Bug 8908 - ndr_push_spoolss_DeviceMode don't send correct data to ndr_push_charset
Summary: ndr_push_spoolss_DeviceMode don't send correct data to ndr_push_charset
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Printing
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: printing-maintainers
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-04-30 07:46 UTC by Alejandro Escanero Blanco
Modified: 2013-07-03 09:59 UTC (History)
0 users

See Also:


Description Alejandro Escanero Blanco 2012-04-30 07:46:19 UTC
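I run several Samba 3.6.4 print servers, and sometimes their print queues freeze. The cause is a crash that leaves a core dump: in frame #8 below, ndr_push_charset is called with var=0x0 (a NULL string pointer), and the strlen call in frame #7 then faults with signal 11. The backtrace is: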

#0  0x00007f23fa3a9a45 in raise () from /lib64/libc.so.6
#1  0x00007f23fa3ab225 in abort () from /lib64/libc.so.6
#2  0x00007f23fd7133e5 in dump_core () at lib/fault.c:391
#3  0x00007f23fd725ad2 in smb_panic (why=0x7f23fdce08f0 "internal error") at lib/util.c:1133
#4  0x00007f23fd712c00 in fault_report (sig=11) at lib/fault.c:53
#5  0x00007f23fd712c15 in sig_fault (sig=11) at lib/fault.c:76
#6 <signal handler called>
#7  0x00007f23fa3f70c2 in __strlen_sse2 () from /lib64/libc.so.6
#8  0x00007f23fd758b8f in ndr_push_charset (ndr=0x7f23fe3336d0, ndr_flags=1, var=0x0, length=32, byte_mul=2 '\002', chset=CH_UTF16LE) at ../librpc/ndr/ndr_string.c:749
#9  0x00007f23fda33348 in ndr_push_spoolss_DeviceMode (ndr=0x7f23fe3336d0, ndr_flags=3, r=0x7f23fe3336d0) at librpc/gen_ndr/ndr_spoolss.c:1358
#10 0x00007f23fd74de23 in ndr_push_struct_blob (blob=0x7fff92cc8fc0, mem_ctx=0x7f23fe0c55a0, p=0x7f23fe3336d0, fn=0x7f23fda332b1 <ndr_push_spoolss_DeviceMode>) at ../librpc/ndr/ndr.c:1000
#11 0x00007f23fd76a962 in pack_devicemode (devmode=0x7f23fe3336d0, buf=0x90 <Address 0x90 out of bounds>, buflen=-144) at printing/printing.c:299
#12 0x00007f23fd76bc65 in pjob_store (ev=0x7f23fe0a7550, msg_ctx=0x7f23fe0a9a40, sharename=0x7fff92cca440 "IMP-CICE-WTC-1SE-01", jobid=103, pjob=0x7fff92cc96f0) at printing/printing.c:756
#13 0x00007f23fd76c697 in traverse_fn_delete (t=0x7f23fe3370a0, key=..., data=..., state=0x7fff92cc9fd0) at printing/printing.c:989
#14 0x00007f23fab3a4d7 in tdb_traverse_internal (tdb=0x7f23fe3370a0, fn=0x7f23fd76c2fd <traverse_fn_delete>, private_data=0x7fff92cc9fd0, tl=0x7fff92cc9d20) at ../lib/tdb/common/traverse.c:190
#15 0x00007f23fab3a711 in tdb_traverse (tdb=0x7f23fe3370a0, fn=0x7f23fd76c2fd <traverse_fn_delete>, private_data=0x7fff92cc9fd0) at ../lib/tdb/common/traverse.c:260
#16 0x00007f23fd76db7f in print_queue_update_internal (ev=0x7f23fe0a7550, msg_ctx=0x7f23fe0a9a40, sharename=0x7fff92cca440 "IMP-CICE-WTC-1SE-01", current_printif=0x7f23fe09d440, lpq_command=0x7f23fe28eee0 "IMP-CICE-WTC-1SE-01",
   lprm_command=0x7f23fe177a20 "/usr/bin/lprm -PIMP-CICE-WTC-1SE-01 %j") at printing/printing.c:1429
#17 0x00007f23fd76e140 in print_queue_update_with_lock (ev=0x7f23fe0a7550, msg_ctx=0x7f23fe0a9a40, sharename=0x7fff92cca440 "IMP-CICE-WTC-1SE-01", current_printif=0x7f23fe09d440, lpq_command=0x7f23fe28eee0 "IMP-CICE-WTC-1SE-01",
   lprm_command=0x7f23fe177a20 "/usr/bin/lprm -PIMP-CICE-WTC-1SE-01 %j") at printing/printing.c:1556
#18 0x00007f23fd76e317 in print_queue_receive (msg=0x7f23fe0a9a40, private_data=0x0, msg_type=517, server_id=..., data=0x7f23fe334018) at printing/printing.c:1592
#19 0x00007f23fd6f6c0f in messaging_dispatch_rec (msg_ctx=0x7f23fe0a9a40, rec=0x7f23fe333ff0) at lib/messages.c:376
#20 0x00007f23fd6f98f6 in message_dispatch (msg_ctx=0x7f23fe0a9a40) at lib/messages_local.c:478
#21 0x00007f23fd6f86b6 in messaging_tdb_signal_handler (ev_ctx=0x7f23fe0a7550, se=0x7f23fe0cfb50, signum=10, count=1, _info=0x0, private_data=0x7f23fe0a9840) at lib/messages_local.c:76
#22 0x00007f23fd73cf6e in tevent_common_check_signal (ev=0x7f23fe0a7550) at ../lib/tevent/tevent_signal.c:366
#23 0x00007f23fd738bfe in run_events_poll (ev=0x7f23fe0a7550, pollrtn=-1, pfds=0x7f23fe0d1360, num_pfds=3) at lib/events.c:193
#24 0x00007f23fd739584 in s3_event_loop_once (ev=0x7f23fe0a7550, location=0x7f23fdcf19d4 "printing/printing.c:1704") at lib/events.c:349
#25 0x00007f23fd73a6bf in _tevent_loop_once (ev=0x7f23fe0a7550, location=0x7f23fdcf19d4 "printing/printing.c:1704") at ../lib/tevent/tevent.c:494
#26 0x00007f23fd73a8fc in tevent_common_loop_wait (ev=0x7f23fe0a7550, location=0x7f23fdcf19d4 "printing/printing.c:1704") at ../lib/tevent/tevent.c:595
#27 0x00007f23fd73a9c7 in _tevent_loop_wait (ev=0x7f23fe0a7550, location=0x7f23fdcf19d4 "printing/printing.c:1704") at ../lib/tevent/tevent.c:614
#28 0x00007f23fd76e8e8 in start_background_queue (ev=0x7f23fe0a7550, msg_ctx=0x7f23fe0a9a40) at printing/printing.c:1704
#29 0x00007f23fdb61476 in main (argc=2, argv=0x7fff92ccad78) at smbd/server.c:1270
Comment 1 Alejandro Escanero Blanco 2012-04-30 07:46:40 UTC
Another backtrace:

#0  0x00007f8b24b4ca45 in raise () from /lib64/libc.so.6
#1  0x00007f8b24b4e225 in abort () from /lib64/libc.so.6
#2  0x00007f8b27eb63e5 in dump_core () at lib/fault.c:391
#3  0x00007f8b27ec8ad2 in smb_panic (why=0x7f8b284838f0 "internal error") at lib/util.c:1133
#4  0x00007f8b27eb5c00 in fault_report (sig=11) at lib/fault.c:53
#5  0x00007f8b27eb5c15 in sig_fault (sig=11) at lib/fault.c:76
#6 <signal handler called>
#7  0x00007f8b24b9a0c2 in __strlen_sse2 () from /lib64/libc.so.6
#8  0x00007f8b27efbb8f in ndr_push_charset (ndr=0x7f8b2aa08ae0, ndr_flags=1, var=0x0, length=32, byte_mul=2 '\002', chset=CH_UTF16LE) at ../librpc/ndr/ndr_string.c:749
#9  0x00007f8b281d6348 in ndr_push_spoolss_DeviceMode (ndr=0x7f8b2aa08ae0, ndr_flags=3, r=0x7f8b2aa0eac0) at librpc/gen_ndr/ndr_spoolss.c:1358
#10 0x00007f8b27ef0e23 in ndr_push_struct_blob (blob=0x7fffbdd592d0, mem_ctx=0x7f8b2a624a40, p=0x7f8b2aa0eac0, fn=0x7f8b281d62b1 <ndr_push_spoolss_DeviceMode>) at ../librpc/ndr/ndr.c:1000
#11 0x00007f8b27f0d962 in pack_devicemode (devmode=0x7f8b2aa0eac0, buf=0x85 <Address 0x85 out of bounds>, buflen=-133) at printing/printing.c:299
#12 0x00007f8b27f0ec65 in pjob_store (ev=0x7f8b2a606550, msg_ctx=0x7f8b2a608a40, sharename=0x7fffbdd5a750 "IMP-CICE-WTC-2SE-01", jobid=1489, pjob=0x7fffbdd59a00) at printing/printing.c:756
#13 0x00007f8b27f0f697 in traverse_fn_delete (t=0x7f8b2aa08be0, key=..., data=..., state=0x7fffbdd5a2e0) at printing/printing.c:989
#14 0x00007f8b252dd4d7 in tdb_traverse_internal (tdb=0x7f8b2aa08be0, fn=0x7f8b27f0f2fd <traverse_fn_delete>, private_data=0x7fffbdd5a2e0, tl=0x7fffbdd5a030) at ../lib/tdb/common/traverse.c:190
#15 0x00007f8b252dd711 in tdb_traverse (tdb=0x7f8b2aa08be0, fn=0x7f8b27f0f2fd <traverse_fn_delete>, private_data=0x7fffbdd5a2e0) at ../lib/tdb/common/traverse.c:260
#16 0x00007f8b27f10b7f in print_queue_update_internal (ev=0x7f8b2a606550, msg_ctx=0x7f8b2a608a40, sharename=0x7fffbdd5a750 "IMP-CICE-WTC-2SE-01", current_printif=0x7f8b28840440, lpq_command=0x7f8b2a644770 "IMP-CICE-WTC-2SE-01",
   lprm_command=0x7f8b2a988d90 "/usr/bin/lprm -PIMP-CICE-WTC-2SE-01 %j") at printing/printing.c:1429
#17 0x00007f8b27f11140 in print_queue_update_with_lock (ev=0x7f8b2a606550, msg_ctx=0x7f8b2a608a40, sharename=0x7fffbdd5a750 "IMP-CICE-WTC-2SE-01", current_printif=0x7f8b28840440, lpq_command=0x7f8b2a644770 "IMP-CICE-WTC-2SE-01",
   lprm_command=0x7f8b2a988d90 "/usr/bin/lprm -PIMP-CICE-WTC-2SE-01 %j") at printing/printing.c:1556
#18 0x00007f8b27f11317 in print_queue_receive (msg=0x7f8b2a608a40, private_data=0x0, msg_type=517, server_id=..., data=0x7f8b2aa08958) at printing/printing.c:1592
#19 0x00007f8b27e99c0f in messaging_dispatch_rec (msg_ctx=0x7f8b2a608a40, rec=0x7f8b2aa08930) at lib/messages.c:376
#20 0x00007f8b27e9c8f6 in message_dispatch (msg_ctx=0x7f8b2a608a40) at lib/messages_local.c:478
#21 0x00007f8b27e9b6b6 in messaging_tdb_signal_handler (ev_ctx=0x7f8b2a606550, se=0x7f8b2a6359a0, signum=10, count=1, _info=0x0, private_data=0x7f8b2a608840) at lib/messages_local.c:76
#22 0x00007f8b27edff6e in tevent_common_check_signal (ev=0x7f8b2a606550) at ../lib/tevent/tevent_signal.c:366
#23 0x00007f8b27edbbfe in run_events_poll (ev=0x7f8b2a606550, pollrtn=-1, pfds=0x7f8b2a631240, num_pfds=3) at lib/events.c:193
#24 0x00007f8b27edc584 in s3_event_loop_once (ev=0x7f8b2a606550, location=0x7f8b284949d4 "printing/printing.c:1704") at lib/events.c:349
#25 0x00007f8b27edd6bf in _tevent_loop_once (ev=0x7f8b2a606550, location=0x7f8b284949d4 "printing/printing.c:1704") at ../lib/tevent/tevent.c:494
#26 0x00007f8b27edd8fc in tevent_common_loop_wait (ev=0x7f8b2a606550, location=0x7f8b284949d4 "printing/printing.c:1704") at ../lib/tevent/tevent.c:595
#27 0x00007f8b27edd9c7 in _tevent_loop_wait (ev=0x7f8b2a606550, location=0x7f8b284949d4 "printing/printing.c:1704") at ../lib/tevent/tevent.c:614
#28 0x00007f8b27f118e8 in start_background_queue (ev=0x7f8b2a606550, msg_ctx=0x7f8b2a608a40) at printing/printing.c:1704
#29 0x00007f8b28304476 in main (argc=2, argv=0x7fffbdd5b088) at smbd/server.c:1270
Comment 2 Alejandro Escanero Blanco 2013-07-03 09:59:57 UTC
Appears to be resolved in 2.6.15 [sic; the affected product is Samba 3.6].