARY:
==8120==     in use at exit: 8,729,484 bytes in 9,361 blocks
==8120==   total heap usage: 25,384 allocs, 16,023 frees, 20,102,187 bytes allocated
==8120== 
==8120== LEAK SUMMARY:
==8120==    definitely lost: 0 bytes in 0 blocks
==8120==    indirectly lost: 0 bytes in 0 blocks
==8120==      possibly lost: 1,699,201 bytes in 1,200 blocks
==8120==    still reachable: 7,030,283 bytes in 8,161 blocks
==8120==         suppressed: 0 bytes in 0 blocks
==8120== Rerun with --leak-check=full to see details of leaked memory
==8120== 
==8120== For counts of detected and suppressed errors, rerun with: -v
==8120== Use --track-origins=yes to see where uninitialised values come from
==8120== ERROR SUMMARY: 928 errors from 91 contexts (suppressed: 333 from 9)
Aborted
Comment 2 Matthieu Patou 2011-11-10 13:18:00 UTC
Here are two interesting backtraces.

I got the first one by putting a breakpoint at finddcs_cldap_netlogon_replied.

It shows that this function is called due to an error while receiving the cldap response.

#0  finddcs_cldap_netlogon_replied (subreq=0xfdd0a0) at ../source4/libcli/finddcs_cldap.c:272
#1  0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdd0a0, location=0x7ffff0104e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:101
#2  0x00007ffff40ec50d in tevent_req_finish (req=0xfdd0a0, state=TEVENT_REQ_USER_ERROR, location=0x7ffff0104e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:110
#3  0x00007ffff40ec579 in _tevent_req_error (req=0xfdd0a0, error=10483072397370982966, location=0x7ffff0104e6d "../libcli/cldap/cldap.c:989") at ../lib/tevent/tevent_req.c:128
#4  0x00007ffff0cb8c9d in _tevent_req_nterror (req=0xfdd0a0, status=..., location=0x7ffff0104e6d "../libcli/cldap/cldap.c:989") at ../lib/util/tevent_ntstatus.c:45
#5  0x00007ffff0103bdd in cldap_netlogon_state_done (subreq=0xfdd3b0) at ../libcli/cldap/cldap.c:989
#6  0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdd3b0, location=0x7ffff01046d0 "../libcli/cldap/cldap.c:297") at ../lib/tevent/tevent_req.c:101
#7  0x00007ffff40ec50d in tevent_req_finish (req=0xfdd3b0, state=TEVENT_REQ_USER_ERROR, location=0x7ffff01046d0 "../libcli/cldap/cldap.c:297") at ../lib/tevent/tevent_req.c:110
#8  0x00007ffff40ec579 in _tevent_req_error (req=0xfdd3b0, error=10483072397370982966, location=0x7ffff01046d0 "../libcli/cldap/cldap.c:297") at ../lib/tevent/tevent_req.c:128
#9  0x00007ffff0cb8c9d in _tevent_req_nterror (req=0xfdd3b0, status=..., location=0x7ffff01046d0 "../libcli/cldap/cldap.c:297") at ../lib/util/tevent_ntstatus.c:45
#10 0x00007ffff0101dc5 in cldap_socket_recv_dgram (c=0xfdc4f0, in=0xfdc860) at ../libcli/cldap/cldap.c:297
#11 0x00007ffff0101a2d in cldap_recvfrom_done (subreq=0x0) at ../libcli/cldap/cldap.c:203
#12 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdc620, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:101
#13 0x00007ffff40ec50d in tevent_req_finish (req=0xfdc620, state=TEVENT_REQ_USER_ERROR, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:110
#14 0x00007ffff40ec579 in _tevent_req_error (req=0xfdc620, error=111, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:128
#15 0x00007fffefb69460 in tdgram_recvfrom_done (subreq=0xfdcaf0) at ../lib/tsocket/tsocket.c:233
#16 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdcaf0, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:101
#17 0x00007ffff40ec50d in tevent_req_finish (req=0xfdcaf0, state=TEVENT_REQ_USER_ERROR, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:110
#18 0x00007ffff40ec579 in _tevent_req_error (req=0xfdcaf0, error=111, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:128
#19 0x00007fffefb6c647 in tdgram_bsd_recvfrom_handler (private_data=0xfdcaf0) at ../lib/tsocket/tsocket_bsd.c:888
#20 0x00007fffefb6bfa6 in tdgram_bsd_fde_handler (ev=0xfd3dd0, fde=0xfdeac0, flags=1, private_data=0xfdc590) at ../lib/tsocket/tsocket_bsd.c:681
#21 0x00007ffff40ef202 in epoll_event_loop (std_ev=0xfd36d0, tvalp=0x7fffffffc690) at ../lib/tevent/tevent_standard.c:326
#22 0x00007ffff40ef948 in std_event_loop_once (ev=0xfd3dd0, location=0x7ffff40f1710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent_standard.c:565
#23 0x00007ffff40eac10 in _tevent_loop_once (ev=0xfd3dd0, location=0x7ffff40f1710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent.c:505
#24 0x00007ffff40ec762 in tevent_req_poll (req=0xfd9e80, ev=0xfd3dd0) at ../lib/tevent/tevent_req.c:210
#25 0x00007ffff3672c33 in finddcs_cldap_recv (req=0xfd9e80, mem_ctx=0xfd5dc0, io=0xfd5dc0) at ../source4/libcli/finddcs_cldap.c:364
#26 0x00007ffff3672d63 in finddcs_cldap (mem_ctx=0xfd5dc0, io=0xfd5dc0, resolve_ctx=0xfd5ef0, event_ctx=0xfd3dd0) at ../source4/libcli/finddcs_cldap.c:389
#27 0x00007fffe805d6e5 in py_net_finddc (self=0xf4f508, args=0xf50f80) at ../source4/libnet/py_net.c:597

This backtrace was obtained from the abort in GDB; it shows that the poll function has been called a second time even though the first call was in error.

#0  0x00007ffff69b33a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff69b6b0b in __GI_abort () at abort.c:92
#2  0x00007ffff5a94212 in talloc_abort (reason=0x7ffff5a98ae0 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:317
#3  0x00007ffff5a9429e in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:336
#4  0x00007ffff5a9431b in talloc_chunk_from_ptr (ptr=0xfdc860) at ../lib/talloc/talloc.c:357
#5  0x00007ffff5a96673 in _talloc_free (ptr=0xfdc860, location=0x7ffff01046ec "../libcli/cldap/cldap.c:299") at ../lib/talloc/talloc.c:1348
#6  0x00007ffff0101de1 in cldap_socket_recv_dgram (c=0xfdc4f0, in=0xfdc860) at ../libcli/cldap/cldap.c:299
#7  0x00007ffff0101a2d in cldap_recvfrom_done (subreq=0x0) at ../libcli/cldap/cldap.c:203
#8  0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdc620, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:101
#9  0x00007ffff40ec50d in tevent_req_finish (req=0xfdc620, state=TEVENT_REQ_USER_ERROR, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:110
#10 0x00007ffff40ec579 in _tevent_req_error (req=0xfdc620, error=111, location=0x7fffefb71f14 "../lib/tsocket/tsocket.c:233") at ../lib/tevent/tevent_req.c:128
#11 0x00007fffefb69460 in tdgram_recvfrom_done (subreq=0xfdcaf0) at ../lib/tsocket/tsocket.c:233
#12 0x00007ffff40ec4db in _tevent_req_notify_callback (req=0xfdcaf0, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:101
#13 0x00007ffff40ec50d in tevent_req_finish (req=0xfdcaf0, state=TEVENT_REQ_USER_ERROR, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:110
#14 0x00007ffff40ec579 in _tevent_req_error (req=0xfdcaf0, error=111, location=0x7fffefb73010 "../lib/tsocket/tsocket_bsd.c:888") at ../lib/tevent/tevent_req.c:128
#15 0x00007fffefb6c647 in tdgram_bsd_recvfrom_handler (private_data=0xfdcaf0) at ../lib/tsocket/tsocket_bsd.c:888
#16 0x00007fffefb6bfa6 in tdgram_bsd_fde_handler (ev=0xfd3dd0, fde=0xfdeac0, flags=1, private_data=0xfdc590) at ../lib/tsocket/tsocket_bsd.c:681
#17 0x00007ffff40ef202 in epoll_event_loop (std_ev=0xfd36d0, tvalp=0x7fffffffc690) at ../lib/tevent/tevent_standard.c:326
#18 0x00007ffff40ef948 in std_event_loop_once (ev=0xfd3dd0, location=0x7ffff40f1710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent_standard.c:565
#19 0x00007ffff40eac10 in _tevent_loop_once (ev=0xfd3dd0, location=0x7ffff40f1710 "../lib/tevent/tevent_req.c:210") at ../lib/tevent/tevent.c:505
#20 0x00007ffff40ec762 in tevent_req_poll (req=0xfd9e80, ev=0xfd3dd0) at ../lib/tevent/tevent_req.c:210
#21 0x00007ffff3672c33 in finddcs_cldap_recv (req=0xfd9e80, mem_ctx=0xfd5dc0, io=0xfd5dc0) at ../source4/libcli/finddcs_cldap.c:364
#22 0x00007ffff3672d63 in finddcs_cldap (mem_ctx=0xfd5dc0, io=0xfd5dc0, resolve_ctx=0xfd5ef0, event_ctx=0xfd3dd0) at ../source4/libcli/finddcs_cldap.c:389
#23 0x00007fffe805d6e5 in py_net_finddc (self=0xf4f508, args=0xf50f80) at ../source4/libnet/py_net.c:597
Comment 3 Matthias Dieter Wallnöfer 2011-11-10 15:53:45 UTC
Please retry, could have been fixed!
Comment 4 Stefan Metzmacher 2011-11-10 16:03:27 UTC
This could also happen in 3.6.x and maybe in 3.5.x
Comment 5 Stefan Metzmacher 2011-11-11 01:27:17 UTC
The problem happened in cldap_socket_recv_dgram() between the lines
297 and 299.

    tevent_req_nterror(....);
done:
    talloc_free(in);
}

tevent_req_nterror() triggers the callback finddcs_cldap_netlogon_replied(),
which invalidates the data 'in' points to.

15:08 < metze> tevent_req_nterror() calls the callback function
15:08 < metze> which calls TALLOC_FREE(state->cldap)
15:09 < metze> and also other things
15:09 < metze> which implicitly free the memory 'in' points to
15:10 < metze> then the next cldap socket gets the same memory
15:10 < metze> so 'in' points to the new cldap socket
15:10 < metze> and calls talloc_free on it
15:10 < metze> got it?
Comment 6 Stefan Metzmacher 2011-11-11 01:33:54 UTC
Created attachment 7086 [details]
Patch for v3-5-test
Comment 7 Stefan Metzmacher 2011-11-11 01:36:14 UTC
Created attachment 7087 [details]
Patch for v3-6-test (not tested yet)
Comment 8 Stefan Metzmacher 2011-11-15 10:25:51 UTC
Matthieu or Jeremy could you please test the 3.6 fix?
Comment 9 Stefan Metzmacher 2011-11-15 10:26:48 UTC
Comment on attachment 7087 [details]
Patch for v3-6-test (not tested yet)

Jeremy, please test and review, thanks
Comment 10 Karolin Seeger 2012-01-08 19:53:39 UTC
Jeremy, is there a chance to get the review done by Thursday?
Or to re-assign to another developer for patch review (not sure whether it makes sense or not in this case)?

The fix could be included in 3.6.2 then.

Thanks,
Karolin
Comment 11 Jeremy Allison 2012-01-09 21:44:54 UTC
Comment on attachment 7087 [details]
Patch for v3-6-test (not tested yet)

Checked this over carefully (can't test exactly as reporter as samba-tool doesn't exist in 3.6.x) and it fixes an obvious use-after-free.

talloc_move nulls out the &in parameter so the TALLOC_FREE change from talloc_free is obviously correct.
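Added illustration, not Samba code and not the attached patch: a constructed stand-in for the talloc parent/child ownership that comment 5 and the backtraces describe, running the buggy ordering (error callback first, then talloc_free(in) on memory the callback already released) next to the ordering the review comments describe (talloc_move nulls the local pointer, so the final TALLOC_FREE(in) is a no-op). The pool allocator, the names obj_*, finddcs_state, netlogon_replied and recv_dgram_*, and the assumption that the fix reparents `in` under the request before the error is signalled are mine, taken from comments 5 and 11 rather than from the patch text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a talloc hierarchy (not talloc itself): objects
 * live in a fixed pool, each has an optional parent, and freeing a parent
 * frees its children. The `live` flag plays the part of talloc's magic
 * value: freeing an already-freed object is reported, not silently done. */
#define POOL_SIZE 16

struct obj {
    int live;
    struct obj *parent;
    const char *name;
};

static struct obj pool[POOL_SIZE];
static size_t pool_used;

static void pool_reset(void) {
    memset(pool, 0, sizeof(pool));
    pool_used = 0;
}

static struct obj *obj_new(struct obj *parent, const char *name) {
    struct obj *o = &pool[pool_used++];
    o->live = 1;
    o->parent = parent;
    o->name = name;
    return o;
}

/* Free o and everything parented under it. Returns 0 on success, -1 when o
 * is already dead (where talloc prints "Bad talloc magic value - access
 * after free" and aborts). NULL is a no-op, like TALLOC_FREE(NULL). */
static int obj_free(struct obj *o) {
    if (o == NULL) return 0;
    if (!o->live) return -1;
    for (size_t i = 0; i < pool_used; i++) {
        if (pool[i].live && pool[i].parent == o) obj_free(&pool[i]);
    }
    o->live = 0;
    return 0;
}

/* talloc_move() equivalent: reparent *pobj and null out the caller's pointer. */
static struct obj *obj_move(struct obj *new_parent, struct obj **pobj) {
    struct obj *o = *pobj;
    o->parent = new_parent;
    *pobj = NULL;
    return o;
}

/* Caller-side state modelled on finddcs_cldap (hypothetical names): it owns
 * the cldap socket and the pending request and is told of errors via a callback. */
struct finddcs_state {
    struct obj *cldap;   /* 'state->cldap' in metze's IRC log */
    struct obj *subreq;  /* the outstanding netlogon request */
};

/* Stands in for finddcs_cldap_netlogon_replied(): on error it tears down the
 * socket (TALLOC_FREE(state->cldap)) and the finished request. */
static void netlogon_replied(struct finddcs_state *state) {
    obj_free(state->cldap);  state->cldap = NULL;
    obj_free(state->subreq); state->subreq = NULL;
}

/* Buggy ordering from the report: 'in' (the received datagram) is a child of
 * the socket. tevent_req_nterror() runs the callback, which frees the socket
 * and with it 'in'; talloc_free(in) at done: then touches freed memory. */
static int recv_dgram_buggy(struct finddcs_state *state, struct obj *in) {
    netlogon_replied(state);      /* tevent_req_nterror(req, status); */
    /* done: */
    return obj_free(in);          /* -1: use after free */
}

/* Fixed ordering as read from the review comments (assumption): move 'in'
 * under the request before signalling, which nulls the local pointer; the
 * callback frees it with the request and TALLOC_FREE(in) is a no-op. */
static int recv_dgram_fixed(struct finddcs_state *state, struct obj *in) {
    obj_move(state->subreq, &in);  /* talloc_move(state, &in) */
    netlogon_replied(state);
    /* done: */
    return obj_free(in);           /* 0: in == NULL */
}

/* Build the socket -> datagram hierarchy and run one variant. */
static int run_scenario(int fixed) {
    struct finddcs_state state;
    struct obj *in;
    pool_reset();
    state.cldap = obj_new(NULL, "cldap socket");
    state.subreq = obj_new(NULL, "netlogon request");
    in = obj_new(state.cldap, "incoming datagram");
    return fixed ? recv_dgram_fixed(&state, in) : recv_dgram_buggy(&state, in);
}

int main(void) {
    printf("buggy ordering: %d (talloc would abort here)\n", run_scenario(0));
    printf("fixed ordering: %d\n", run_scenario(1));
    return 0;
}
```

The point the model makes visible is the one metze raised on IRC: in the buggy ordering nothing in cldap_socket_recv_dgram() itself frees the socket, so the use-after-free is only reachable through the callback chain, which is why it surfaced as a talloc abort (or, under Valgrind, an invalid read in talloc_chunk_from_ptr) rather than as an obvious local bug.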
Comment 12 Jeremy Allison 2012-01-09 23:03:10 UTC
Comment on attachment 7086 [details]
Patch for v3-5-test

Like the 3.6.x patch, this is correct.
Comment 13 Jeremy Allison 2012-01-09 23:03:34 UTC
Re-assigning to Karolin for inclusion in 3.5.next and 3.6.next.
Jeremy.
Comment 14 Karolin Seeger 2012-01-10 20:05:00 UTC
Pushed to both branches.
Closing out bug report.

Thanks!