RACE condition in samba 2.2.0

[Dirk De Wachter]

Dear samba enthousiasts,

While trying to implement the latest version of SAMBA (2.2.0) on HP-
UX 10.20, the smbd daemon quickly died after a few connections. 
Examining the core dump revealed a race condition which led to stack 
exhaustion and a segmentation violation.

The race condition is initiated as follows:
1. some error condition is issued (don't know which as stack depth is 
limited in the debugger) and a DEBUG call is done.
2. In smb.conf the log file is specified as log.smb.%M for which the 
qualified host name must be queried.
3. Something happens in the call to getpeername() and this failure 
triggers another DEBUG call.

At this moment the race condition is entered:
DEBUG calls dbghdr, which call Debug1(). In this function a call is 
done to check_log_size (), for which the logfilename must be known. 
The logfilename however depends on the qualified hostname, which is 
unknown because getpeername() fails (see above).

The complete race can be listed as follows (with the source lines as 
given by the debugger and refering to the original samba 2.2.0 
source)
DEBUG
dbghdr (lib/debug: 726)
Debug1 (lib/debug: 544)
check_log_size (lib/debug: 409)
reopen_logs (lib/debug: 324)
lp_logfile (param/loadparm.c: 1425)
lp_string (param/loadparm: 1398)
standard_sub_basic (lib/substitute: 180)
client_name (lib/util_sock: 976)
get_socket_name (lib/util_sock: 1041)
get_socket_addr (lib/util_sock: 1084)

Here getpeername fails (errno=9: Bad file descriptor; fd=12)
and DEBUG is re-initiated, thus closing the loop.

As there are different ways to solve this problem, I do not feel to 
be the appropriate person to select the one that best fits the samba 
code. Any of the developers that can take this?
I will be glad to give more information if needed. In fact this core 
dump is highly reproducable :-)

Best regards,

Dirk De Wachter
Hydraulics Laboratory, Ghent University, Belgium

PS. I'm no longer subscribed to samba-technical. Please CC.