64bit problems in 2.0.5a

Darren Reed darrenr at telnetmedia.com
Fri Jan 28 05:29:38 GMT 2000

The first problem I found is at nmbd/nmbd_winsserver.c:814 (or thereabouts):

  if( namerec != NULL )
  {
    /* ud has only char alignment, yet is reinterpreted as a struct whose first members are pointers */
    char ud[sizeof(struct userdata_struct) + sizeof(struct packet_struct *)];
    struct userdata_struct *userdata = (struct userdata_struct *)ud;
    ...
  }

"struct userdata_struct" contains pointers as the first few records.
It is possible for ud to be stored on an address boundary which is not
a multiple of 8 and hence cause a bus error when trying to access the
first element - copy_fn - which is a pointer. Stack trace is as follows:

(dbx) where
  [1] _libc_kill(0x0, 0x6, 0x0, 0x0, 0xffffffffffffffff, 0x1001524f8), at 0xffff
  [2] abort(0xffffffff7f0affb8, 0x100138958, 0x10013ac58, 0x97b, 0x100138908, 0x2b), at 0xffffffff7ef4115c
  [3] smb_panic(why = 0x100138958 "internal error"), line 2429 in "util.c"
  [4] fault_report(sig = 10), line 45 in "fault.c"
  [5] sig_fault(sig = 10), line 65 in "fault.c"
  [6] sigacthandler(0xa, 0x0, 0xffffffff7fffe5a0, 0xa, 0x0, 0x1), at 0xffffffff7
  ---- called from signal handler with signal 10 (SIGBUS) ------
=>[7] wins_process_multihomed_name_registration_request(subrec = 0x10015f3e0, p = 0x10016b750), line 1131 in "nmbd_winsserver.c"
  [8] process_nmb_request(p = 0x10016b750), line 1488 in "nmbd_packets.c"
  [9] run_packet_queue(), line 1588 in "nmbd_packets.c"
  [10] process(), line 265 in "nmbd.c"
  [11] main(argc = 4, argv = 0xffffffff7fffede8), line 783 in "nmbd.c"

Using "long" instead of "char" as:

long ud[(sizeof(foo) + sizeof(bar))/sizeof(long) + 1];

seems to solve the problem (the +1 is there to take care of truncation).
It would appear this problem is elsewhere in samba code too.
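An added illustration, not code from this post or from Samba (the struct definitions are constructed stand-ins for the real ones): the alignment check a defensive accessor can apply before reinterpreting a char buffer, and the long-backed storage fix described above, with the +1 covering the integer division.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed look-alikes of the Samba structs, not the real definitions. */
struct packet_struct { int len; unsigned char data[64]; };
struct userdata_struct {
    void (*copy_fn)(void *);    /* pointer first: needs 8-byte alignment on LP64 */
    void (*free_fn)(void *);
    size_t data_len;
    char data[1];
};

/* Alignment the struct needs; sizeof(void *) is a conservative stand-in for _Alignof. */
#define USERDATA_ALIGN sizeof(void *)

/* Nonzero if p lies on a multiple of align (align must be a power of two). */
int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p & (align - 1)) == 0;
}

/* Defensive accessor for the reported pattern: a char array has alignment 1,
 * so refuse to reinterpret storage that is not aligned for the struct instead
 * of letting a strict-alignment CPU (SPARC, as in the report) raise SIGBUS. */
struct userdata_struct *userdata_from_buffer(void *buf)
{
    return is_aligned(buf, USERDATA_ALIGN) ? (struct userdata_struct *)buf : NULL;
}

/* Number of longs needed to hold nbytes; the +1 absorbs the truncation of
 * the integer division, exactly as the post's "long ud[...]" fix does. */
size_t longs_for(size_t nbytes)
{
    return nbytes / sizeof(long) + 1;
}

/* The fix applied: back the storage with longs inside a union so the
 * compiler guarantees alignment suitable for both the longs and the struct. */
int aligned_backing_is_accepted(void)
{
    union {
        long words[(sizeof(struct userdata_struct) + sizeof(struct packet_struct *)) / sizeof(long) + 1];
        struct userdata_struct s;
    } ud;
    memset(&ud, 0, sizeof ud);
    return userdata_from_buffer(ud.words) != NULL;   /* 1: always aligned */
}

/* A deliberately odd address (aligned backing plus one byte) must be rejected. */
int misaligned_backing_is_rejected(void)
{
    static long backing[8];
    return userdata_from_buffer((char *)backing + 1) == NULL;   /* 1 */
}
```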
