[samba-bugs@samba.org: DO NOT REPLY [Bug 5087] Crash of smbd after upgrade to 3.0.27]

Jeremy Allison jra at samba.org
Fri Nov 16 18:36:24 GMT 2007


On Fri, Nov 16, 2007 at 04:36:30PM +0100, Michael Adam wrote:
> Hi Jeremy and Jerry,
> 
> Samba 3.0.27 panics ("push_ascii - dest_len == -1").
> 
> How do we proceed with this one? We have to find all the calls
> that eventually lead to push_ascii called with dest_len == -1.
> My analysis has produced quite a few (see below). 
> 
> I can't fix all that right now, but I could do some more work on 
> that later.

Michael, clistr_push_fn explicitly handles the -1 case if it's pushing
into a cli->outbuf space. Check libsmb/clistr.c for details. srvstr_push_fn
does the same - it ensures it's pushing into valid space for the -1 case.

I'm guessing this is smbfs not setting the max_send correctly in the
sessionsetup call.
Jeremy.
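The -1 handling described in the reply above, sketched as an added example (not Samba's code and not part of the original thread): a wrapper resolves the -1 sentinel to the space remaining in a known packet buffer and refuses it when the destination lies outside that buffer. `pkt_buf`, `push_bounded` and `push_into_pkt` are hypothetical names, and the buffers are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an outgoing packet buffer (not Samba's struct). */
struct pkt_buf {
    char  *base;  /* start of the buffer */
    size_t size;  /* bytes available at base */
};

/* Low-level copy that needs a real bound. Returns bytes written including
 * the terminating NUL, or 0 if refused. A dest_len of -1 reaching this
 * level is rejected rather than treated as "unlimited". */
static size_t push_bounded(char *dest, const char *src, long dest_len)
{
    if (dest_len <= 0)
        return 0;
    size_t n = strlen(src) + 1;
    if (n > (size_t)dest_len)
        n = (size_t)dest_len;          /* truncate to the bound */
    memcpy(dest, src, n - 1);
    dest[n - 1] = '\0';
    return n;
}

/* Wrapper: -1 means "use whatever is left in the packet buffer", which is
 * only meaningful when dest really points inside that buffer. */
static size_t push_into_pkt(const struct pkt_buf *pb, char *dest,
                            const char *src, long dest_len)
{
    if (dest_len == -1) {
        uintptr_t d = (uintptr_t)dest, b = (uintptr_t)pb->base;
        if (d < b || d - b >= pb->size)
            return 0;                  /* no safe bound can be derived */
        dest_len = (long)(pb->size - (d - b));
    }
    return push_bounded(dest, src, dest_len);
}

int main(void)
{
    char buf[16], other[4];            /* constructed sample buffers */
    struct pkt_buf pb = { buf, sizeof buf };
    printf("inside:  %zu\n", push_into_pkt(&pb, buf + 10, "ABCDEFGHIJ", -1));
    printf("outside: %zu\n", push_into_pkt(&pb, other, "x", -1));
    return 0;
}
```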


