RACE condition in samba 2.2.0

Dirk De Wachter Dirk.DeWachter at rug.ac.be
Thu May 10 09:06:39 GMT 2001 

Dear samba enthousiasts,

I had already posted a question on the samba-list, but received no 
answer as it was probably too technical to solve. Here are my 
results:

While trying to implement the latest version of SAMBA (2.2.0) on HP-
UX 10.20, the smbd daemon quickly died after a few connections. 
Examining the core dump revealed a race condition which led to stack 
exhaustion and a segmentation violation.

The race condition is initiated as follows:
1. some error condition is issued (don't know which as stack depth is 
limited in the debugger) and a DEBUG call is done.
2. In smb.conf the log file is specified as log.smb.%M for which the 
qualified host name must be queried.
3. Something happens in the call to getpeername() and this failure 
triggers another DEBUG call.
At that moment the race condition is entered:

DEBUG calls dbghdr(), which calls Debug1(). In this latter function a 
call is done to check_log_size (), for which the logfilename must be 
known. The logfilename however depends on the qualified hostname, 
which is unknown because getpeername() fails (see above).

The complete race can be listed as follows (source lines conform to 
the original 2.2.0 source distribution)
DEBUG
dbghdr (lib/debug: 726)
Debug1 (lib/debug: 544)
check_log_size (lib/debug: 409)
reopen_logs (lib/debug: 324)
lp_logfile (param/loadparm.c: 1425)
lp_string (param/loadparm: 1398)
standard_sub_basic (lib/substitute: 180)
client_name (lib/util_sock: 976)
get_socket_name (lib/util_sock: 1041)
get_socket_addr (lib/util_sock: 1084)

Here getpeername fails (errno=9: "Bad file number"; fd=12)
and DEBUG is re-initiated and the loop is closed.

There are some different ways to solve this race condition, but I 
don't feel to be the appropiate person to select the best one. Any of 
the developers that wants to correct this?
Please feel free to demand more information if needed.

Best regards,

Dirk De Wachter
Hydraulics Laboratory, Ghent University, Belgium

PS. I'm no longer subscribed to the technical list, so please CC.

More information about the samba-technical mailing list