[PATCH] fix crash in winbindd in tevent_req_poll().

boyang boyang at suse.de
Sat Apr 18 12:14:39 GMT 2009


Stefan (metze) Metzmacher wrote:
> boyang wrote:
>   
>> hi, everyone:
>>     Have a look at close_conns_after_fork, dom->conn.cli->fd = -1. That
>> is to say, it is just set to -1 and not freed. And this is the problem,
>> pipes might be there after fork! Then have a look at connection after
>> fork, cm_connect_sam() --> invalidate_cm_connection() , pipes might not
>> be null, but cli->fd == -1. Then look at the destructor
>> rpc_transport_np_state_destructor(),  fd(-1) is added to fd_events list
>> and FD_SET will set it in fd sets, 0xFFFFFFFF is so large that FD_SET()
>> access invalid memory...
>>     Patch is for master.
>>     Please correct me if I am wrong. Thanks!
>>     
>
> I can't see what it has to do with tevent_req_poll()...
> I assume it's just bad luck because the memory is corrupted, right?
>   
No. winbindd crashed because dom->conn.cli->fd == -1 and pipes are not
freed. Then the talloc destructor tries to close the pipe with function
cli_close(). We should determine if the fd is -1, otherwise,
tevent_req_poll() ---> tevent_loop_once() ---> s3_event_loop_once() --->
event_add_to_select_args() ---> FD_SET(-1, &writefds) causes winbindd to
crash. It may be wrong to blame tevent_req_poll() for this, but I think
there is no harm to determine if fd is -1 in tevent_req_poll(). Am I right?
> Could you please remove the reference to tevent_req_poll()
> from the commit message?
>   
Yep. I am posting the patch with new commit message here. Thanks! :-)
> metze
>
>
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: crash-in-winbindd.diff
Type: text/x-patch
Size: 1389 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090418/a9919564/crash-in-winbindd.bin
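
The failure mode discussed in this thread, as an added example that is not part of the original post, the attached patch, or Samba's code: FD_SET() performs no bounds check, so a descriptor of -1 addresses memory outside the fd_set. The struct and function names below are hypothetical; the sketch shows a guard at registration time and a teardown check for an already-invalidated fd.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical stand-in for a connection whose fd was set to -1 after
 * fork without freeing the objects that still reference it. */
struct conn { int fd; };

/* Guarded registration. FD_SET() does no bounds checking, so only
 * 0 <= fd < FD_SETSIZE may reach it; anything else is rejected. */
static bool add_fd_checked(int fd, fd_set *set, int *maxfd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return false;
    FD_SET(fd, set);
    if (fd > *maxfd)
        *maxfd = fd;
    return true;
}

/* A teardown path should skip any I/O when the fd is already invalidated. */
static bool conn_needs_close(const struct conn *c)
{
    return c != NULL && c->fd != -1;
}

/* Register one live pipe end, one invalidated fd and one oversized fd
 * (constructed inputs); returns how many were accepted. */
static int demo_registered_count(void)
{
    int p[2], maxfd = -1, n = 0;
    fd_set wfds;
    FD_ZERO(&wfds);
    if (pipe(p) != 0)
        return -1;
    int candidates[] = { p[1], -1, FD_SETSIZE };
    for (int i = 0; i < 3; i++)
        n += add_fd_checked(candidates[i], &wfds, &maxfd) ? 1 : 0;
    close(p[0]);
    close(p[1]);
    return n;
}

int main(void)
{
    struct conn stale = { -1 };
    printf("registered %d of 3 fds, close needed: %d\n",
           demo_registered_count(), conn_needs_close(&stale));
    return 0;
}
```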