The Nasty Case of TDB Commit...

Rusty Russell rusty at
Thu Feb 4 06:35:09 MST 2010

Hi all,

   I finally produced a unit test for "handle processes dying" (in CCAN: it
has unit test infrastructure which suits this better than the torture system
in SAMBA), and it uncovered what I think is a nasty bug.

   If a process (or the machine) dies after just after writing the
recovery head (pointing at the end of file), the recovery record will filled
with 0x42.  This will not invoke a recovery on open, since rec.magic

  Unfortunately, the first transaction commit will happily reuse that
area: tdb_recovery_allocate() doesn't check the magic.  The recovery
record has length 0x42424242, and it writes that back into the
now-valid-looking transaction header) for the next comer (which happens
to be tdb_wipe_all here).

I think the fix is that tdb_recovery_allocate() has to just ignore a
header with invalid magic (not 0, not TDB_RECOVERY_MAGIC).

My untested git tree is:;a=summary (tdb-cleanups)

I will be MIA for a few days, hence the post now.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: aborted-after-write-recovery-head.tdb.bz2
Type: application/x-bzip
Size: 91 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list