We have had > 30 reports of this crash in Ubuntu 12.04 (Samba 3.6.3). Still trying to identify what causes the name pointer to be NULL. Stack trace attached. Ubuntu bug reference: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/913809
Also seen with Samba 3.6.6 from Ubuntu quantal; updating the version.
Can you please upload all patches that you applied on top of 3.6.3? The stack trace does not reflect upstream code. smbd/reply.c:5110 is not a call to close_cnum, as the stack trace indicates; it is a return statement. Thanks, Volker
Volker, the stack trace was actually from 3.6.1, but we see the same issue right through to 3.6.6. smbd/reply.c:5110 (in 3.6.1): close_cnum(conn,req->vuid); Apologies for the confusion.
Stared at the code for a couple of hours now, but I do not have a clue how we can end up in that state. In frame 11, it would be interesting to see conn->params and conn->params->service. Then it would be interesting to see the values of the variables iNumService and ServicePtrs. If conn->params->service is >=0 and <iNumService, *ServicePtrs[conn->params->service] would also be very interesting. Alternatively, do you have a way to reproduce this issue?
I'm unable to reproduce this issue either ATM; I've requested further information from the reporters of this problem to see if we can get enough detail to create a test case.
I have 3 core files from 3.6.0 showing this same problem. In each one they had deleted a share some time earlier. In all 3 cases conn->params->service was 0. I looked at all the ServicePtrs entries, and *ServicePtrs[0] contained all zeros while the others were valid for the remaining shares defined in smb.conf. It is also interesting to note that in all 3 cases conn->connectpath was NOT the path of the deleted share. Unfortunately, the logs were only set to debug level 0, and I have not been able to reproduce this problem.
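The state described in this comment (a connection still holding a service index whose table entry has been zeroed after the share was deleted), as an added C model with a guarded lookup. This is illustrative code, not Samba's; the struct layout and the names service_table, num_services, add_service, remove_service and service_name_checked are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the state the core files show: a table of
 * per-share service entries, and a connection that keeps only an index
 * into that table.  Names and layout are assumptions, not Samba's. */
struct service_entry {
    char *name;   /* share name; becomes NULL when the entry is zeroed */
    char *path;
};

struct connection {
    int service;  /* index into service_table, like conn->params->service */
};

#define MAX_SERVICES 4
static struct service_entry storage[MAX_SERVICES];
static struct service_entry *service_table[MAX_SERVICES];
static int num_services = 0;  /* plays the role of iNumService */

int add_service(const char *name, const char *path) {
    if (num_services >= MAX_SERVICES) return -1;
    storage[num_services].name = strdup(name);
    storage[num_services].path = strdup(path);
    service_table[num_services] = &storage[num_services];
    return num_services++;
}

/* Deleting a share zeroes its entry but leaves the slot, and every
 * connection's stored index, in place: the all-zero *ServicePtrs[0]
 * observed after a share had been removed. */
void remove_service(int snum) {
    if (snum < 0 || snum >= num_services || service_table[snum] == NULL) return;
    free(service_table[snum]->name);
    free(service_table[snum]->path);
    memset(service_table[snum], 0, sizeof(*service_table[snum]));
}

/* Guarded lookup: a NULL result means the connection refers to a slot
 * that is out of range or has been zeroed, so a caller that would pass
 * ->name to strlen() or a debug log can bail out instead of
 * dereferencing NULL. */
const char *service_name_checked(const struct connection *conn) {
    if (conn->service < 0 || conn->service >= num_services) return NULL;
    const struct service_entry *e = service_table[conn->service];
    if (e == NULL || e->name == NULL) return NULL;
    return e->name;
}
```

The guarded lookup is the check a caller would want before using the name of a service a connection still refers to; without it, a zeroed entry yields exactly the NULL name pointer discussed above.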