9352 – samba crashes with certain RPC calls.

Bug 9352 - samba crashes with certain RPC calls.

Summary: samba crashes with certain RPC calls.

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	DCE-RPCs and pipes (show other bugs)
Version:	4.0.0rc3
Hardware:	All All

Importance:	P5 critical (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	8622
	Show dependency tree / graph

Reported:	2012-11-02 18:24 UTC by Greg Dickie
Modified:	2012-11-09 10:59 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
This patch avoids the segfault (986 bytes, patch) 2012-11-02 18:24 UTC, Greg Dickie	abartlet: review+ metze: review+	Details
This patch properly fixes the issue (1.45 KB, patch) 2012-11-02 18:25 UTC, Greg Dickie	abartlet: review+ metze: review+	Details
Cosmetic patch (1.08 KB, patch) 2012-11-03 08:40 UTC, Volker Lendecke	abartlet: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Greg Dickie 2012-11-02 18:24:08 UTC

Created attachment 8142 [details]
This patch avoids the segfault

From the mailing list:
More info. Looks like replication. I got a core file:
(gdb) bt
#0  0x00007f8e52bdf885 in raise () from /lib64/libc.so.6
#1  0x00007f8e52be1065 in abort () from /lib64/libc.so.6
#2  0x00007f8e5575ac32 in smb_panic_default (why=0x7f8e5576da75 "internal error") at ../lib/util/fault.c:149
#3  0x00007f8e5575ac70 in smb_panic (why=0x7f8e5576da75 "internal error") at ../lib/util/fault.c:162
#4  0x00007f8e5575a97b in fault_report (sig=11) at ../lib/util/fault.c:77
#5  0x00007f8e5575a990 in sig_fault (sig=11) at ../lib/util/fault.c:88
#6  <signal handler called>
#7  0x00007f8e50fa3235 in ndr_push_drsuapi_DsNameInfo1 (ndr=0x28aa5b0, ndr_flags=256, r=0xed) at default/librpc/gen_ndr/ndr_drsuapi.c:6132
#8  0x00007f8e50fa3f5b in ndr_push_drsuapi_DsNameCtr1 (ndr=0x28aa5b0, ndr_flags=768, r=0x2f64d60) at default/librpc/gen_ndr/ndr_drsuapi.c:6250
#9  0x00007f8e50fa484a in ndr_push_drsuapi_DsNameCtr (ndr=0x28aa5b0, ndr_flags=768, r=0x2796030) at default/librpc/gen_ndr/ndr_drsuapi.c:6347
#10 0x00007f8e50fdd1d1 in ndr_push_drsuapi_DsCrackNames (ndr=0x28aa5b0, flags=32, r=0x2965890) at default/librpc/gen_ndr/ndr_drsuapi.c:15633
#11 0x00007f8e42393f30 in drsuapi__op_ndr_push (dce_call=0x2553df0, mem_ctx=0x2553df0, push=0x28aa5b0, r=0x2965890) at default/librpc/gen_ndr/ndr_drsuapi_s.c:705
#12 0x000000000040c9c0 in dcesrv_reply (call=0x2553df0) at ../source4/rpc_server/common/reply.c:175
#13 0x00007f8e423adef6 in dcesrv_request (call=0x2553df0) at ../source4/rpc_server/dcerpc_server.c:981
#14 0x00007f8e423ae37f in dcesrv_process_ncacn_packet (dce_conn=0x268d1a0, pkt=0x2b65530, blob=...) at ../source4/rpc_server/dcerpc_server.c:1110
#15 0x00007f8e423af344 in dcesrv_read_fragment_done (subreq=0x0) at ../source4/rpc_server/dcerpc_server.c:1488
#16 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x23d43a0, location=0x7f8e53161200 "../librpc/rpc/dcerpc_util.c:295") at ../lib/tevent/tevent_req.c:101
#17 0x00007f8e555368f9 in tevent_req_finish (req=0x23d43a0, state=TEVENT_REQ_DONE, location=0x7f8e53161200 "../librpc/rpc/dcerpc_util.c:295")
    at ../lib/tevent/tevent_req.c:110
#18 0x00007f8e55536920 in _tevent_req_done (req=0x23d43a0, location=0x7f8e53161200 "../librpc/rpc/dcerpc_util.c:295") at ../lib/tevent/tevent_req.c:116
#19 0x00007f8e5315d117 in dcerpc_read_ncacn_packet_done (subreq=0x0) at ../librpc/rpc/dcerpc_util.c:295
#20 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x20bac90, location=0x7f8e50313c60 "../lib/tsocket/tsocket_helpers.c:231") at ../lib/tevent/tevent_req.c:101
#21 0x00007f8e555368f9 in tevent_req_finish (req=0x20bac90, state=TEVENT_REQ_DONE, location=0x7f8e50313c60 "../lib/tsocket/tsocket_helpers.c:231")
    at ../lib/tevent/tevent_req.c:110
#22 0x00007f8e55536920 in _tevent_req_done (req=0x20bac90, location=0x7f8e50313c60 "../lib/tsocket/tsocket_helpers.c:231") at ../lib/tevent/tevent_req.c:116
#23 0x00007f8e5030bc09 in tstream_readv_pdu_ask_for_next_vector (req=0x20bac90) at ../lib/tsocket/tsocket_helpers.c:231
#24 0x00007f8e5030bdfe in tstream_readv_pdu_readv_done (subreq=0x2d34c70) at ../lib/tsocket/tsocket_helpers.c:290
#25 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x2d34c70, location=0x7f8e50313753 "../lib/tsocket/tsocket.c:604") at ../lib/tevent/tevent_req.c:101
#26 0x00007f8e555368f9 in tevent_req_finish (req=0x2d34c70, state=TEVENT_REQ_DONE, location=0x7f8e50313753 "../lib/tsocket/tsocket.c:604")
    at ../lib/tevent/tevent_req.c:110
#27 0x00007f8e55536920 in _tevent_req_done (req=0x2d34c70, location=0x7f8e50313753 "../lib/tsocket/tsocket.c:604") at ../lib/tevent/tevent_req.c:116
#28 0x00007f8e5030b13d in tstream_readv_done (subreq=0x0) at ../lib/tsocket/tsocket.c:604
#29 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x32b4950, location=0x7f8e50314da8 "../lib/tsocket/tsocket_bsd.c:1700") at ../lib/tevent/tevent_req.c:101
#30 0x00007f8e555368f9 in tevent_req_finish (req=0x32b4950, state=TEVENT_REQ_DONE, location=0x7f8e50314da8 "../lib/tsocket/tsocket_bsd.c:1700")
    at ../lib/tevent/tevent_req.c:110
#31 0x00007f8e55536a17 in tevent_req_trigger (ev=0x1e6dfa0, im=0x23f79c0, private_data=0x32b4950) at ../lib/tevent/tevent_req.c:166
#32 0x00007f8e55535de4 in tevent_common_loop_immediate (ev=0x1e6dfa0) at ../lib/tevent/tevent_immediate.c:135
#33 0x00007f8e5553a5f1 in std_event_loop_once (ev=0x1e6dfa0, location=0x7f8e49d37880 "../source4/smbd/process_standard.c:186") at ../lib/tevent/tevent_standard.c:555
---Type <return> to continue, or q <return> to quit--- 
#34 0x00007f8e55534ee4 in _tevent_loop_once (ev=0x1e6dfa0, location=0x7f8e49d37880 "../source4/smbd/process_standard.c:186") at ../lib/tevent/tevent.c:507
#35 0x00007f8e55535121 in tevent_common_loop_wait (ev=0x1e6dfa0, location=0x7f8e49d37880 "../source4/smbd/process_standard.c:186") at ../lib/tevent/tevent.c:608
#36 0x00007f8e555351ec in _tevent_loop_wait (ev=0x1e6dfa0, location=0x7f8e49d37880 "../source4/smbd/process_standard.c:186") at ../lib/tevent/tevent.c:627
#37 0x00007f8e49d374cd in standard_new_task (ev=0x1e6dfa0, lp_ctx=0x1e59810, service_name=0x7f8e4263ac75 "rpc", new_task=0x7f8e55daa4b0 <task_server_callback>, 
    private_data=0x201f300) at ../source4/smbd/process_standard.c:186
#38 0x00007f8e55daa65f in task_server_startup (event_ctx=0x1e6dfa0, lp_ctx=0x1e59810, service_name=0x7f8e4263ac75 "rpc", model_ops=0x7f8e49f37b40, 
    task_init=0x7f8e4263aa7c <dcesrv_task_init>) at ../source4/smbd/service_task.c:110
#39 0x00007f8e55da8c5e in server_service_init (name=0x1e5a900 "rpc", event_context=0x1e6dfa0, lp_ctx=0x1e59810, model_ops=0x7f8e49f37b40)
    at ../source4/smbd/service.c:63
#40 0x00007f8e55da8d9f in server_service_startup (event_ctx=0x1e6dfa0, lp_ctx=0x1e59810, model=0x40f415 "standard", server_services=0x1e60cd0)
    at ../source4/smbd/service.c:95
#41 0x000000000040b64a in binary_smbd_main (binary_name=0x40f25b "samba", argc=1, argv=0x7fff023a6548) at ../source4/smbd/server.c:477
#42 0x000000000040b718 in main (argc=1, argv=0x7fff023a6548) at ../source4/smbd/server.c:497

