Bug 9782 - Panic when running 'smbtorture smb.base'
Summary: Panic when running 'smbtorture smb.base'
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.0.5
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-10 15:24 UTC by Ralph Wuerthner
Modified: 2013-04-17 09:10 UTC (History)
1 user (show)

See Also:

Attachments
[PATCH 1/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_get_path_req_wcard() (1.21 KB, patch)
2013-04-12 08:00 UTC, Ralph Wuerthner 		no flags Details
[PATCH 2/3] s3:smbd: convert srvstr_pull_req_talloc() into a function (2.66 KB, patch)
2013-04-12 08:00 UTC, Ralph Wuerthner 		no flags Details
[PATCH 3/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc() (1.01 KB, patch)
2013-04-12 08:01 UTC, Ralph Wuerthner 		no flags Details
Consolidated patch (4.88 KB, patch)
2013-04-12 08:24 UTC, Volker Lendecke 		ambi: review+
vl: review+
Details
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Wuerthner 2013-04-10 15:24:27 UTC 
When running 'smbtorture smb.base' you get the following panic:

[2013/02/23 19:22:58.524698,  0] lib/util.c:810(smb_panic_s3)
  PANIC (pid 2109097): sec_len == -1 in pull_ucs2_base_talloc
[2013/02/23 19:22:58.563334,  0] lib/util.c:921(log_stack_trace)
  BACKTRACE: 22 stack frames:
   #0 smbd(log_stack_trace+0x1a) [0x7f3dfe84022a]
   #1 smbd(smb_panic_s3+0x25) [0x7f3dfe8402f5]
   #2 smbd(smb_panic+0x1a1) [0x7f3dfe8321a1]
   #3 smbd(+0x466298) [0x7f3dfe82f298]
   #4 smbd(srvstr_get_path_wcard+0x42) [0x7f3dfe51a802]
   #5 smbd(srvstr_get_path_req_wcard+0x3c) [0x7f3dfe51a8cc]
   #6 smbd(srvstr_get_path_req+0x12) [0x7f3dfe51ba22]
   #7 smbd(reply_mkdir+0x53) [0x7f3dfe51bdf3]
   #8 smbd(+0x199a7b) [0x7f3dfe562a7b]
   #9 smbd(+0x19a864) [0x7f3dfe563864]
   #10 smbd(+0x19b709) [0x7f3dfe564709]
   #11 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
   #12 smbd(+0x486580) [0x7f3dfe84f580]
   #13 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
   #14 smbd(smbd_process+0xc77) [0x7f3dfe561c07]
   #15 smbd(+0x7202dc) [0x7f3dfeae92dc]
   #16 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
   #17 smbd(+0x486580) [0x7f3dfe84f580]
   #18 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
   #19 smbd(main+0x1381) [0x7f3dfeaead11]
   #20 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f3dfb396cdd]
   #21 smbd(+0x106a19) [0x7f3dfe4cfa19]
[2013/02/23 19:22:58.563848,  0] lib/dumpcore.c:317(dump_core)
  dumping core in /var/log/samba/cores/smbd

The following patch will fix this issue: https://lists.samba.org/archive/samba-technical/2013-April/091451.html

Please consider to include this patch in an upcomming 4.0.x release.
Comment 1 Ralph Wuerthner 2013-04-12 08:00:08 UTC 
Created attachment 8763 [details]
[PATCH 1/3] s3:smbd: do not access data behind req->buf+req->buflen  in srvstr_get_path_req_wcard()
Comment 2 Ralph Wuerthner 2013-04-12 08:00:37 UTC 
Created attachment 8764 [details]
[PATCH 2/3] s3:smbd: convert srvstr_pull_req_talloc() into a  function
Comment 3 Ralph Wuerthner 2013-04-12 08:01:09 UTC 
Created attachment 8765 [details]
[PATCH 3/3] s3:smbd: do not access data behind req->buf+req->buflen  in srvstr_pull_req_talloc()
Comment 4 Volker Lendecke 2013-04-12 08:24:02 UTC 
Created attachment 8766 [details]
Consolidated patch

Consolidated patch for easier push
Comment 5 Christian Ambach 2013-04-16 10:31:43 UTC 
Karolin, please pick for v4.0.next
Comment 6 Karolin Seeger 2013-04-17 06:57:44 UTC 
Pushed to autobuild-v4-0-test.
Comment 7 Karolin Seeger 2013-04-17 09:10:37 UTC 
Pushed to v4-0-test.
Closing out bug report.

Thanks!