initialisation problems in rpc code

Andrew Tridgell tridge at samba.anu.edu.au
Fri Aug 21 08:20:08 GMT 1998


While trying to reproduce the profiles BSOD I came across a way to
make samba segfault in the rpc code. I'm telling everyone in the hope
that people will be a bit more careful about the sort of code problem
that leads to this bug.

The bug is in api_lsa_lookup_sids(). It declares a number of
structures on the stack then calls a very deep set of functions to
play with those structures. The problem is that the structure isn't
initialised and at one point a few levels in (in lsa_io_trans_name())
it references an element of the structure that has never been
initialised. The particular element is q_l->names->num_entries2 in
this case. In this case the value happened to be garbage so a
segfault happened when it used this to dereference an array.

The fix is trivial. _always_ initialise structures that you declare on
the stack. The usual trick is:

    memset((char *)&q_l, 0, sizeof(q_l));

this ensures that at least we get consistent behaviour and not a bug
that goes away when you try to look at it.

I know this costs us a few cycles, but I'd much rather have reliable
code than saving those microseconds.

The second rule is that you should initialise a variable at the point
of declaration, not as a side effect 6 levels deeper into the
code. 

Luke, you might like to go through the rpc code adding initialisation
to all those structures. I'll fix the couple that I have seen problems
with, but really it needs a more thorough examination.

C does not auto-initialise stack variables. We have to do it manually.

here endeth the lesson :)
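As an added illustration of the pattern the post describes (this is example code, not Samba's; the struct and function names are hypothetical stand-ins for the lsa request structures and lsa_io_trans_name()), a handler that zeroes its stack structure at the point of declaration before descending into the deeper routines:

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the LSA request structures the post names
   (names, num_entries2); not Samba's real definitions. */
typedef struct {
    uint32_t num_entries2;   /* the field read uninitialised in the bug */
    uint32_t *entries;       /* num_entries2 items, or NULL when empty */
} name_table;

typedef struct { name_table names; } lookup_query;

/* Innermost routine, several call levels below the handler. Returns the
   number of entries walked, or -1 if count and pointer disagree. With a
   zeroed struct num_entries2 == 0 and entries == NULL, so nothing is
   dereferenced, instead of whatever happened to be on the stack. */
static int io_trans_name(const name_table *t, uint32_t *sum)
{
    if (t->num_entries2 != 0 && t->entries == NULL)
        return -1;
    *sum = 0;
    for (uint32_t i = 0; i < t->num_entries2; i++)
        *sum += t->entries[i];
    return (int)t->num_entries2;
}

static int io_query(const lookup_query *q, uint32_t *sum)
{
    return io_trans_name(&q->names, sum);   /* one more level down */
}

/* Plays the role of api_lsa_lookup_sids(): declares the structure on the
   stack, zeroes it at the point of declaration, then descends. */
int handle_lookup_zeroed(uint32_t *sum)
{
    lookup_query q;
    memset(&q, 0, sizeof(q));   /* the fix recommended in the post */
    return io_query(&q, sum);
}

/* Same handler with the table filled in; "= {0}" is the other common way
   to zero every field at the declaration. */
int handle_lookup_filled(uint32_t *sum)
{
    uint32_t data[3] = {1, 2, 3};   /* constructed sample entries */
    lookup_query q = {0};
    q.names.num_entries2 = 3;
    q.names.entries = data;
    return io_query(&q, sum);
}
```

Without the memset (or the `= {0}`), the count and pointer read by io_trans_name() would be whatever the stack held, which is the class of bug the post describes.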