samba_3_0 still segfaults upon trying to refresh view of printers: gdb bt

jra at dp.samba.org
Thu Apr 10 19:04:56 GMT 2003


On Thu, Apr 10, 2003 at 08:49:09AM -0700, Esh, Andrew wrote:
> I just noticed a potential problem in tdb/tdbutil.c, tdb_pack. The primary
> intent of tdb_pack is to pack and store values into a given buffer. The use
> it is also being put to is to use a null buffer and zero size in order to
> simply "measure" the storage which would be needed if a buffer were actually
> supplied. The problem is, some of the code in tdb_pack could still do the
> storage to the given buffer, even when it is only measuring. It seems to me
> that if someone were to pass the right arguments to tdb_pack, they could
> cause a segfault.
> 
> The specific problem is that the bufsize is assumed to be a positive
> integer. If it starts at zero, as in a measurement call, it gets decremented
> by the measurement of the first storage item. The second storage item starts
> with bufsize less than zero. The code will continue to work until the
> bufsize is decremented below MAXINT, at which point the storage code will
> become active, and the null pointer will have values written to it.
> 
> This probably does not explain the bug being described by Alex Deiter, since
> the call that appears to have caused that problem only passes one storage
> item.
> 
> Here's a suggestion: Don't store when bufsize is zero, and don't alter
> bufsize if it's already zero.

Good catch - applied.

Jeremy.
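The measure-then-store pattern Andrew describes, written out as a small stand-alone packer so the failure mode and the fix are visible in one place. This is added example code, not Samba's tdb_pack: the item types ('d' for a 32-bit little-endian integer, 'P' for a NUL-terminated string), the function names and the sample printer record are all assumptions constructed for the example. It applies the suggested fix in a slightly stronger form: bufsize is never decremented at all (remaining space is derived from an unchanged bufsize and a running `used` count), and nothing is written unless the buffer is real and the item fits, so a measuring call with a NULL buffer and zero size cannot touch memory no matter how many items follow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified packer (not Samba's tdb_pack). */
typedef struct {
    char type;          /* 'd' = 32-bit little-endian int, 'P' = NUL-terminated string */
    uint32_t num;       /* used when type == 'd' */
    const char *str;    /* used when type == 'P' */
} pack_item;

#define PACK_ERR ((size_t)-1)   /* returned for an unknown item type */

/* Pack items into buf. Returns the number of bytes the packed form needs,
 * whether or not it was written. Writes only while buf is non-NULL,
 * bufsize is non-zero and the current item fits; once an item does not fit
 * it stops writing but keeps counting, so the caller can compare the
 * return value with bufsize to detect a too-small buffer. A measure-only
 * call passes (NULL, 0) and can never write. bufsize itself is never
 * modified, so there is no counter to go negative or wrap. */
size_t pack_items(char *buf, size_t bufsize, const pack_item *items, size_t nitems)
{
    size_t used = 0;
    int writing = (buf != NULL && bufsize > 0);

    for (size_t i = 0; i < nitems; i++) {
        size_t len;
        if (items[i].type == 'd') {
            len = 4;
        } else if (items[i].type == 'P') {
            len = strlen(items[i].str) + 1;
        } else {
            return PACK_ERR;
        }

        /* used <= bufsize holds whenever writing is still set, so the
         * subtraction cannot underflow; short-circuit skips it otherwise. */
        if (writing && len <= bufsize - used) {
            if (items[i].type == 'd') {
                uint32_t v = items[i].num;
                buf[used + 0] = (char)(v & 0xff);
                buf[used + 1] = (char)((v >> 8) & 0xff);
                buf[used + 2] = (char)((v >> 16) & 0xff);
                buf[used + 3] = (char)((v >> 24) & 0xff);
            } else {
                memcpy(buf + used, items[i].str, len);
            }
        } else {
            writing = 0;    /* does not fit, or measure-only: count only */
        }
        used += len;
    }
    return used;
}

/* Constructed sample record (values made up for the example). */
static const pack_item sample_items[] = {
    { 'd', 3, NULL },
    { 'P', 0, "printer1" },
    { 'P', 0, "HP LaserJet" },
    { 'd', 0xdeadbeefu, NULL },
};
#define SAMPLE_COUNT (sizeof(sample_items) / sizeof(sample_items[0]))

/* Measure-only pass: NULL buffer, zero size. Expected: 4 + 9 + 12 + 4 = 29. */
size_t sample_measure(void)
{
    return pack_items(NULL, 0, sample_items, SAMPLE_COUNT);
}

/* Store pass into a caller buffer; returns the bytes needed. */
size_t sample_store(char *buf, size_t bufsize)
{
    return pack_items(buf, bufsize, sample_items, SAMPLE_COUNT);
}

/* 1 when measure and store agree and the stored bytes decode correctly. */
int sample_roundtrip_ok(void)
{
    char buf[64];
    size_t need = sample_measure();
    size_t got;
    if (need == PACK_ERR || need > sizeof buf) return 0;
    memset(buf, 0, sizeof buf);
    got = sample_store(buf, sizeof buf);
    if (got != need) return 0;
    if ((unsigned char)buf[0] != 3 || buf[1] || buf[2] || buf[3]) return 0;
    if (strcmp(buf + 4, "printer1") != 0) return 0;
    if (strcmp(buf + 13, "HP LaserJet") != 0) return 0;
    if ((unsigned char)buf[25] != 0xef || (unsigned char)buf[28] != 0xde) return 0;
    return 1;
}

/* 1 when a too-small buffer is reported as such without being overrun:
 * the guard byte just past the 8 usable bytes must be untouched. */
int sample_small_buffer_ok(void)
{
    char small[8 + 1];
    size_t need;
    memset(small, 0x7f, sizeof small);
    need = sample_store(small, 8);
    return need == 29 && (unsigned char)small[8] == 0x7f;
}

int main(void)
{
    printf("measured %zu bytes, roundtrip %s, small buffer %s\n",
           sample_measure(),
           sample_roundtrip_ok() ? "ok" : "FAIL",
           sample_small_buffer_ok() ? "ok" : "FAIL");
    return 0;
}
```

The caller's contract is the useful part: measure with `(NULL, 0)`, allocate exactly that many bytes, store, and treat a return value larger than the buffer as "not fully written" rather than as success.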

