valgrind error in RPC-SPOOLSS-NOTIFY

Jelmer Vernooij jelmer at samba.org
Mon Jan 28 01:58:48 GMT 2008


Hi Volker,

On Sun, Jan 27, 2008 at 05:48:01PM +0100, Volker Lendecke wrote:
> When trying RPC-SPOOLSS-NOTIFY in Samba3 patched with

> --- a/source/lib/util_sock.c
> +++ b/source/lib/util_sock.c
> @@ -2085,6 +2085,10 @@ bool is_myname_or_ipaddr(const char
> *s)
>                 return true;
>         }

> +       if (strequal(servername, "*smbserver")) {
> +               return true;
> +       }
> +
>         /* Maybe it's my dns name */
>         dnsname = get_mydnsfullname();
>         if (dnsname && strequal(servername, dnsname)) {
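Review bot: the added block accepts the literal name "*smbserver" as one of this host's own names with no comment explaining why, while the neighbouring check carries one (`/* Maybe it's my dns name */`); a one-line comment above `if (strequal(servername, "*smbserver")) {` should say what that name is and why a request carrying it counts as addressed to us. Since `strequal` is case-insensitive, like the dnsname test below, the comment should also make clear that "*SMBSERVER" in any case is meant to match. Every caller of `is_myname_or_ipaddr` now gets `true` for this wildcard name, so callers that use the result for anything other than dispatching the request should be checked.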

> I get the attached valgrind error.

> Do you have an idea what might be wrong?
The strange thing is, I cannot reproduce this when running this test 
against Samba 4's smbd, but I can reproduce it against Samba 3. 

It looks like the list of received DCE/RPC packets that the test kept 
was being freed too early because the memory context it was on was
being freed. I've changed this to use talloc_autofree_context(),
because I couldn't find a better memory context to use. Perhaps 
Samba 3 closes the connection quicker or something.

I've committed this to Samba 4 git, and attached the patch.

> I'm using samba4 with svn r26110, the current one does not
> compile for me. But I think that test has not changed for
> quite a while.
Yeah, that's a bit problematic at the moment :-( We need to get v4-0-test 
into a working shape and from then on keep v4-0-stable in a workable state. 

Cheers,

Jelmer

> Thanks,

> Volker

> Invalid read of size 4
> ==17105==    at 0x81C22D8: spoolss__op_dispatch (spoolss_notify.c:89)
> ==17105==    by 0x836388F: dcesrv_input_process (dcerpc_server.c:853)
> ==17105==    by 0x83648D4: dcesrv_input (dcerpc_server.c:1188)
> ==17105==    by 0x833FAEF: ipc_trans (vfs_ipc.c:747)
> ==17105==    by 0x833003A: ntvfs_trans (ntvfs_interface.c:270)
> ==17105==    by 0x832CF39: reply_trans_complete (trans2.c:1183)
> ==17105==    by 0x831E12B: switch_message (receive.c:568)
> ==17105==    by 0x831E887: smbsrv_recv_smb_request (receive.c:160)
> ==17105==    by 0x873083E: packet_recv (packet.c:378)
> ==17105==    by 0x822C954: smbsrv_recv (smb_server.c:96)
> ==17105==    by 0x822DD4B: stream_io_handler_fde (service_stream.c:91)
> ==17105==    by 0x8739B57: std_event_loop_once (events_standard.c:315)
> ==17105==    by 0x8739330: event_loop_once (events.c:295)
> ==17105==    by 0x84C10DF: dcerpc_request_recv (dcerpc.c:1119)
> ==17105==    by 0x84C1C9C: dcerpc_ndr_request_recv (dcerpc.c:1431)
> ==17105==    by 0x838AE4A: dcerpc_spoolss_ClosePrinter (ndr_spoolss_c.c:781)
> ==17105==    by 0x81C2098: test_RFFPCNEx (spoolss_notify.c:274)
> ==17105==    by 0x80CCF4E: torture_rpc_wrap_test (rpc.c:275)
> ==17105==    by 0x80C2650: internal_torture_run_test (ui.c:281)
> ==17105==    by 0x80C28A7: torture_run_tcase (ui.c:340)
> ==17105==    by 0x80C2A13: torture_run_suite (ui.c:197)
> ==17105==    by 0x80BFA78: run_matching (smbtorture.c:72)
> ==17105==    by 0x80BFC01: run_matching (smbtorture.c:58)
> ==17105==    by 0x80C0DC9: main (smbtorture.c:116)
> ==17105==  Address 0x45A7D7C is 60 bytes inside a block of size 64 free'd
> ==17105==    at 0x40231CF: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
> ==17105==    by 0x87573C1: _talloc_free (talloc.c:423)
> ==17105==    by 0x8759C7E: talloc_free (talloc.c:413)
> ==17105==    by 0x836267E: dcesrv_output (dcerpc_server.c:1245)
> ==17105==    by 0x833FB20: ipc_trans (vfs_ipc.c:757)
> ==17105==    by 0x833003A: ntvfs_trans (ntvfs_interface.c:270)
> ==17105==    by 0x832CF39: reply_trans_complete (trans2.c:1183)
> ==17105==    by 0x831E12B: switch_message (receive.c:568)
> ==17105==    by 0x831E887: smbsrv_recv_smb_request (receive.c:160)
> ==17105==    by 0x873083E: packet_recv (packet.c:378)
> ==17105==    by 0x822C954: smbsrv_recv (smb_server.c:96)
> ==17105==    by 0x822DD4B: stream_io_handler_fde (service_stream.c:91)
> ==17105==    by 0x8739B57: std_event_loop_once (events_standard.c:315)
> ==17105==    by 0x8739330: event_loop_once (events.c:295)
> ==17105==    by 0x84C10DF: dcerpc_request_recv (dcerpc.c:1119)
> ==17105==    by 0x84C1C9C: dcerpc_ndr_request_recv (dcerpc.c:1431)
> ==17105==    by 0x838814A: dcerpc_spoolss_RemoteFindFirstPrinterChangeNotifyEx (ndr_spoolss_c.c:1717)
> ==17105==    by 0x81C1F8E: test_RFFPCNEx (spoolss_notify.c:263)
> ==17105==    by 0x80CCF4E: torture_rpc_wrap_test (rpc.c:275)
> ==17105==    by 0x80C2650: internal_torture_run_test (ui.c:281)
> ==17105==    by 0x80C28A7: torture_run_tcase (ui.c:340)
> ==17105==    by 0x80C2A13: torture_run_suite (ui.c:197)
> ==17105==    by 0x80BFA78: run_matching (smbtorture.c:72)
> ==17105==    by 0x80BFC01: run_matching (smbtorture.c:58)
> ==17105==    by 0x80C0DC9: main (smbtorture.c:116)
> ==17105==
> ==17105== Invalid write of size 4
> ==17105==    at 0x81C22DF: spoolss__op_dispatch (spoolss_notify.c:89)
> ==17105==    by 0x836388F: dcesrv_input_process (dcerpc_server.c:853)
> ==17105==    by 0x83648D4: dcesrv_input (dcerpc_server.c:1188)
> ==17105==    by 0x833FAEF: ipc_trans (vfs_ipc.c:747)
> ==17105==    by 0x833003A: ntvfs_trans (ntvfs_interface.c:270)
> ==17105==    by 0x832CF39: reply_trans_complete (trans2.c:1183)
> ==17105==    by 0x831E12B: switch_message (receive.c:568)
> ==17105==    by 0x831E887: smbsrv_recv_smb_request (receive.c:160)
> ==17105==    by 0x873083E: packet_recv (packet.c:378)
> ==17105==    by 0x822C954: smbsrv_recv (smb_server.c:96)
> ==17105==    by 0x822DD4B: stream_io_handler_fde (service_stream.c:91)
> ==17105==    by 0x8739B57: std_event_loop_once (events_standard.c:315)
> ==17105==    by 0x8739330: event_loop_once (events.c:295)
> ==17105==    by 0x84C10DF: dcerpc_request_recv (dcerpc.c:1119)
> ==17105==    by 0x84C1C9C: dcerpc_ndr_request_recv (dcerpc.c:1431)
> ==17105==    by 0x838AE4A: dcerpc_spoolss_ClosePrinter (ndr_spoolss_c.c:781)
> ==17105==    by 0x81C2098: test_RFFPCNEx (spoolss_notify.c:274)
> ==17105==    by 0x80CCF4E: torture_rpc_wrap_test (rpc.c:275)
> ==17105==    by 0x80C2650: internal_torture_run_test (ui.c:281)
> ==17105==    by 0x80C28A7: torture_run_tcase (ui.c:340)
> ==17105==    by 0x80C2A13: torture_run_suite (ui.c:197)
> ==17105==    by 0x80BFA78: run_matching (smbtorture.c:72)
> ==17105==    by 0x80BFC01: run_matching (smbtorture.c:58)
> ==17105==    by 0x80C0DC9: main (smbtorture.c:116)
> ==17105==  Address 0x45A7D7C is 60 bytes inside a block of size 64 free'd
> ==17105==    at 0x40231CF: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
> ==17105==    by 0x87573C1: _talloc_free (talloc.c:423)
> ==17105==    by 0x8759C7E: talloc_free (talloc.c:413)
> ==17105==    by 0x836267E: dcesrv_output (dcerpc_server.c:1245)
> ==17105==    by 0x833FB20: ipc_trans (vfs_ipc.c:757)
> ==17105==    by 0x833003A: ntvfs_trans (ntvfs_interface.c:270)
> ==17105==    by 0x832CF39: reply_trans_complete (trans2.c:1183)
> ==17105==    by 0x831E12B: switch_message (receive.c:568)
> ==17105==    by 0x831E887: smbsrv_recv_smb_request (receive.c:160)
> ==17105==    by 0x873083E: packet_recv (packet.c:378)
> ==17105==    by 0x822C954: smbsrv_recv (smb_server.c:96)
> ==17105==    by 0x822DD4B: stream_io_handler_fde (service_stream.c:91)
> ==17105==    by 0x8739B57: std_event_loop_once (events_standard.c:315)
> ==17105==    by 0x8739330: event_loop_once (events.c:295)
> ==17105==    by 0x84C10DF: dcerpc_request_recv (dcerpc.c:1119)
> ==17105==    by 0x84C1C9C: dcerpc_ndr_request_recv (dcerpc.c:1431)
> ==17105==    by 0x838814A: dcerpc_spoolss_RemoteFindFirstPrinterChangeNotifyEx (ndr_spoolss_c.c:1717)
> ==17105==    by 0x81C1F8E: test_RFFPCNEx (spoolss_notify.c:263)
> ==17105==    by 0x80CCF4E: torture_rpc_wrap_test (rpc.c:275)
> ==17105==    by 0x80C2650: internal_torture_run_test (ui.c:281)
> ==17105==    by 0x80C28A7: torture_run_tcase (ui.c:340)
> ==17105==    by 0x80C2A13: torture_run_suite (ui.c:197)
> ==17105==    by 0x80BFA78: run_matching (smbtorture.c:72)
> ==17105==    by 0x80BFC01: run_matching (smbtorture.c:58)
> ==17105==    by 0x80C0DC9: main (smbtorture.c:116)
> ==17105==
> ==17105== Invalid read of size 2
> ==17105==    at 0x81C20CB: test_RFFPCNEx (spoolss_notify.c:279)
> ==17105==    by 0x80CCF4E: torture_rpc_wrap_test (rpc.c:275)
> ==17105==    by 0x80C2650: internal_torture_run_test (ui.c:281)
> ==17105==    by 0x80C28A7: torture_run_tcase (ui.c:340)
> ==17105==    by 0x80C2A13: torture_run_suite (ui.c:197)
> ==17105==    by 0x80BFA78: run_matching (smbtorture.c:72)
> ==17105==    by 0x80BFC01: run_matching (smbtorture.c:58)
> ==17105==    by 0x80C0DC9: main (smbtorture.c:116)
> ==17105==  Address 0x45A7D70 is 48 bytes inside a block of size 64 free'd
> ==17105==    at 0x40231CF: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
> ==17105==    by 0x87573C1: _talloc_free (talloc.c:423)
> ==17105==    by 0x8759C7E: talloc_free (talloc.c:413)
> ==17105==    by 0x836267E: dcesrv_output (dcerpc_server.c:1245)
> ==17105==    by 0x833FB20: ipc_trans (vfs_ipc.c:757)
> ==17105==    by 0x833003A: ntvfs_trans (ntvfs_interface.c:270)
> ==17105==    by 0x832CF39: reply_trans_complete (trans2.c:1183)
> ==17105==    by 0x831E12B: switch_message (receive.c:568)
> ==17105==    by 0x831E887: smbsrv_recv_smb_request (receive.c:160)
> ==17105==    by 0x873083E: packet_recv (packet.c:378)
> ==17105==    by 0x822C954: smbsrv_recv (smb_server.c:96)
> ==17105==    by 0x822DD4B: stream_io_handler_fde (service_stream.c:91)
> ==17105==    by 0x8739B57: std_event_loop_once (events_standard.c:315)
> ==17105==    by 0x8739330: event_loop_once (events.c:295)
> ==17105==    by 0x84C10DF: dcerpc_request_recv (dcerpc.c:1119)
> ==17105==    by 0x84C1C9C: dcerpc_ndr_request_recv (dcerpc.c:1431)
> ==17105==    by 0x838814A: dcerpc_spoolss_RemoteFindFirstPrinterChangeNotifyEx (ndr_spoolss_c.c:1717)
> ==17105==    by 0x81C1F8E: test_RFFPCNEx (spoolss_notify.c:263)
> ==17105==    by 0x80CCF4E: torture_rpc_wrap_test (rpc.c:275)
> ==17105==    by 0x80C2650: internal_torture_run_test (ui.c:281)
> ==17105==    by 0x80C28A7: torture_run_tcase (ui.c:340)
> ==17105==    by 0x80C2A13: torture_run_suite (ui.c:197)
> ==17105==    by 0x80BFA78: run_matching (smbtorture.c:72)
> ==17105==    by 0x80BFC01: run_matching (smbtorture.c:58)
> ==17105==    by 0x80C0DC9: main (smbtorture.c:116)

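The lifetime mismatch described in the reply (a packet list owned by a context that is torn down once the reply has been sent, then read by the test) is easy to reproduce in miniature. The following C program is an added illustration for this note, not Samba or talloc code: it models talloc's parent/child ownership with a tiny tracked allocator, keeps freed blocks in a quarantine the way valgrind's memcheck does so that a dangling pointer can be recognised instead of dereferenced, and runs the same scenario twice, once with the list hung off the per-request context (the bug) and once off a context that outlives the request (the role talloc_autofree_context() plays in the fix). All names, the packet sizes and the context layout are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Miniature model of talloc-style hierarchical ownership (constructed for
 * this example, not Samba's talloc). Every allocation has a parent; freeing
 * a parent frees its descendants. Freed blocks are quarantined rather than
 * returned, as memcheck does, so a later use can be checked safely.
 */
#define MAX_BLOCKS 64

struct block {
    void *ptr;
    struct block *parent;   /* NULL for a top-level context */
    int live;
};

static struct block registry[MAX_BLOCKS];
static int nblocks;

static struct block *find_block(const void *p)
{
    int i;
    if (p == NULL) return NULL;
    for (i = 0; i < nblocks; i++) {
        if (registry[i].ptr == p) return &registry[i];
    }
    return NULL;
}

/* Allocate `size` zeroed bytes owned by `parent` (NULL = top level). */
void *ctx_alloc(void *parent, size_t size)
{
    struct block *b;
    if (nblocks == MAX_BLOCKS) return NULL;
    b = &registry[nblocks++];
    b->ptr = calloc(1, size);
    b->parent = find_block(parent);
    b->live = (b->ptr != NULL);
    return b->ptr;
}

/* Free `p` and, recursively, everything allocated beneath it. */
void ctx_free(void *p)
{
    struct block *b = find_block(p);
    int i;
    if (b == NULL || !b->live) return;
    for (i = 0; i < nblocks; i++) {
        if (registry[i].live && registry[i].parent == b) {
            ctx_free(registry[i].ptr);
        }
    }
    b->live = 0;                       /* quarantined, not yet returned */
}

/* 1 if `p` still belongs to a live context, 0 if it dangles. */
int ctx_is_live(const void *p)
{
    struct block *b = find_block(p);
    return b != NULL && b->live;
}

/* Return every quarantined block to the system and reset the registry. */
void ctx_shutdown(void)
{
    int i;
    for (i = 0; i < nblocks; i++) free(registry[i].ptr);
    nblocks = 0;
}

/* The record the test keeps of packets received on the connection. */
struct packet_list {
    int count;
    unsigned lengths[4];
};

/*
 * long_lived == 0: list owned by the per-request context, which is freed
 *                  once the reply has gone out (the bug).
 * long_lived == 1: list owned by a context that outlives the request
 *                  (the fix).
 * Returns the recorded packet count if the later read is valid, -1 if it
 * would be a read from freed memory.
 */
int record_and_read(int long_lived)
{
    void *test_ctx = ctx_alloc(NULL, 1);       /* lives for the whole test */
    void *request  = ctx_alloc(test_ctx, 1);   /* one DCE/RPC request */
    struct packet_list *list;
    int result = -1;

    list = ctx_alloc(long_lived ? test_ctx : request, sizeof *list);
    if (list != NULL) {
        list->count = 1;
        list->lengths[0] = 64;                 /* constructed sample size */
    }

    ctx_free(request);                         /* reply sent, request torn down */

    /* The check memcheck performs on the later read of the list. */
    if (ctx_is_live(list)) result = list->count;

    ctx_free(test_ctx);
    ctx_shutdown();
    return result;
}

int main(void)
{
    printf("list on request context: %d\n", record_and_read(0));   /* -1 */
    printf("list on test context:    %d\n", record_and_read(1));   /*  1 */
    return 0;
}
```

The point of the quarantine is that it turns the undefined behaviour in the buggy run into a checkable condition; a real build gets the same effect from valgrind or AddressSanitizer, which is how the trace above was produced. Note that moving the list to a longer-lived context fixes the read but also means the list is only released when that context is, which is the trade-off the reply mentions when it settles for talloc_autofree_context().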
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-torture-Fix-too-early-free-in-spoolss-notify-test.patch
Type: text/x-diff
Size: 2147 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080128/2881d04e/0001-torture-Fix-too-early-free-in-spoolss-notify-test.bin
