initialisation problems in rpc code
tridge at samba.anu.edu.au
Fri Aug 21 08:20:08 GMT 1998
While trying to reproduce the profiles BSOD I came across a way to
make samba segfault in the rpc code. I'm telling everyone in the hope
that people will be a bit more careful about the sort of code problem
that leads to this bug.
The bug is in api_lsa_lookup_sids(). It declares a number of
structures on the stack then calls a very deep set of functions to
play with those structures. The problem is that the structure isn't
initialised and at one point a few levels in (in lsa_io_trans_name())
it references a element of the structure that has never been
initialised. The particular element is q_l->names->num_entries2 in
this case. In this case the value happened to be garbage so a
segfault happened when it used this to dereference a array.
The fix is trivial. _always_ initialise structures that you declare on
the stack. The usual trick is:
memset((char *)&q_l, 0, sizeof(q_l));
this ensures that at least we get consistent behaviour and not a bug
that goes away when you try to look at it.
I know this costs us a few cycles, but I'd much rather have reliable
code than saving those microseconds.
The second rule is that you should initialise a variable at the point
of declaration, not as a side effect 6 levels deeper into the
Luke, you might like to go through the rpc code adding initialisation
to all those structures. I'll fix the couple that I have seen problems
with, but really it needs a more thorough examination.
C does not auto-initialise stack variables. We have to do it manually.
here endeth the lesson :)
More information about the samba-technical