SIG11 in smbtorture (libsmb/clientgen.c)

Andrew Bartlett abartlet at pcug.org.au
Sat Jun 30 10:41:35 GMT 2001


I have started looking at making smbtorture more scriptable, with
failures being returned as status outputs.  I thought it would be a good
idea to check if smbtorture actually worked *before* I started, and I
find it doesn't :-)

Well, it does for most of the tests - using smbd-on-a-string mode (AKA
SMBLIB_PROG), but test RW3 does this:

It's failing to free a pointer, but I can't see how this particular test
fails when the rest work fine.  The failing op is on cli->outbuf.

Does anybody have any ideas?

(I have had no problems reproducing this - so it's not memory or the
like).

Andrew Bartlett

[abartlet at piglett bin]$ gdb ./smbtorture core 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./smbtorture //localhost/test RW3'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libdl.so.2...done.
Reading symbols from /lib/libcrypt.so.1...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x400c0109 in chunk_free (ar_ptr=0x40154d40, p=0x80ff030) at
malloc.c:3111
3111	malloc.c: No such file or directory.
(gdb) bt full
#0  0x400c0109 in chunk_free (ar_ptr=0x40154d40, p=0x80ff030) at
malloc.c:3111
	hd = 1075137864
	sz = 65544
	idx = 0
	next = 0x810f038
	nextsz = 0
	prevsz = 1075137864
	bck = 0x424d53ff
	fwd = 0x810f040
	islr = 0
#1  0x400bff9a in __libc_free (mem=0x80ff038) at malloc.c:3023
	mem = (void *) 0x810f038
	ar_ptr = (arena *) 0x40154d40
	p = 0x80ff030
#2  0x8051633 in cli_shutdown (cli=0x80b4d80) at libsmb/clientgen.c:210
	cli = (struct cli_state *) 0x80b4d80
#3  0x804ad36 in close_connection (c=0x80b4d80) at torture/torture.c:162
	c = (struct cli_state *) 0x80b4d80
#4  0x804b9bd in run_readwritelarge (dummy=0) at torture/torture.c:531
	cli1 = {port = 139, fd = 5, cnum = 1, pid = 11426, mid = 1, vuid = 100,
protocol = 5, sec_mode = 3, rap_error = 0, privileges = 0, eff_name =
'\000' <repeats 255 times>, 
  desthost = "localhost", '\000' <repeats 246 times>, user_name =
"abartlet", '\000' <repeats 247 times>, domain = '\000' <repeats 255
times>, server_type = "Samba", '\000' <repeats 250 times>, 
  server_os = "Unix", '\000' <repeats 251 times>, server_domain =
"TESTWG", '\000' <repeats 249 times>, share = "test", '\000' <repeats
251 times>, dev = ":NTFS", '\000' <repeats 250 times>, called = {
    name = "LOCALHOST\000\000\000\000\000\000\000", scope = '\000'
<repeats 63 times>, name_type = 32}, calling = {name =
"PIGLETT\000\000\000\000\000\000\000\000\000", scope = '\000' <repeats
63 times>, 
    name_type = 0}, full_dest_host_name = '\000' <repeats 255 times>,
dest_ip = {s_addr = 16777343}, pwd = {null_pwd = 0, cleartext = 0,
crypted = 0, password = '\000' <repeats 255 times>, 
    smb_lm_pwd = '\000' <repeats 15 times>, smb_nt_pwd = '\000' <repeats
15 times>, smb_lm_owf = '\000' <repeats 23 times>, smb_nt_owf = '\000'
<repeats 127 times>, nt_owf_len = 0, 
    lm_cli_chal = "\000\000\000\000\000\000\000", nt_cli_chal = '\000'
<repeats 127 times>, nt_cli_chal_len = 0, sess_key = '\000' <repeats 15
times>}, cryptkey = "ø\214\\`X)\224µ", sesskey = 11428, 
  serverzone = -36000, servertime = 993859293, readbraw_supported = 1,
writebraw_supported = 1, timeout = 120000, max_xmit = 69632, max_mux =
50, outbuf = 0x80ff038 "", inbuf = 0x810f040 "", 
  bufsize = 65539, initialised = 1, win95 = 0, capabilities = 949,
mem_ctx = 0x80fe9b8, nt_error = 0, nt_pipe_fnum = 0, sess_key = '\000'
<repeats 15 times>, ntlmssp_hash = '\000' <repeats 257 times>, 
  ntlmssp_cli_flgs = 0, ntlmssp_srv_flgs = 0, ntlmssp_seq_num = 0,
clnt_cred = {challenge = {data = "\000\000\000\000\000\000\000"},
timestamp = {time = 0}}, mach_acct = '\000' <repeats 255 times>, 
  srv_name_slash = '\000' <repeats 255 times>, clnt_name_slash = '\000'
<repeats 255 times>, max_xmit_frag = 0, max_recv_frag = 0, key = {pid =
0, vuid = 0}, ntlmssp_flags = 0, use_oplocks = 0, 
  use_level_II_oplocks = 0, oplock_handler = 0x805ee50 <cli_oplock_ack>}
	fnum1 = 5025
	lockfname = 0x8085052 "\\large.dat"
	fsize = 65536
	buf = '\000' <repeats 65535 times>
#5  0x80509c0 in run_test (name=0xbffffa78 "RW3") at
torture/torture.c:2895
	name = 0xbffffa78 "RW3"
	i = 25
#6  0x8050de9 in main (argc=3, argv=0xbffff924) at
torture/torture.c:3050
	argc = 2
	argv = (char **) 0xbffff928
	opt = 1075137864
	i = 1
	p = 0x1 <Address 0x1 out of bounds>
	gotpass = 1
	servicesf = "/home/abartlet/build_farm/prefix/samba/lib/smb.conf",
'\000' <repeats 972 times>
(gdb) 

-- 
Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org



