help on a double free

Matthieu Patou mat at samba.org
Sun Nov 28 07:24:31 MST 2010


Hello all,

I found a double free on builder72:

#4  0x0000000803a9316f in talloc_abort (reason=0x803a96b30 "Bad talloc magic value - double free") at ../../lib/talloc/talloc.c:213
#5  0x0000000803a93200 in talloc_abort_double_free () at ../../lib/talloc/talloc.c:229
#6  0x0000000803a93336 in talloc_chunk_from_ptr (ptr=0x807045820) at ../../lib/talloc/talloc.c:250
#7  0x0000000803a94995 in talloc_get_name (ptr=0x807045820) at ../../lib/talloc/talloc.c:975
#8  0x0000000803a94a33 in talloc_check_name (ptr=0x807045820, name=0x802c8fbc0 "struct composite_context") at ../../lib/talloc/talloc.c:994
#9  0x0000000802c25120 in continue_smb_connect (ctx=0x8070458b0) at ../librpc/rpc/dcerpc_connect.c:68
#10 0x00000008032ffe7f in composite_error (ctx=0x8070458b0, status={v = 3221225787}) at ../libcli/composite/composite.c:114
#11 0x00000008032fff09 in composite_is_ok (ctx=0x8070458b0) at ../libcli/composite/composite.c:132
#12 0x0000000802c56124 in state_handler (c=0x8070458b0) at ../libcli/smb_composite/connect.c:398
#13 0x0000000802c56160 in request_handler (req=0x806f323b0) at ../libcli/smb_composite/connect.c:410
#14 0x0000000802c64784 in smbcli_transport_dead (transport=0x807002580, status={v = 3221225787}) at ../libcli/raw/clitransport.c:151
#15 0x0000000802c6428f in transport_destructor (transport=0x807002580) at ../libcli/raw/clitransport.c:56
#16 0x0000000803a94275 in _talloc_free_internal (ptr=0x807002580, location=0x802c8ffa0 "../librpc/rpc/dcerpc_connect.c:810") at ../../lib/talloc/talloc.c:621
#17 0x0000000803a94458 in _talloc_free_internal (ptr=0x80702c830, location=0x802c8ffa0 "../librpc/rpc/dcerpc_connect.c:810") at ../../lib/talloc/talloc.c:652
#18 0x0000000803a94458 in _talloc_free_internal (ptr=0x8070458b0, location=0x802c8ffa0 "../librpc/rpc/dcerpc_connect.c:810") at ../../lib/talloc/talloc.c:652
#19 0x0000000803a94458 in _talloc_free_internal (ptr=0x806fbf350, location=0x802c8ffa0 "../librpc/rpc/dcerpc_connect.c:810") at ../../lib/talloc/talloc.c:652
#20 0x0000000803a94458 in _talloc_free_internal (ptr=0x80702c5b0, location=0x802c8ffa0 "../librpc/rpc/dcerpc_connect.c:810") at ../../lib/talloc/talloc.c:652
#21 0x0000000803a94458 in _talloc_free_internal (ptr=0x807045790, location=0x802c8ffa0 "../librpc/rpc/dcerpc_connect.c:810") at ../../lib/talloc/talloc.c:652
#22 0x0000000803a94fc4 in _talloc_free (ptr=0x807045790, location=0x802c8ffa0 "../librpc/rpc/dcerpc_connect.c:810") at ../../lib/talloc/talloc.c:1171
#23 0x0000000802c267d1 in dcerpc_pipe_connect_b_recv (c=0x807045790, mem_ctx=0x807029a60, p=0x7fffffffa790) at ../librpc/rpc/dcerpc_connect.c:810
#24 0x0000000802c26835 in dcerpc_pipe_connect_b (parent_ctx=0x807029a60, pp=0x7fffffffa790, binding=0x80702c0b0, table=0x8042ed5a0, credentials=0x806f32070, ev=0x806f14590, lp_ctx=0x806f0a850) at ../librpc/rpc/dcerpc_connect.c:831
#25 0x000000000068d87a in torture_rpc_connection (tctx=0x807029a60, p=0x7fffffffa790, table=0x8042ed5a0) at ../torture/rpc/rpc.c:84
#26 0x000000000068f22d in test_handles_lsa (torture=0x807029a60) at ../torture/rpc/handles.c:52
#27 0x0000000802867bba in wrap_simple_test (torture_ctx=0x807029a60, tcase=0x806f847f0, test=0x806f8a240) at ../../lib/torture/torture.c:628
#28 0x0000000802867341 in internal_torture_run_test (context=0x807029a60, tcase=0x806f847f0, test=0x806f8a240, already_setup=true, restricted=0x0) at ../../lib/torture/torture.c:439
#29 0x0000000802867588 in torture_run_tcase_restricted (context=0x807029a60, tcase=0x806f847f0, restricted=0x0) at ../../lib/torture/torture.c:502
#30 0x0000000802866f6b in torture_run_suite_restricted (context=0x807029a60, suite=0x806f86dd0, restricted=0x0) at ../../lib/torture/torture.c:354
#31 0x0000000802866ed2 in torture_run_suite (context=0x807029a60, suite=0x806f86dd0) at ../../lib/torture/torture.c:336
#32 0x0000000000532730 in run_matching (torture=0x807029a60, prefix=0x80703adb0 "RPC", expr=0x7fffffffb9e2 "RPC-HANDLES", restricted=0x0, suite=0x806f78250, matched=0x7fffffffaade) at ../torture/smbtorture.c:64
#33 0x000000000053276d in run_matching (torture=0x807029a60, prefix=0x0, expr=0x7fffffffb9e2 "RPC-HANDLES", restricted=0x0, suite=0x806f2d350,

Unfortunately I don't really understand how to fix it. I have the 
impression that it's somehow wrong to try to call the async function if 
the composite is in error:

         ctx->status = status;
         ctx->state = COMPOSITE_STATE_ERROR;
         if (ctx->async.fn != NULL) {
                 ctx->async.fn(ctx);
         }

But I might be wrong.

Does anyone have a clue?

Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
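
As an added illustration (not part of the post above and not talloc or Samba code), here is a miniature talloc-style allocator that reproduces the shape of the backtrace: the outer composite is freed from the top (frame #23), its children are freed depth-first, a child transport's destructor reports the failure to the composite waiting on it (frames #15 to #10), and the composite's async callback then dereferences another chunk that the same teardown has already freed (frames #9 to #4). talloc's abort is modelled as a counter, freed chunks are parked until the outermost free returns so the stale access is observable rather than undefined behaviour, and the names mini_alloc, mini_check_name, run_teardown and the "detach" flag of the hardened variant are this example's own; it shows the mechanism, not the actual fix for the bug in the post.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed miniature of a talloc-style hierarchy (not talloc, not Samba
 * code). Freeing a chunk runs its destructor, frees its children depth-first,
 * then marks the chunk freed. Freed chunks are parked in a graveyard until the
 * outermost mini_free() returns, so a late access is caught by the flag bits
 * instead of being undefined behaviour (real talloc calls free() right away). */
#define MAGIC  0x7a110000u
#define F_FREE 0x1u   /* already freed        (talloc: TALLOC_FLAG_FREE) */
#define F_LOOP 0x2u   /* children being freed (talloc: TALLOC_FLAG_LOOP) */

struct chunk {
    unsigned flags;
    struct chunk *child, *next;
    int (*destructor)(void *ptr);
    const char *name;
};

static struct chunk *chunk_of(void *p) { return (struct chunk *)p - 1; }
static struct chunk *graveyard[64];
static int buried;
int double_free_hits;         /* stand-in for talloc_abort_double_free() */

static void *mini_alloc(void *parent, size_t size, const char *name)
{
    struct chunk *c = calloc(1, sizeof(*c) + size);
    if (!c) abort();
    c->flags = MAGIC;
    c->name = name;
    if (parent) {             /* prepend: the newest child is freed first */
        c->next = chunk_of(parent)->child;
        chunk_of(parent)->child = c;
    }
    return c + 1;
}

/* talloc_check_name() equivalent: 1 if live and named as expected, 0 where
 * talloc would abort with "Bad talloc magic value - double free". */
static int mini_check_name(void *p, const char *name)
{
    struct chunk *c = chunk_of(p);
    if (c->flags & F_FREE) { double_free_hits++; return 0; }
    return (c->flags & ~0xFu) == MAGIC && strcmp(c->name, name) == 0;
}

static void mini_free_internal(struct chunk *c)
{
    if (c->destructor) c->destructor(c + 1);   /* runs before the children go */
    c->flags |= F_LOOP;
    while (c->child) {
        struct chunk *ch = c->child;
        c->child = ch->next;
        mini_free_internal(ch);
    }
    c->flags |= F_FREE;
    graveyard[buried++] = c;
}

static void mini_free(void *p)
{
    mini_free_internal(chunk_of(p));
    while (buried > 0) free(graveyard[--buried]);
}

/* Composite model with the callback that composite_error() invokes, as in
 * the fragment quoted in the post. */
struct composite {
    int status;
    void (*async_fn)(struct composite *ctx);
    void *private_data;
};

static void composite_error(struct composite *ctx, int status)
{
    ctx->status = status;
    if (ctx->async_fn) ctx->async_fn(ctx);
}

int callback_hit_freed_memory;
static struct composite *waiting_on_transport;

/* Role of continue_smb_connect(): validate the outer state in private_data. */
static void continue_connect(struct composite *ctx)
{
    if (!mini_check_name(ctx->private_data, "pipe_state"))
        callback_hit_freed_memory++;
}

/* Role of transport_destructor(): report the dead transport to its waiter. */
static int transport_destructor(void *transport)
{
    (void)transport;
    composite_error(waiting_on_transport, -1);
    return 0;
}

/* Builds  c -> { state (newest, so freed first), ctx -> transport }  and frees
 * c from the top, as the _recv() in frame #23 does. With detach != 0 the
 * callback is cleared before the free so nothing re-enters during teardown.
 * Returns how many times the callback reached already-freed memory. */
int run_teardown(int detach)
{
    struct composite *c, *ctx;
    void *state, *transport;

    double_free_hits = callback_hit_freed_memory = 0;
    c         = mini_alloc(NULL, sizeof *c, "composite");
    ctx       = mini_alloc(c, sizeof *ctx, "composite");
    state     = mini_alloc(c, 32, "pipe_state");
    transport = mini_alloc(ctx, 32, "transport");
    chunk_of(transport)->destructor = transport_destructor;
    ctx->async_fn = continue_connect;
    ctx->private_data = state;
    waiting_on_transport = ctx;

    if (detach) ctx->async_fn = NULL;          /* hardened variant */
    mini_free(c);
    return callback_hit_freed_memory;
}
```

run_teardown(0) reproduces the pattern in the trace: the state chunk is freed before ctx, ctx's transport destructor fires composite_error(), and the callback reaches the freed chunk once. run_teardown(1) clears the completion callback before the tree is freed, so the destructor still runs but nothing re-enters the composite during teardown; whether that, or tearing down the transport before its waiter, is the right ordering for the Samba code is exactly the question the post leaves open.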



