Bug 9352 - samba crashes with certain RPC calls.
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.0.0rc3
Hardware: All
OS: All
Importance: P5 critical
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Blocks: 8622
Reported: 2012-11-02 18:24 UTC by Greg Dickie
Modified: 2012-11-09 10:59 UTC (History)

See Also:


Attachments
This patch avoids the segfault (986 bytes, patch)
  2012-11-02 18:24 UTC, Greg Dickie
  abartlet: review+; metze: review+
This patch properly fixes the issue (1.45 KB, patch)
  2012-11-02 18:25 UTC, Greg Dickie
  abartlet: review+; metze: review+
Cosmetic patch (1.08 KB, patch)
  2012-11-03 08:40 UTC, Volker Lendecke
  abartlet: review+

Description Greg Dickie 2012-11-02 18:24:08 UTC
Created attachment 8142 [details]
This patch avoids the segfault

From the mailing list:
More info. Looks like replication. I got a core file:
(gdb) bt
#0  0x00007f8e52bdf885 in raise () from /lib64/libc.so.6
#1  0x00007f8e52be1065 in abort () from /lib64/libc.so.6
#2  0x00007f8e5575ac32 in smb_panic_default (why=0x7f8e5576da75 "internal error") at ../lib/util/fault.c:149
#3  0x00007f8e5575ac70 in smb_panic (why=0x7f8e5576da75 "internal error") at ../lib/util/fault.c:162
#4  0x00007f8e5575a97b in fault_report (sig=11) at ../lib/util/fault.c:77
#5  0x00007f8e5575a990 in sig_fault (sig=11) at ../lib/util/fault.c:88
#6  <signal handler called>
#7  0x00007f8e50fa3235 in ndr_push_drsuapi_DsNameInfo1 (ndr=0x28aa5b0, ndr_flags=256, r=0xed) at default/librpc/gen_ndr/ndr_drsuapi.c:6132
#8  0x00007f8e50fa3f5b in ndr_push_drsuapi_DsNameCtr1 (ndr=0x28aa5b0, ndr_flags=768, r=0x2f64d60) at default/librpc/gen_ndr/ndr_drsuapi.c:6250
#9  0x00007f8e50fa484a in ndr_push_drsuapi_DsNameCtr (ndr=0x28aa5b0, ndr_flags=768, r=0x2796030) at default/librpc/gen_ndr/ndr_drsuapi.c:6347
#10 0x00007f8e50fdd1d1 in ndr_push_drsuapi_DsCrackNames (ndr=0x28aa5b0, flags=32, r=0x2965890) at default/librpc/gen_ndr/ndr_drsuapi.c:15633
#11 0x00007f8e42393f30 in drsuapi__op_ndr_push (dce_call=0x2553df0, mem_ctx=0x2553df0, push=0x28aa5b0, r=0x2965890) at default/librpc/gen_ndr/ndr_drsuapi_s.c:705
#12 0x000000000040c9c0 in dcesrv_reply (call=0x2553df0) at ../source4/rpc_server/common/reply.c:175
#13 0x00007f8e423adef6 in dcesrv_request (call=0x2553df0) at ../source4/rpc_server/dcerpc_server.c:981
#14 0x00007f8e423ae37f in dcesrv_process_ncacn_packet (dce_conn=0x268d1a0, pkt=0x2b65530, blob=...) at ../source4/rpc_server/dcerpc_server.c:1110
#15 0x00007f8e423af344 in dcesrv_read_fragment_done (subreq=0x0) at ../source4/rpc_server/dcerpc_server.c:1488
#16 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x23d43a0, location=0x7f8e53161200 "../librpc/rpc/dcerpc_util.c:295") at ../lib/tevent/tevent_req.c:101
#17 0x00007f8e555368f9 in tevent_req_finish (req=0x23d43a0, state=TEVENT_REQ_DONE, location=0x7f8e53161200 "../librpc/rpc/dcerpc_util.c:295")
    at ../lib/tevent/tevent_req.c:110
#18 0x00007f8e55536920 in _tevent_req_done (req=0x23d43a0, location=0x7f8e53161200 "../librpc/rpc/dcerpc_util.c:295") at ../lib/tevent/tevent_req.c:116
#19 0x00007f8e5315d117 in dcerpc_read_ncacn_packet_done (subreq=0x0) at ../librpc/rpc/dcerpc_util.c:295
#20 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x20bac90, location=0x7f8e50313c60 "../lib/tsocket/tsocket_helpers.c:231") at ../lib/tevent/tevent_req.c:101
#21 0x00007f8e555368f9 in tevent_req_finish (req=0x20bac90, state=TEVENT_REQ_DONE, location=0x7f8e50313c60 "../lib/tsocket/tsocket_helpers.c:231")
    at ../lib/tevent/tevent_req.c:110
#22 0x00007f8e55536920 in _tevent_req_done (req=0x20bac90, location=0x7f8e50313c60 "../lib/tsocket/tsocket_helpers.c:231") at ../lib/tevent/tevent_req.c:116
#23 0x00007f8e5030bc09 in tstream_readv_pdu_ask_for_next_vector (req=0x20bac90) at ../lib/tsocket/tsocket_helpers.c:231
#24 0x00007f8e5030bdfe in tstream_readv_pdu_readv_done (subreq=0x2d34c70) at ../lib/tsocket/tsocket_helpers.c:290
#25 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x2d34c70, location=0x7f8e50313753 "../lib/tsocket/tsocket.c:604") at ../lib/tevent/tevent_req.c:101
#26 0x00007f8e555368f9 in tevent_req_finish (req=0x2d34c70, state=TEVENT_REQ_DONE, location=0x7f8e50313753 "../lib/tsocket/tsocket.c:604")
    at ../lib/tevent/tevent_req.c:110
#27 0x00007f8e55536920 in _tevent_req_done (req=0x2d34c70, location=0x7f8e50313753 "../lib/tsocket/tsocket.c:604") at ../lib/tevent/tevent_req.c:116
#28 0x00007f8e5030b13d in tstream_readv_done (subreq=0x0) at ../lib/tsocket/tsocket.c:604
#29 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x32b4950, location=0x7f8e50314da8 "../lib/tsocket/tsocket_bsd.c:1700") at ../lib/tevent/tevent_req.c:101
#30 0x00007f8e555368f9 in tevent_req_finish (req=0x32b4950, state=TEVENT_REQ_DONE, location=0x7f8e50314da8 "../lib/tsocket/tsocket_bsd.c:1700")
    at ../lib/tevent/tevent_req.c:110
#31 0x00007f8e55536a17 in tevent_req_trigger (ev=0x1e6dfa0, im=0x23f79c0, private_data=0x32b4950) at ../lib/tevent/tevent_req.c:166
#32 0x00007f8e55535de4 in tevent_common_loop_immediate (ev=0x1e6dfa0) at ../lib/tevent/tevent_immediate.c:135
#33 0x00007f8e5553a5f1 in std_event_loop_once (ev=0x1e6dfa0, location=0x7f8e49d37880 "../source4/smbd/process_standard.c:186") at ../lib/tevent/tevent_standard.c:555
#34 0x00007f8e55534ee4 in _tevent_loop_once (ev=0x1e6dfa0, location=0x7f8e49d37880 "../source4/smbd/process_standard.c:186") at ../lib/tevent/tevent.c:507
#35 0x00007f8e55535121 in tevent_common_loop_wait (ev=0x1e6dfa0, location=0x7f8e49d37880 "../source4/smbd/process_standard.c:186") at ../lib/tevent/tevent.c:608
#36 0x00007f8e555351ec in _tevent_loop_wait (ev=0x1e6dfa0, location=0x7f8e49d37880 "../source4/smbd/process_standard.c:186") at ../lib/tevent/tevent.c:627
#37 0x00007f8e49d374cd in standard_new_task (ev=0x1e6dfa0, lp_ctx=0x1e59810, service_name=0x7f8e4263ac75 "rpc", new_task=0x7f8e55daa4b0 <task_server_callback>, 
    private_data=0x201f300) at ../source4/smbd/process_standard.c:186
#38 0x00007f8e55daa65f in task_server_startup (event_ctx=0x1e6dfa0, lp_ctx=0x1e59810, service_name=0x7f8e4263ac75 "rpc", model_ops=0x7f8e49f37b40, 
    task_init=0x7f8e4263aa7c <dcesrv_task_init>) at ../source4/smbd/service_task.c:110
#39 0x00007f8e55da8c5e in server_service_init (name=0x1e5a900 "rpc", event_context=0x1e6dfa0, lp_ctx=0x1e59810, model_ops=0x7f8e49f37b40)
    at ../source4/smbd/service.c:63
#40 0x00007f8e55da8d9f in server_service_startup (event_ctx=0x1e6dfa0, lp_ctx=0x1e59810, model=0x40f415 "standard", server_services=0x1e60cd0)
    at ../source4/smbd/service.c:95
#41 0x000000000040b64a in binary_smbd_main (binary_name=0x40f25b "samba", argc=1, argv=0x7fff023a6548) at ../source4/smbd/server.c:477
#42 0x000000000040b718 in main (argc=1, argv=0x7fff023a6548) at ../source4/smbd/server.c:497

Andrew forwarded the following patches which tested ok individually:
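As an added triage helper (not part of this bug report and not Samba code), the script below parses a gdb backtrace like the one above and reports the frame that actually faulted (the first one above `<signal handler called>`; everything below it is Samba's fault_report/smb_panic wrapper), the pointer arguments that cannot be valid addresses (here `r=0xed` in `ndr_push_drsuapi_DsNameInfo1`), and the DCE/RPC interface and operation whose reply was being marshalled under `dcesrv_reply`. The embedded backtrace is an excerpt of the one in the report, used as constructed test input; the 0x10000 low-address threshold and the rule that gdb prints pointers in hex and integers in decimal are heuristics of this example.

```python
"""Backtrace triage for Samba panics (added example; not part of the bug
report or of Samba itself)."""
import re
from dataclasses import dataclass, field

# Constructed test input: an excerpt of the gdb backtrace posted in this bug,
# keeping one of gdb's wrapped frames and its pager prompt on purpose.
SAMPLE_BT = """\
#0  0x00007f8e52bdf885 in raise () from /lib64/libc.so.6
#1  0x00007f8e52be1065 in abort () from /lib64/libc.so.6
#2  0x00007f8e5575ac32 in smb_panic_default (why=0x7f8e5576da75 "internal error") at ../lib/util/fault.c:149
#3  0x00007f8e5575ac70 in smb_panic (why=0x7f8e5576da75 "internal error") at ../lib/util/fault.c:162
#4  0x00007f8e5575a97b in fault_report (sig=11) at ../lib/util/fault.c:77
#5  0x00007f8e5575a990 in sig_fault (sig=11) at ../lib/util/fault.c:88
#6  <signal handler called>
#7  0x00007f8e50fa3235 in ndr_push_drsuapi_DsNameInfo1 (ndr=0x28aa5b0, ndr_flags=256, r=0xed) at default/librpc/gen_ndr/ndr_drsuapi.c:6132
#8  0x00007f8e50fa3f5b in ndr_push_drsuapi_DsNameCtr1 (ndr=0x28aa5b0, ndr_flags=768, r=0x2f64d60) at default/librpc/gen_ndr/ndr_drsuapi.c:6250
#9  0x00007f8e50fa484a in ndr_push_drsuapi_DsNameCtr (ndr=0x28aa5b0, ndr_flags=768, r=0x2796030) at default/librpc/gen_ndr/ndr_drsuapi.c:6347
#10 0x00007f8e50fdd1d1 in ndr_push_drsuapi_DsCrackNames (ndr=0x28aa5b0, flags=32, r=0x2965890) at default/librpc/gen_ndr/ndr_drsuapi.c:15633
#11 0x00007f8e42393f30 in drsuapi__op_ndr_push (dce_call=0x2553df0, mem_ctx=0x2553df0, push=0x28aa5b0, r=0x2965890) at default/librpc/gen_ndr/ndr_drsuapi_s.c:705
#12 0x000000000040c9c0 in dcesrv_reply (call=0x2553df0) at ../source4/rpc_server/common/reply.c:175
---Type <return> to continue, or q <return> to quit---
#16 0x00007f8e555368c7 in _tevent_req_notify_callback (req=0x23d43a0, location=0x7f8e53161200 "../librpc/rpc/dcerpc_util.c:295") at ../lib/tevent/tevent_req.c:101
#17 0x00007f8e555368f9 in tevent_req_finish (req=0x23d43a0, state=TEVENT_REQ_DONE, location=0x7f8e53161200 "../librpc/rpc/dcerpc_util.c:295")
    at ../lib/tevent/tevent_req.c:110
"""

SIGNAL_FRAME = "<signal handler called>"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>\S+)\s+\((?P<args>.*)\)"
    r"(?:\s+(?:at|from)\s+(?P<loc>\S+))?\s*$"
)
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|-?\d+)")
# Heuristic for this example: a hex-printed argument below this value cannot be
# a mapped user-space address on the 64-bit Linux host in the report, so it is
# NULL, a small integer or a struct offset being dereferenced as a pointer.
LOW_PTR_LIMIT = 0x10000


@dataclass
class Frame:
    num: int
    func: str
    args: dict = field(default_factory=dict)   # name -> integer value
    ptrs: set = field(default_factory=set)     # names gdb printed in hex
    loc: str = ""                              # "file:line" or shared object


def _logical_lines(text):
    """Join gdb's wrapped continuation lines back onto their frame line and
    drop pager prompts such as '---Type <return> to continue...'."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---Type"):
            continue
        if line.startswith("#") or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def parse_backtrace(text):
    """Turn gdb 'bt' output into Frame records, keeping the signal-handler
    marker as a frame so callers can find where the real fault was."""
    frames = []
    for line in _logical_lines(text):
        if not line.startswith("#"):
            continue
        if SIGNAL_FRAME in line:
            frames.append(Frame(int(line.split()[0][1:]), SIGNAL_FRAME))
            continue
        m = FRAME_RE.match(line)
        if not m:
            continue
        frame = Frame(int(m.group("num")), m.group("func"), loc=m.group("loc") or "")
        for name, val in ARG_RE.findall(m.group("args")):
            frame.args[name] = int(val, 0)
            if val.startswith("0x"):
                frame.ptrs.add(name)  # gdb prints pointers in hex, ints in decimal
        frames.append(frame)
    return frames


def faulting_frame(frames):
    """First frame above the signal-handler marker: the code that faulted.
    Everything below the marker is Samba's fault_report/smb_panic wrapper."""
    for i, f in enumerate(frames):
        if f.func == SIGNAL_FRAME:
            return frames[i + 1] if i + 1 < len(frames) else None
    return frames[0] if frames else None


def suspicious_pointers(frame, limit=LOW_PTR_LIMIT):
    """Pointer-looking arguments of a frame that lie below `limit`."""
    return {n: frame.args[n] for n in sorted(frame.ptrs) if frame.args[n] < limit}


def triage(text):
    """Summarise a Samba panic backtrace: where it faulted, which RPC call
    was being processed, and which pointer arguments look bogus."""
    frames = parse_backtrace(text)
    fault = faulting_frame(frames)
    if fault is None:
        return None
    callers = [f for f in frames if f.num > fault.num]
    push_frames = [f.func for f in callers if f.func.startswith("ndr_push_")]
    iface = next((f.func.split("__op_")[0] for f in callers if "__op_" in f.func), None)
    return {
        "function": fault.func,
        "location": fault.loc,
        "bad_pointers": suspicious_pointers(fault),
        # ndr_push_* below dcesrv_reply means the server faulted while
        # marshalling its own reply, so the result structure it built for
        # this call was inconsistent.
        "in_reply_marshalling": fault.func.startswith("ndr_push_")
        and any(f.func == "dcesrv_reply" for f in callers),
        "rpc_operation": push_frames[-1] if push_frames else None,  # outermost push
        "interface": iface,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BT).items():
        print(f"{key}: {value}")
```

Running it on the excerpt reports `ndr_push_drsuapi_DsNameInfo1` at `ndr_drsuapi.c:6132` with `r=0xed` as the only implausible pointer, and `drsuapi` / `ndr_push_drsuapi_DsCrackNames` as the interface and operation whose reply was being built, which is the same reading a reviewer gets by hand from the trace above.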
Comment 1 Greg Dickie 2012-11-02 18:25:01 UTC
Created attachment 8143 [details]
This patch properly fixes the issue
Comment 2 Volker Lendecke 2012-11-03 08:40:08 UTC
Created attachment 8145 [details]
Cosmetic patch

This patch is a cosmetic one over 8143. It makes the code simpler to read for me. We might consider putting that into README.Coding...
Comment 3 Andrew Bartlett 2012-11-04 22:02:51 UTC
Comment on attachment 8142 [details]
This patch avoids the segfault

ack on my own patch.
Comment 4 Andrew Bartlett 2012-11-04 22:03:31 UTC
Comment on attachment 8143 [details]
This patch properly fixes the issue

ack on my own patch
Comment 5 Volker Lendecke 2012-11-05 07:15:13 UTC
Comment on attachment 8145 [details]
Cosmetic patch

Andrew, would you mind pushing this patch?

Thanks,

Volker
Comment 6 Stefan Metzmacher 2012-11-08 22:06:44 UTC
Comment on attachment 8142 [details]
This patch avoids the segfault

Looks good
Comment 7 Stefan Metzmacher 2012-11-08 22:10:39 UTC
Comment on attachment 8143 [details]
This patch properly fixes the issue

Looks good
Comment 8 Stefan Metzmacher 2012-11-08 22:11:18 UTC
Karolin, please pick for v4-0-test.
Comment 9 Karolin Seeger 2012-11-09 08:21:48 UTC
(In reply to comment #5)
> Comment on attachment 8145 [details]
> Cosmetic patch
> 
> Andrew, would you mind pushing this patch?
> 
> Thanks,
> 
> Volker

Patch has been pushed to master (26faa8fe3a4).
Comment 10 Karolin Seeger 2012-11-09 08:32:54 UTC
Pushed all patches to autobuild-v4-0-test.
Comment 11 Karolin Seeger 2012-11-09 10:59:16 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!