infinite loop in tdb/tdb.c function tdb_next_lock

Shlomi Yaakobovich Shlomi at exanet.com
Wed Feb 23 06:01:39 GMT 2005


Hi,

I have also run into the same scenario; for me it was the unexpected.tdb file. What I did in order to fix this was to add the simple check before assigning current and off:

> diff -u tdb.c patch/tdb.c
--- tdb.c       2005-02-22 17:55:45.000000000 +0200
+++ patch/tdb.c 2005-02-23 07:57:00.000000000 +0200
@@ -1280,6 +1280,8 @@
                                return tlock->off;
                        }
                        /* Try to clean dead ones from old traverses */
+            if (tlock->off == rec->next)
+                goto fail;
                        current = tlock->off;
                        tlock->off = rec->next;
                        if (!tdb->read_only &&
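Review bot: the check added at the top of this hunk only catches a record whose `next` pointer refers back to itself (`tlock->off == rec->next`); a corrupt chain that forms a cycle of two or more records would still make this loop spin forever, exactly as before. Bounding the number of iterations by the number of records the file can hold, or detecting a cycle with a second cursor that advances two records per step, would cover the general case. Also, the two inserted lines are indented with spaces while the surrounding code uses tabs.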

It resulted in failing the validation of course, and successfully restored the file from its backup file.

The patch is also attached here, based on my Samba 3.0.7, if anyone wishes to use it. I am not an expert in Samba code, but it looks as if this can't be any worse than the current code, which causes the infinite loop. There may be a better solution; those who know this code better should comment on it, I suppose.

Shlomi


> hello,
> 
> I had the problem that tdbbackup (and tdbdump) hangs in case of a
> corrupt printer.tdb file. This problem is in Samba 3.0.8 and Samba
> 3.0.10 on Linux and Solaris servers.
> (This is a real problem if you use tdbbackup in your rc scripts.)
> If someone needs the corrupt printer.tdb file, send an email to me. I
> don't want to send attachments to a mailing list.
> 
> I've found that tdbdump hangs in this loop: tlock->off is
> always 20774 and never changes.
> 
> I've changed the code by inserting the following two lines after line
> 1253, and tdbbackup works fine.
>          if (tlock->off == lastoff) goto fail;
>          lastoff = tlock->off;
> But this code is used in smbd, nmbd, winbindd, smbclient, net, smbspool,
> testparm, testprns, smbstatus, smbcontrol, smbtree, tdbbackup, nmblookup,
> pdbedit, tdbdump, tdbtool, smbpasswd, rpcclient, smbcacls, ntlm_auth,
> smbcquotas and wbinfo.
> 
> I think someone who understands Samba code should fix the bug.
> 
> 1240       /* Iterate through chain */
> 1241        while( tlock->off) {
> 1242               tdb_off current;
> 1243               if (rec_read(tdb, tlock->off, rec) == -1)
> 1244                       goto fail;
> 1245               if (!TDB_DEAD(rec)) {
> 1246                       /* Woohoo: we found one! */
> 1247                       if (lock_record(tdb, tlock->off) != 0)
> 1248                               goto fail;
> 1249                       return tlock->off;
> 1250               }
> 1251               /* Try to clean dead ones from old traverses */
> 1252               current = tlock->off;
> 1253               tlock->off = rec->next;
> 1254               if (!tdb->read_only &&
> 1255                    do_delete(tdb, current, rec) != 0)
> 1256                         goto fail;
> 1257       }
> 
> Cheers
> 
> Gerhard Weick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tdb_loop.patch
Type: application/octet-stream
Size: 354 bytes
Desc: tdb_loop.patch
Url : http://lists.samba.org/archive/samba-technical/attachments/20050223/95408d40/tdb_loop.obj
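Both checks proposed in this thread, Gerhard's `lastoff` comparison and the `tlock->off == rec->next` test in the patch above, only detect a record whose next pointer refers back to itself. A corrupt chain can also close into a longer cycle, which neither check stops. The following is an added example, not Samba code: it models a tdb hash chain in memory with constructed records, replays the read-only walk of the tdb_next_lock loop with the self-reference check, and sets it beside a tortoise-and-hare walk that fails on a cycle of any length. Every name in it (`fake_tdb`, `read_rec`, `walk_selfcheck`, `walk_cyclecheck`, `build_chain`, `run_case`) is invented for the example; `read_rec` stands in for tdb's `rec_read` and the `dead` flag for `TDB_DEAD(rec)`.

```c
#include <stdio.h>

/* Constructed in-memory model of a tdb hash chain (example code, not tdb.c).
 * Records are addressed by offset; offset 0 ends a chain, as in tdb. The
 * "dead" flag stands in for TDB_DEAD(rec). */
#define NRECS 8

struct rec {
    unsigned next;            /* offset of the following record, 0 = end */
    int dead;                 /* nonzero: leftover from an old traverse */
};

struct fake_tdb {
    struct rec recs[NRECS];   /* offset i is recs[i]; offset 0 is unused */
};

/* Stand-in for rec_read(): rejects offsets outside the "file". */
static int read_rec(const struct fake_tdb *db, unsigned off, struct rec *out)
{
    if (off == 0 || off >= NRECS)
        return -1;
    *out = db->recs[off];
    return 0;
}

/* Walker results other than a record offset (offsets are always > 0). */
enum { WALK_END = 0, WALK_CORRUPT = -1, WALK_HUNG = -2 };

/* Read-only equivalent of the tdb_next_lock loop plus the self-reference
 * check from the patch in this thread. 'budget' exists only so that a chain
 * the real loop would spin on forever is reported as WALK_HUNG instead. */
int walk_selfcheck(const struct fake_tdb *db, unsigned off, unsigned budget)
{
    struct rec r;
    while (off) {
        if (budget-- == 0)
            return WALK_HUNG;          /* the real loop would spin here */
        if (read_rec(db, off, &r) == -1)
            return WALK_CORRUPT;
        if (!r.dead)
            return (int)off;           /* live record: found one */
        if (off == r.next)             /* record points at itself */
            return WALK_CORRUPT;
        off = r.next;
    }
    return WALK_END;
}

/* Same walk with Floyd's tortoise and hare: a second cursor moves two
 * records per iteration, so on a cycle of any length it eventually lands on
 * the first one. On a clean chain the hare reaches offset 0 first. */
int walk_cyclecheck(const struct fake_tdb *db, unsigned off)
{
    struct rec r, h;
    unsigned hare = off;
    while (off) {
        if (read_rec(db, off, &r) == -1)
            return WALK_CORRUPT;
        if (!r.dead)
            return (int)off;
        off = r.next;
        for (int i = 0; i < 2 && hare; i++) {
            if (read_rec(db, hare, &h) == -1)
                return WALK_CORRUPT;
            hare = h.next;
        }
        if (hare && hare == off)
            return WALK_CORRUPT;       /* cursors met: the chain is a cycle */
    }
    return WALK_END;
}

/* Constructed chains, all starting at offset 1. */
enum { CHAIN_CLEAN, CHAIN_SELF_LOOP, CHAIN_TWO_CYCLE };

static void build_chain(struct fake_tdb *db, int kind)
{
    for (unsigned i = 0; i < NRECS; i++)
        db->recs[i] = (struct rec){ 0, 1 };     /* all dead, all terminal */
    switch (kind) {
    case CHAIN_CLEAN:     /* 1(dead) -> 2(dead) -> 3(live) -> end */
        db->recs[1].next = 2; db->recs[2].next = 3; db->recs[3].dead = 0; break;
    case CHAIN_SELF_LOOP: /* 1(dead) -> 1: what the posted checks catch */
        db->recs[1].next = 1; break;
    case CHAIN_TWO_CYCLE: /* 1(dead) -> 2(dead) -> 1: what they miss */
        db->recs[1].next = 2; db->recs[2].next = 1; break;
    }
}

/* Build one constructed chain and walk it with the chosen walker. */
int run_case(int kind, int robust)
{
    struct fake_tdb db;
    build_chain(&db, kind);
    return robust ? walk_cyclecheck(&db, 1) : walk_selfcheck(&db, 1, 64);
}

int main(void)
{
    for (int k = CHAIN_CLEAN; k <= CHAIN_TWO_CYCLE; k++)
        printf("chain %d: self-check %2d  cycle-check %2d\n",
               k, run_case(k, 0), run_case(k, 1));
    return 0;
}
```

On the clean chain both walkers return offset 3; on the self loop both return WALK_CORRUPT; on the two-record cycle the self-reference check exhausts its budget (the real loop would never return) while the tortoise-and-hare walk fails cleanly. The model covers only the read-only walk, with the `!tdb->read_only` branch that deletes dead records omitted; in the writable case the chain changes while it is walked, and a simple iteration bound derived from the file size is the easier guard there.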