8853 – SIGABRT in source4/librpc/rpc/dcerpc_smb.c:smb_trans_callback/pipe_dead

Bug 8853 - SIGABRT in source4/librpc/rpc/dcerpc_smb.c:smb_trans_callback/pipe_dead

Summary: SIGABRT in source4/librpc/rpc/dcerpc_smb.c:smb_trans_callback/pipe_dead

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	DCE-RPCs and pipes (show other bugs)
Version:	4.0 alpha 18
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	samba4-qa@samba.org

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-04-10 13:59 UTC by Arvid Requate
Modified:	2012-06-04 12:55 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
backtrace of the winbind core (4.78 KB, text/plain) 2012-04-10 13:59 UTC, Arvid Requate	no flags	Details
patch proposal to handle smb == NULL in pipe_dead (656 bytes, patch) 2012-04-10 14:01 UTC, Arvid Requate	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate 2012-04-10 13:59:04 UTC

A coredump of the winbind server service shows the attached backtrace in gdb.
The backtrace indicates that the abort occurred due to a NULL-valued (dcecli_connection *)->transport.private_data in the source4/librpc/rpc/dcerpc_smb.c:pipe_dead function, which was called by source4/librpc/rpc/dcerpc_smb.c:smb_trans_callback as a reaction to NT_STATUS_IO_TIMEOUT.

Comment 1 Arvid Requate 2012-04-10 13:59:57 UTC

Created attachment 7447 [details]
backtrace of the winbind core

Maybe it's important to note that the following two patches to winbind were not yet included during compilation of the samba sources:
 * http://gitweb.samba.org/samba.git/?p=samba.git;a=commit;h=692c42c42731b017310e07549489c3ab0bca7d12
 * http://gitweb.samba.org/samba.git/?p=samba.git;a=commit;h=71587285ccf78547ee4830b03d8a1493412504a5

Comment 2 Arvid Requate 2012-04-10 14:01:18 UTC

Created attachment 7448 [details]
patch proposal to handle smb == NULL in pipe_dead

Comment 3 Andrew Bartlett 2012-04-10 20:58:20 UTC

Does it still work if you use talloc_get_type_abort()?

What I'm getting at is: is this a wild (non)talloc pointer, which talloc_get_type() returns NULL for, or is this really a NULL pointer to begin with?

Comment 4 Stefan Metzmacher 2012-04-11 06:05:27 UTC

talloc_get_type_abort() would be correct.

There're so many fixes in master (alpha19), which might fix this problem.

Comment 5 Arvid Requate 2012-04-11 09:23:02 UTC

The backtrace indicates that it was a NULL pointer. I guess that it is supposed to be a talloc pointer, as e.g. smb_read_callback uses talloc_get_type to fetch it. Using talloc_get_type_abort would result in a segfault as well? Anyway..

@Metze: I'm following the commits and looking out for commit sets to pull. We have been publishing a couple of updates for really important ones. I'll check again.

Comment 6 Stefan Metzmacher 2012-06-04 11:07:22 UTC

Arvid, can we close this one? I really think this is fixed in master...

Comment 7 Arvid Requate 2012-06-04 12:45:31 UTC

I'm fine with that, if it would happen again then I would reopen :-)

Comment 8 Stefan Metzmacher 2012-06-04 12:55:15 UTC

Thanks