smbd crash

Olivier Sessink oliviersessink at
Tue Apr 13 14:33:15 MDT 2010

On the regular samba list this was posted:
==32107== Invalid read of size 4
==32107==    at 0x4B86AF9: (within /usr/lib/samba/vfs/
==32107==    by 0x815234F: smb_vfs_call_open (in /usr/sbin/smbd)
==32107==    by 0x8149F56: (within /usr/sbin/smbd)
==32107==    by 0x814C059: create_file_default (in /usr/sbin/smbd)
==32107==    by 0x8189161: (within /usr/sbin/smbd)
==32107==    by 0x81523FE: smb_vfs_call_create_file (in /usr/sbin/smbd)
==32107==    by 0x83E165A: (within /usr/sbin/smbd)
==32107==    by 0x83E1B7B: clean_up_driver_struct (in /usr/sbin/smbd)
==32107==    by 0x82D179D: _spoolss_AddPrinterDriver (in /usr/sbin/smbd)
==32107==    by 0x82D1E07: _spoolss_AddPrinterDriverEx (in /usr/sbin/smbd)
==32107==    by 0x82E362C: (within /usr/sbin/smbd)
==32107==    by 0x83272EA: api_pipe_request (in /usr/sbin/smbd)
==32107==  Address 0x18 is not stack'd, malloc'd or (recently) free'd

It would be very helpful if you could recompile with -g to
get line numbers. From the message we see that apparently
some pointer (very likely "fsp") is NULL while
scannedonly_open is called.
Invalid read of size 4 suggests a (64bit) pointer or integer, right?

However, fsp is not used in scannedonly_open (it is only passed to the 
NEXT() call), only handle and fname are used. Can 'handle' or 'fname' be 
NULL in a VFS _open call?


More information about the samba-technical mailing list