[samba-bugs@samba.org: DO NOT REPLY [Bug 5087] Crash of smbd
after upgrade to 3.0.27]
Jeremy Allison
jra at samba.org
Fri Nov 16 18:36:24 GMT 2007
On Fri, Nov 16, 2007 at 04:36:30PM +0100, Michael Adam wrote:
> Hi Jeremy and Jerry,
>
> Samba 3.0.27 panics ("push_ascii - dest_len == -1").
>
> How do we proceed with this one? We have to find all the calls
> that eventually lead to push_ascii called with dest_len == -1.
> My analysis has produced quite a few (see below).
>
> I can't fix all that right now, but I could do some more work on
> that later.
Michael, clistr_push_fn explicitly handles the -1 case if it's pushing
into a cli->outbuf space. Check libsmb/clistr.c for details. srvstr_push_fn
does the same - it ensures it's pushing into valid space for the -1 case.
I'm guessing this is smbfs not setting the max_send correctly in the
sessionsetup call.
Jeremy.
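
The pattern described in the reply above, as an added example that is not part of the original message and is not Samba's code: a wrapper resolves a dest_len of -1 to the space left in a known buffer, and the low-level copy refuses the sentinel when no bound was derived. The names demo_push_ascii, demo_buf_push, outbuf and OUTBUF_SIZE are hypothetical, and returning -1 stands in for the panic quoted in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define OUTBUF_SIZE 64              /* constructed size, for the demo only */
static char outbuf[OUTBUF_SIZE];    /* stands in for a packet buffer */
static char elsewhere[8];           /* memory outside the packet buffer */

/* Low-level copy: needs a real bound. Rejects -1 (or any non-positive
 * length) rather than reading it as "unlimited". Returns bytes written
 * including the NUL, or -1 on rejection. */
static ssize_t demo_push_ascii(char *dest, const char *src, ssize_t dest_len)
{
    size_t n = strlen(src) + 1;
    if (dest_len <= 0)
        return -1;
    if (n > (size_t)dest_len)
        n = (size_t)dest_len;       /* truncate to fit */
    memcpy(dest, src, n - 1);
    dest[n - 1] = '\0';
    return (ssize_t)n;
}

/* Wrapper: -1 means "use whatever is left in buf", which can only be
 * computed when dest really points into buf. */
static ssize_t demo_buf_push(char *buf, size_t buf_size, char *dest,
                             const char *src, ssize_t dest_len)
{
    uintptr_t b = (uintptr_t)buf, d = (uintptr_t)dest;
    if (dest_len == -1) {
        if (d < b || d >= b + buf_size)
            return -1;              /* no bound derivable: refuse */
        dest_len = (ssize_t)(b + buf_size - d);
    }
    return demo_push_ascii(dest, src, dest_len);
}

int main(void)
{
    printf("inside buffer:  %ld\n", (long)
           demo_buf_push(outbuf, OUTBUF_SIZE, outbuf + 60, "ABCDEFGH", -1));
    printf("outside buffer: %ld\n", (long)
           demo_buf_push(outbuf, OUTBUF_SIZE, elsewhere, "x", -1));
    return 0;
}
```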