smbd core dump on usrmgr.exe (part 2)

Esh, Andrew Andrew_Esh at adaptec.com
Fri May 16 14:14:15 GMT 2003


It doesn't appear as though "_samr_add_groupmem" initializes "pwd" before
using it. The "_samr_add_aliasmem" routine above it initializes "pwd", so I
made the same changes here and generated the patch below.

NOTE: A person who can be authoritative for this code should review and test
this patch. I did not, because I'm not sure what the intent of the code is.

Index: srv_samr_nt.c
===================================================================
RCS file: /cvsroot/samba/source/rpc_server/srv_samr_nt.c,v
retrieving revision 1.86.2.25
diff -u -c -r1.86.2.25 srv_samr_nt.c
cvs server: conflicting specifications of output style
*** srv_samr_nt.c	12 May 2003 21:27:53 -0000	1.86.2.25
--- srv_samr_nt.c	16 May 2003 14:09:12 -0000
***************
*** 3504,3509 ****
--- 3504,3510 ----
  {
  	DOM_SID group_sid;
  	DOM_SID user_sid;
+ 	uid_t uid;
  	fstring group_sid_str;
  	struct passwd *pwd;
  	struct group *grp;
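Review bot: `struct passwd *pwd;` is still left uninitialized at its declaration, and an uninitialized `pwd` is exactly what let a garbage pointer reach `Get_Pwnam` in the reported backtrace; declare it as `struct passwd *pwd = NULL;` so any remaining path that reads it before the `getpwuid_alloc` assignment fails deterministically on a NULL rather than on whatever the stack happens to hold. The enclosing function's signature is above this hunk.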
***************
*** 3544,3549 ****
--- 3545,3562 ----
  	
  	if (check != True) {
  		pdb_free_sam(&sam_user);
+ 		return NT_STATUS_NO_SUCH_USER;
+ 	}
+ 	
+ 	/* check a real user exist before we run the script to add a user to
a group */
+ 	if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid)))
{
+ 		pdb_free_sam(&sam_user);
+ 		return NT_STATUS_NO_SUCH_USER;
+ 	}
+ 
+ 	pdb_free_sam(&sam_user);
+ 
+ 	if ((pwd=getpwuid_alloc(uid)) == NULL) {
  		return NT_STATUS_NO_SUCH_USER;
  	}
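Review bot: The `pwd` obtained from `getpwuid_alloc(uid)` has to be released with its matching free routine on every path that follows it, including the early returns after the group-membership check that failed in the reported trace; the body of `_samr_add_groupmem` continues past this hunk, so that cannot be confirmed here, and it matters because an authenticated client can drive this SAMR call repeatedly against a long-lived smbd. `NT_STATUS_IS_ERR` mirrors `_samr_add_aliasmem`, but if `sid_to_uid` can return a warning-severity status that test lets it through to `getpwuid_alloc` with `uid` unset, so `if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {` is the stricter form — worth checking against `sid_to_uid`'s definition. The mailer also wrapped two lines of this hunk, so the patch will not apply as pasted; the intended lines are `/* check a real user exists before we run the script to add a user to a group */` and `if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {`.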
  	

-----Original Message-----
From: Alex Deiter [mailto:tiamat at komi.mts.ru]
Sent: Friday, May 16, 2003 8:39 AM
To: samba-technical at lists.samba.org
Subject: smbd core dump on usrmgr.exe (part 2)


I get a core dump when I attempt to:

1. run usrmgr.exe
2. user -> select domain -> mydomain
3. open user properties
4. open groups
5. add any group from list "Not member of:" to list "Member of:"
6. click OK -> pid 62438 (smbd), uid 0: exited on signal 6 (core dumped)

in gdb:

Program received signal SIGSEGV, Segmentation fault.
0x081c1e47 in strnlen (s=0xc4678 <Error reading address 0xc4678: Bad
address>, n=256) at lib/util_str.c:1275
1275            for (i=0; s[i] && i<n; i++)
(gdb) bt
#0  0x081c1e47 in strnlen (s=0xc4678 <Error reading address 0xc4678: Bad
address>, n=256)
    at lib/util_str.c:1275
#1  0x081c07e2 in safe_strcpy_fn (fn=0x827e9a0 "", line=0, dest=0xbfbfed10
"\006О`( i[(",
    src=0xc4678 <Error reading address 0xc4678: Bad address>, maxlength=255)
at lib/util_str.c:499
#2  0x081bb653 in Get_Pwnam (user=0xc4678 <Error reading address 0xc4678:
Bad address>) at lib/username.c:286
#3  0x081bbb6d in user_in_unix_group_list (user=0xc4678 <Error reading
address 0xc4678: Bad address>,
    gname=0xbfbff0e0 "group") at lib/username.c:402
#4  0x0813c401 in _samr_add_groupmem (p=0x833f000, q_u=0xbfbff3d0,
r_u=0xbfbff3cc)
    at rpc_server/srv_samr_nt.c:3559
#5  0x081315e2 in api_samr_add_groupmem (p=0x833f000) at
rpc_server/srv_samr.c:1010
#6  0x08149a93 in api_rpcTNP (p=0x833f000, rpc_name=0x8324940 "samr",
api_rpc_cmds=0x8338400, n_cmds=48)
    at rpc_server/srv_pipe.c:1485
#7  0x08149676 in api_pipe_request (p=0x833f000) at
rpc_server/srv_pipe.c:1413
#8  0x08142da3 in process_request_pdu (p=0x833f000, rpc_in_p=0xbfbff5e0) at
rpc_server/srv_pipe_hnd.c:669
#9  0x08143015 in process_complete_pdu (p=0x833f000) at
rpc_server/srv_pipe_hnd.c:741
#10 0x08143340 in process_incoming_data (p=0x833f000, data=0x82bda90 "\034",
n=36)
    at rpc_server/srv_pipe_hnd.c:837
#11 0x08143548 in write_to_internal_pipe (np_conn=0x833f000, data=0x82bda90
"\034", n=52)
    at rpc_server/srv_pipe_hnd.c:876
#12 0x081434bd in write_to_pipe (p=0x833e000, data=0x82bda80 "\005", n=52)
at rpc_server/srv_pipe_hnd.c:859
#13 0x08086743 in api_fd_reply (conn=0x833c800, vuid=100, outbuf=0x8368000
"", setup=0x83990d0,
    data=0x82bda80 "\005", params=0x0, suwcnt=2, tdscnt=52, tpscnt=0,
mdrcnt=1024, mprcnt=0) at smbd/ipc.c:298
#14 0x08086992 in named_pipe (conn=0x833c800, vuid=100, outbuf=0x8368000 "",
name=0xbfbff7e6 "",
    setup=0x83990d0, data=0x82bda80 "\005", params=0x0, suwcnt=2, tdscnt=52,
tpscnt=0, msrcnt=0, mdrcnt=1024,
    mprcnt=0) at smbd/ipc.c:342
#15 0x08087629 in reply_trans (conn=0x833c800, inbuf=0x8347000 "",
outbuf=0x8368000 "", size=140,
    bufsize=131072) at smbd/ipc.c:532
#16 0x080c6bc9 in switch_message (type=37, inbuf=0x8347000 "",
outbuf=0x8368000 "", size=140, bufsize=131072)
    at smbd/process.c:758
#17 0x080c6c82 in construct_reply (inbuf=0x8347000 "", outbuf=0x8368000 "",
size=140, bufsize=131072)
    at smbd/process.c:788
#18 0x080c6ff2 in process_smb (inbuf=0x8347000 "", outbuf=0x8368000 "") at
smbd/process.c:889
#19 0x080c7cea in smbd_process () at smbd/process.c:1315
#20 0x08228bd6 in main (argc=2, argv=0xbfbffb44) at smbd/server.c:886
#21 0x0806fef5 in _start ()

Any ideas ?

Thanks!


