Null pointer parameter in stat call in VFS layer
Cam Macdonell
cam at cs.ualberta.ca
Fri Aug 15 19:31:57 GMT 2008
Jeremy Allison wrote:
> On Wed, Aug 13, 2008 at 06:23:09PM -0600, Cam Macdonell wrote:
>> Hi,
>>
>> I'm running a 3.0.28 server with a stackable VFS layer that I wrote. I'm
>> encountering a bug that didn't occur when I ran with 3.0.21c previously.
>> When I initially connect to the samba server with smbclient, the server
>> executes a stat on the directory specified in the share. However, the
>> call to my vfs_stat function (corresponds to SMB_VFS_OP_STAT) receives a
>> null pointer for the third parameter which is of type SMB_STRUCT_STAT*.
>> Is there some circumstance where the stat buffer might be null? The
>> expected behaviour of returning -1 with "Bad Address" causes the samba
>> connection to fail.
>
> Can you post a backtrace when you get the NULL
> pointer ? Also you might want to try a later
> release. This could be a bug that was fixed.
I've tried with 3.0.29 with the same results. I dereference the sbuf
parameter at the start of the vfs_stat function to generate the backtrace.
[2008/08/15 13:27:46, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2008/08/15 13:27:46, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/08/15 13:27:46, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2008/08/15 13:27:46, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2008/08/15 13:27:46, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2008/08/15 13:27:46, 0] lib/fault.c:fault_report(41)
===============================================================
[2008/08/15 13:27:46, 0] lib/fault.c:fault_report(42)
INTERNAL ERROR: Signal 11 in pid 1166 (3.0.29)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/08/15 13:27:46, 0] lib/fault.c:fault_report(44)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/08/15 13:27:46, 0] lib/fault.c:fault_report(45)
===============================================================
[2008/08/15 13:27:46, 0] lib/util.c:smb_panic(1633)
PANIC (pid 1166): internal error
[2008/08/15 13:27:46, 0] lib/util.c:log_stack_trace(1737)
BACKTRACE: 12 stack frames:
#0 /usr/local/samba/sbin/smbd(log_stack_trace+0x2d) [0xb7dce4fc]
#1 /usr/local/samba/sbin/smbd(smb_panic+0x78) [0xb7dce62a]
#2 /usr/local/samba/sbin/smbd [0xb7dba2c4]
#3 [0xb7b9c420]
#4 /usr/local/samba/sbin/smbd [0xb7c82957]
#5 /usr/local/samba/sbin/smbd(make_connection+0x722) [0xb7c833f6]
#6 /usr/local/samba/sbin/smbd(reply_tcon_and_X+0x3f5) [0xb7c471c7]
#7 /usr/local/samba/sbin/smbd [0xb7c7dc06]
#8 /usr/local/samba/sbin/smbd(smbd_process+0x8b6) [0xb7c7ef30]
#9 /usr/local/samba/sbin/smbd(main+0xb2c) [0xb7e800ce]
#10 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0) [0xb79f2450]
#11 /usr/local/samba/sbin/smbd [0xb7c079a1]
[2008/08/15 13:27:46, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(1000, 1000) : sec_ctx_stack_ndx = 1
[2008/08/15 13:27:46, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(101) : conn_ctx_stack_ndx = 0
My hunch is I'm doing something that's overwriting the stack, but I'm
not sure how to track that down quickly. Any tips are appreciated,
Thanks,
Cam