The Samba-Bugzilla – Bug 9153
smbd crashed with SIGABRT in rep_strlcpy()/null pointer in connections_fetch_entry
Last modified: 2012-10-16 21:05:59 UTC
We have had > 30 reports of this crash in Ubuntu 12.04 (Samba 3.6.3).
Still trying to identify what causes the name pointer to be NULL.
Stack trace attached.
Ubuntu bug reference: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/913809
Also seen with Samba 3.6.6 from Ubuntu quantal - updating version
Can you please upload all patches that you applied on top of 3.6.3? The stacktrace does not reflect upstream code. smbd/reply.c:5110 is not a call to close_cnum, as the stacktrace indicates, it is a return statement.
The stack trace was actually from 3.6.1 - but we see the same issue right through to 3.6.6.
smbd/reply.c:5110 (in 3.6.1):
Apologies for the confusion.
Stared at code for a couple of hours now, but I do not have a clue how we can end up in that state. In frame 11, it would be interesting to see conn->params and conn->params->service. Then it would be interesting to see the value of the variables iNumService and ServicePtrs. If conn->params->service is >=0 and <iNumService, *ServicePtrs[conn->params->service] would also be very interesting.
Alternatively, do you have a way to reproduce this issue?
I'm unable to reproduce this issue either ATM; I've requested further information from the reporters of this problem to see if we can get enough detail to create a test case.
I have 3 corefiles from 3.6.0 showing this same problem. In each one they had deleted a share sometime earlier. In all 3 cases conn->params->service was 0. I looked at all the ServicePtrs entries and *ServicePtrs contained all zeros while the others were valid for the remaining shares defined in smb.conf. It is interesting to note also in all 3 cases conn->connectpath was NOT the path of the deleted share. Unfortunately the logs were only set to debug level 0 and I have not been able to reproduce this problem.