Bug 9782 - Panic when running 'smbtorture smb.base'
Summary: Panic when running 'smbtorture smb.base'
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: 4.0.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2013-04-10 15:24 UTC by Ralph Wuerthner
Modified: 2013-04-17 09:10 UTC

Attachments
[PATCH 1/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_get_path_req_wcard() (1.21 KB, patch)
2013-04-12 08:00 UTC, Ralph Wuerthner
[PATCH 2/3] s3:smbd: convert srvstr_pull_req_talloc() into a function (2.66 KB, patch)
2013-04-12 08:00 UTC, Ralph Wuerthner
[PATCH 3/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc() (1.01 KB, patch)
2013-04-12 08:01 UTC, Ralph Wuerthner
Consolidated patch (4.88 KB, patch)
2013-04-12 08:24 UTC, Volker Lendecke
ambi: review+
vl: review+

Description Ralph Wuerthner 2013-04-10 15:24:27 UTC
When running 'smbtorture smb.base' you get the following panic:

[2013/02/23 19:22:58.524698,  0] lib/util.c:810(smb_panic_s3)
  PANIC (pid 2109097): sec_len == -1 in pull_ucs2_base_talloc
[2013/02/23 19:22:58.563334,  0] lib/util.c:921(log_stack_trace)
  BACKTRACE: 22 stack frames:
   #0 smbd(log_stack_trace+0x1a) [0x7f3dfe84022a]
   #1 smbd(smb_panic_s3+0x25) [0x7f3dfe8402f5]
   #2 smbd(smb_panic+0x1a1) [0x7f3dfe8321a1]
   #3 smbd(+0x466298) [0x7f3dfe82f298]
   #4 smbd(srvstr_get_path_wcard+0x42) [0x7f3dfe51a802]
   #5 smbd(srvstr_get_path_req_wcard+0x3c) [0x7f3dfe51a8cc]
   #6 smbd(srvstr_get_path_req+0x12) [0x7f3dfe51ba22]
   #7 smbd(reply_mkdir+0x53) [0x7f3dfe51bdf3]
   #8 smbd(+0x199a7b) [0x7f3dfe562a7b]
   #9 smbd(+0x19a864) [0x7f3dfe563864]
   #10 smbd(+0x19b709) [0x7f3dfe564709]
   #11 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
   #12 smbd(+0x486580) [0x7f3dfe84f580]
   #13 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
   #14 smbd(smbd_process+0xc77) [0x7f3dfe561c07]
   #15 smbd(+0x7202dc) [0x7f3dfeae92dc]
   #16 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
   #17 smbd(+0x486580) [0x7f3dfe84f580]
   #18 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
   #19 smbd(main+0x1381) [0x7f3dfeaead11]
   #20 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f3dfb396cdd]
   #21 smbd(+0x106a19) [0x7f3dfe4cfa19]
[2013/02/23 19:22:58.563848,  0] lib/dumpcore.c:317(dump_core)
  dumping core in /var/log/samba/cores/smbd

The following patch will fix this issue: https://lists.samba.org/archive/samba-technical/2013-April/091451.html

Please consider including this patch in an upcoming 4.0.x release.
Comment 1 Ralph Wuerthner 2013-04-12 08:00:08 UTC
Created attachment 8763
[PATCH 1/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_get_path_req_wcard()
Comment 2 Ralph Wuerthner 2013-04-12 08:00:37 UTC
Created attachment 8764
[PATCH 2/3] s3:smbd: convert srvstr_pull_req_talloc() into a function
Comment 3 Ralph Wuerthner 2013-04-12 08:01:09 UTC
Created attachment 8765
[PATCH 3/3] s3:smbd: do not access data behind req->buf+req->buflen in srvstr_pull_req_talloc()
Comment 4 Volker Lendecke 2013-04-12 08:24:02 UTC
Created attachment 8766
Consolidated patch

Consolidated patch for easier push
Comment 5 Christian Ambach 2013-04-16 10:31:43 UTC
Karolin, please pick for v4.0.next
Comment 6 Karolin Seeger 2013-04-17 06:57:44 UTC
Pushed to autobuild-v4-0-test.
Comment 7 Karolin Seeger 2013-04-17 09:10:37 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!
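
The patch titles in this report describe keeping string pulls inside req->buf + req->buflen. The following is an added illustration of that kind of bounds check, not Samba's code and not the attached patches: struct request, req_bufrem() and pull_string_req() are hypothetical names, and single-byte strings are used instead of UCS-2 for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a request (not Samba's struct): buf points at
 * the data bytes, buflen says how many of them belong to the request. */
struct request { const uint8_t *buf; size_t buflen; };

/* Bytes available from src to the end of the request data, or -1 when src
 * does not point into [buf, buf + buflen]. */
static ptrdiff_t req_bufrem(const struct request *req, const uint8_t *src)
{
    uintptr_t start = (uintptr_t)req->buf, p = (uintptr_t)src;
    if (p < start || p - start > req->buflen) return -1;
    return (ptrdiff_t)(req->buflen - (p - start));
}

/* Copy the NUL-terminated string at src into dest, touching only bytes that
 * belong to the request. Returns bytes consumed including the terminator,
 * or -1 if src is out of range, no terminator lies inside the request, or
 * dest is too small. */
static ptrdiff_t pull_string_req(const struct request *req, const uint8_t *src,
                                 char *dest, size_t destlen)
{
    ptrdiff_t rem = req_bufrem(req, src);
    const uint8_t *nul;
    size_t len;

    if (rem <= 0) return -1;        /* never pass a negative length onward */
    nul = memchr(src, 0, (size_t)rem);
    if (nul == NULL) return -1;     /* string would run past buf + buflen */
    len = (size_t)(nul - src) + 1;
    if (len > destlen) return -1;
    memcpy(dest, src, len);
    return (ptrdiff_t)len;
}

int main(void)
{
    /* Constructed sample: 8 request bytes followed by unrelated memory. */
    static const uint8_t mem[12] = { 'd','i','r',0,'a','b','c','d','X','Y','Z',0 };
    struct request req = { mem, 8 };
    char out[8];
    printf("%td %td %td\n", pull_string_req(&req, mem, out, sizeof out),
           pull_string_req(&req, mem + 4, out, sizeof out),
           pull_string_req(&req, mem + 9, out, sizeof out));
    return 0;
}
```

The second call shows an unterminated string being rejected at the request boundary instead of being read on into the bytes that follow it.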