When running 'smbtorture smb.base' you get the following panic:

[2013/02/23 19:22:58.524698, 0] lib/util.c:810(smb_panic_s3)
  PANIC (pid 2109097): sec_len == -1 in pull_ucs2_base_talloc
[2013/02/23 19:22:58.563334, 0] lib/util.c:921(log_stack_trace)
  BACKTRACE: 22 stack frames:
   #0 smbd(log_stack_trace+0x1a) [0x7f3dfe84022a]
   #1 smbd(smb_panic_s3+0x25) [0x7f3dfe8402f5]
   #2 smbd(smb_panic+0x1a1) [0x7f3dfe8321a1]
   #3 smbd(+0x466298) [0x7f3dfe82f298]
   #4 smbd(srvstr_get_path_wcard+0x42) [0x7f3dfe51a802]
   #5 smbd(srvstr_get_path_req_wcard+0x3c) [0x7f3dfe51a8cc]
   #6 smbd(srvstr_get_path_req+0x12) [0x7f3dfe51ba22]
   #7 smbd(reply_mkdir+0x53) [0x7f3dfe51bdf3]
   #8 smbd(+0x199a7b) [0x7f3dfe562a7b]
   #9 smbd(+0x19a864) [0x7f3dfe563864]
   #10 smbd(+0x19b709) [0x7f3dfe564709]
   #11 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
   #12 smbd(+0x486580) [0x7f3dfe84f580]
   #13 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
   #14 smbd(smbd_process+0xc77) [0x7f3dfe561c07]
   #15 smbd(+0x7202dc) [0x7f3dfeae92dc]
   #16 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
   #17 smbd(+0x486580) [0x7f3dfe84f580]
   #18 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
   #19 smbd(main+0x1381) [0x7f3dfeaead11]
   #20 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f3dfb396cdd]
   #21 smbd(+0x106a19) [0x7f3dfe4cfa19]
[2013/02/23 19:22:58.563848, 0] lib/dumpcore.c:317(dump_core)
  dumping core in /var/log/samba/cores/smbd

The following patch will fix this issue:
https://lists.samba.org/archive/samba-technical/2013-April/091451.html

Please consider including this patch in an upcoming 4.0.x release.
Created attachment 8763: [PATCH 1/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_get_path_req_wcard()
Created attachment 8764: [PATCH 2/3] s3:smbd: convert srvstr_pull_req_talloc() into a function
Created attachment 8765: [PATCH 3/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc()
Created attachment 8766: Consolidated patch
Consolidated patch for easier push
Karolin, please pick for v4.0.next
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks!
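The patch titles in this report describe keeping string pulls inside req->buf+req->buflen. The following is an added illustration of that kind of bounds check, not Samba's code and not the attached patches; demo_req, demo_bufrem, demo_ucs2_len and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a parsed request; not Samba's struct smb_request. */
struct demo_req {
    const uint8_t *buf; /* start of the request's data bytes */
    size_t buflen;      /* number of valid bytes at buf */
};

/* Bytes left between src and the end of the request data,
 * or -1 when src does not point into [buf, buf + buflen]. */
static long demo_bufrem(const struct demo_req *req, const uint8_t *src)
{
    uintptr_t start = (uintptr_t)req->buf, p = (uintptr_t)src;

    if (p < start || p - start > req->buflen)
        return -1;
    return (long)(req->buflen - (p - start));
}

/* Byte length (terminator included) of the UCS-2LE string at src,
 * or -1 if src is out of range or no terminator lies inside the request. */
static long demo_ucs2_len(const struct demo_req *req, const uint8_t *src)
{
    long rem = demo_bufrem(req, src);

    for (long i = 0; i + 1 < rem; i += 2)
        if (src[i] == 0 && src[i + 1] == 0)
            return i + 2;
    return -1; /* caller rejects the request instead of converting */
}

/* Constructed sample: "ab\0" then an unterminated "c"; the request ends
 * at byte 8, and the bytes after it stand for unrelated adjacent memory. */
static const uint8_t demo_wire[12] = { 'a',0, 'b',0, 0,0, 'c',0, 0,0, 'x',0 };
static const struct demo_req demo_sample = { demo_wire, 8 };

int main(void)
{
    printf("offset 0:  %ld\n", demo_ucs2_len(&demo_sample, demo_wire));
    printf("offset 6:  %ld\n", demo_ucs2_len(&demo_sample, demo_wire + 6));
    printf("offset 10: %ld\n", demo_ucs2_len(&demo_sample, demo_wire + 10));
    return 0;
}
```

The string at offset 6 has its terminator only in the bytes after the request, so the bounded scan reports failure where an unbounded scan would have read past buflen.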