Andrew forwarded the following patches which tested ok individually:

Comment 1 Greg Dickie 2012-11-02 18:25:01 UTC

Created attachment 8143 [details]
This patch properly fixes the issue

Comment 2 Volker Lendecke 2012-11-03 08:40:08 UTC

Created attachment 8145 [details]
Cosmetic patch

This patch is a cosmetic one over 8143. It makes the code simpler to read for me. We might consider putting that into README.Coding...

Comment 3 Andrew Bartlett 2012-11-04 22:02:51 UTC

Comment on attachment 8142 [details]
This patch avoids the segfault

ack on my own patch.

Comment 4 Andrew Bartlett 2012-11-04 22:03:31 UTC

Comment on attachment 8143 [details]
This patch properly fixes the issue

ack on my own patch

Comment 5 Volker Lendecke 2012-11-05 07:15:13 UTC

Comment on attachment 8145 [details]
Cosmetic patch

Andrew, would you mind to push this patch?

Thanks,

Volker

Comment 6 Stefan Metzmacher 2012-11-08 22:06:44 UTC

Comment on attachment 8142 [details]
This patch avoids the segfault

Looks good

Comment 7 Stefan Metzmacher 2012-11-08 22:10:39 UTC

Comment on attachment 8143 [details]
This patch properly fixes the issue

Looks good

Comment 8 Stefan Metzmacher 2012-11-08 22:11:18 UTC

Karolin, please pick for to v4-0-test

Comment 9 Karolin Seeger 2012-11-09 08:21:48 UTC

(In reply to comment #5)
> Comment on attachment 8145 [details]
> Cosmetic patch
> 
> Andrew, would you mind to push this patch?
> 
> Thanks,
> 
> Volker

Patch has been pushed to master (26faa8fe3a4).

Comment 10 Karolin Seeger 2012-11-09 08:32:54 UTC

Pushed all patches to autobuild-v4-0-test.

Comment 11 Karolin Seeger 2012-11-09 10:59:16 UTC

Pushed to v4-0-test.
Closing out bug report.

Thanks!