[PATCH] segfault (attempt to dereference/free null) in smbd/service.c -- 2.0.7 and 2.2.0-alpha

Ed Boraas ed at boraas.ca
Fri Apr 6 20:32:32 GMT 2001 

Hi, all.

Recently, I've been experiencing a number of segfaults in Samba 2.0.7,
generating entries in the smb logile as follows:

[begin log snippet]
[2001/04/06 13:44:58, 1] smbd/conn.c:conn_new(104)
  ERROR! Out of connection structures
[2001/04/06 13:44:58, 0] smbd/service.c:make_connection(291)
  Couldn't find free connection.
[2001/04/06 13:44:58, 0] lib/fault.c:fault_report(40)
  ===============================================================
[2001/04/06 13:44:58, 0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 1311 (2.0.7)
  Please read the file BUGS.txt in the distribution
[2001/04/06 13:44:58, 0] lib/fault.c:fault_report(43)
  ===============================================================
[2001/04/06 13:44:58, 0] lib/util.c:smb_panic(2381)
  PANIC: internal error
[end log snippet]

The client in question is an NT4 Terminal Server, with a large number of
concurrent users. After the smbd dies, various Bad Things(tm) occur,
including document corruption and the like. After a brief investigation, I
believe the following patch should prevent the segfault:

[begin patch]
--- samba-2.0.7.old/source/smbd/service.c       Tue Apr 25 17:07:12 2000
+++ samba-2.0.7.new/source/smbd/service.c       Fri Apr  6 12:06:24 2001
@@ -290,7 +290,6 @@
        if (!conn) {
                DEBUG(0,("Couldn't find free connection.\n"));
                *ecode = ERRnoresource;
-               conn_free(conn);
                return NULL;
        }
[end patch]

Perhaps I am mistaken about the specifics of the situation, but I believe
calling conn_free(0) (which is guaranteed in this case) would never be
desirable. I don't believe any of the other cleanup work done within
conn_free() is necessary in this case either (e.g., num_open does not need
to be decremented, since it was never incremented in this case). The same
change can (and should, if I am correct) be applied to 2.2.0-alpha3.

Am I correct in my analysis?

Also, I am curious as to the specifics of what it is that triggers the "Out
of connection structures" condition. Though smbd should no longer segfault
in this situation, will it cause other problems for me down the line?

Thanks,
Ed Boraas

More information about the samba-technical mailing list