Null pointer parameter in stat call in VFS layer

Cam Macdonell cam at cs.ualberta.ca
Fri Aug 15 19:31:57 GMT 2008


Jeremy Allison wrote:
> On Wed, Aug 13, 2008 at 06:23:09PM -0600, Cam Macdonell wrote:
>> Hi,
>>
>> I'm running a 3.0.28 server with a stackable VFS layer that I wrote. I'm 
>> encountering a bug that didn't occur when I ran with 3.0.21c previously.  
>> When I initially connect to the samba server with smbclient, the server 
>> executes a stat on the directory specified in the share.  However, the 
>> call to my vfs_stat function (corresponds to SMB_VFS_OP_STAT) receives a 
>> null pointer for the third parameter which is of type SMB_STRUCT_STAT*.  
>> Is there some circumstance where the stat buffer might be null?  The 
>> expected behaviour of returning -1 with "Bad Address" causes the samba 
>> connection to fail.
> 
> Can you post a backtrace when you get the NULL
> pointer ? Also you might want to try a later
> release. This could be a bug that was fixed.

I've tried with 3.0.29 with the same results.  I dereference the sbuf 
parameter at the start of the vfs_stat function to generate the backtrace.

[2008/08/15 13:27:46, 3] smbd/uid.c:push_conn_ctx(358)
   push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2008/08/15 13:27:46, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/08/15 13:27:46, 5] auth/auth_util.c:debug_nt_user_token(448)
   NT user token: (NULL)
[2008/08/15 13:27:46, 5] auth/auth_util.c:debug_unix_user_token(474)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2008/08/15 13:27:46, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
   pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2008/08/15 13:27:46, 0] lib/fault.c:fault_report(41)
   ===============================================================
[2008/08/15 13:27:46, 0] lib/fault.c:fault_report(42)
   INTERNAL ERROR: Signal 11 in pid 1166 (3.0.29)
   Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/08/15 13:27:46, 0] lib/fault.c:fault_report(44)

   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/08/15 13:27:46, 0] lib/fault.c:fault_report(45)
   ===============================================================
[2008/08/15 13:27:46, 0] lib/util.c:smb_panic(1633)
   PANIC (pid 1166): internal error
[2008/08/15 13:27:46, 0] lib/util.c:log_stack_trace(1737)
   BACKTRACE: 12 stack frames:
    #0 /usr/local/samba/sbin/smbd(log_stack_trace+0x2d) [0xb7dce4fc]
    #1 /usr/local/samba/sbin/smbd(smb_panic+0x78) [0xb7dce62a]
    #2 /usr/local/samba/sbin/smbd [0xb7dba2c4]
    #3 [0xb7b9c420]
    #4 /usr/local/samba/sbin/smbd [0xb7c82957]
    #5 /usr/local/samba/sbin/smbd(make_connection+0x722) [0xb7c833f6]
    #6 /usr/local/samba/sbin/smbd(reply_tcon_and_X+0x3f5) [0xb7c471c7]
    #7 /usr/local/samba/sbin/smbd [0xb7c7dc06]
    #8 /usr/local/samba/sbin/smbd(smbd_process+0x8b6) [0xb7c7ef30]
    #9 /usr/local/samba/sbin/smbd(main+0xb2c) [0xb7e800ce]
    #10 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0) [0xb79f2450]
    #11 /usr/local/samba/sbin/smbd [0xb7c079a1]
[2008/08/15 13:27:46, 3] smbd/sec_ctx.c:push_sec_ctx(208)
   push_sec_ctx(1000, 1000) : sec_ctx_stack_ndx = 1
[2008/08/15 13:27:46, 3] smbd/uid.c:push_conn_ctx(358)
   push_conn_ctx(101) : conn_ctx_stack_ndx = 0

My hunch is I'm doing something that's overwriting the stack, but I'm 
not sure how to track that down quickly.  Any tips are appreciated,

Thanks,
Cam
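The thread above is about a stackable VFS stat handler that dereferences a NULL SMB_STRUCT_STAT* and takes the whole smbd process down with SIGSEGV. As an added example, not Cam's module and not Samba's own code, the plain-C sketch below reproduces the stackable pattern with the guard a defender wants in such a layer: an out-parameter that is NULL is rejected with EFAULT ("Bad Address") and logged, instead of being written through, and a valid buffer is forwarded to the layer below. The `vfs_layer` struct, the `guarded_stat` name and the use of libc stat(2) as the bottom layer are assumptions standing in for Samba's vfs_handle_struct and SMB_VFS_NEXT_STAT, not the real 3.0 API.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical stand-in for Samba's vfs_handle_struct (assumption, not the
 * real API): each layer holds a pointer to the next layer's stat implementation. */
typedef int (*stat_fn)(const char *fname, struct stat *sbuf);

struct vfs_layer {
    const char *name;
    stat_fn next_stat;      /* the layer below us; libc stat(2) at the bottom */
};

/* Bottom of the stack: plain libc stat(2). */
static int base_stat(const char *fname, struct stat *sbuf)
{
    return stat(fname, sbuf);
}

/* Stackable stat wrapper with the guard discussed in the thread: a NULL output
 * buffer (or path) is refused with EFAULT instead of being dereferenced. */
int guarded_stat(struct vfs_layer *layer, const char *fname, struct stat *sbuf)
{
    if (layer == NULL || layer->next_stat == NULL) {
        errno = EINVAL;
        return -1;
    }
    if (sbuf == NULL || fname == NULL) {
        /* Log enough to correlate with the caller's log level 0 output;
         * never touch *sbuf on this path. */
        fprintf(stderr, "[%s] stat(%s): NULL %s pointer from caller\n",
                layer->name, fname ? fname : "(null)",
                sbuf == NULL ? "sbuf" : "fname");
        errno = EFAULT;
        return -1;
    }
    /* Forward down the stack, as SMB_VFS_NEXT_STAT would in a real module. */
    return layer->next_stat(fname, sbuf);
}

/* Returns 1 if a NULL sbuf is rejected with EFAULT rather than crashing. */
int null_sbuf_is_rejected(void)
{
    struct vfs_layer layer = { "demo", base_stat };
    int rc = guarded_stat(&layer, "/", NULL);
    return (rc == -1 && errno == EFAULT) ? 1 : 0;
}

/* Returns 1 if a valid buffer is passed through and "/" is seen as a directory. */
int valid_sbuf_passes_through(void)
{
    struct vfs_layer layer = { "demo", base_stat };
    struct stat st;
    memset(&st, 0, sizeof(st));
    if (guarded_stat(&layer, "/", &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) ? 1 : 0;
}

int main(void)
{
    printf("NULL sbuf rejected with EFAULT: %s\n",
           null_sbuf_is_rejected() ? "yes" : "no");
    printf("valid sbuf passed through:      %s\n",
           valid_sbuf_passes_through() ? "yes" : "no");
    return 0;
}
```

A guard like this turns the crash into a logged, recoverable failure of the tree connect but does not explain where the NULL came from. For the stack-overwrite hunch in the message, the usual way to localize the writer is to build the module and smbd with gcc's -fstack-protector-all and run smbd in the foreground under valgrind or gdb, so the first out-of-bounds write is reported at its source rather than at the later dereference.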

