valgrind error on LSA lookup

Andrew Bartlett abartlet at samba.org
Wed Jul 27 01:20:02 MDT 2011


On Wed, 2011-07-13 at 02:51 +0400, Matthieu Patou wrote:
> Hello Andrew,
> 
> I was trying to push the attached patch but I get errors, after a bit of 
> hunting I found that the problem is the unit test that does async 
> lsarlookupsid.
> 
> As I had no clue of why state->access_mask & LSA_POLICY_LOOKUP_NAMES 
> returned 1 when the openpolicy didn't set this flag I started to suspect 
> an error on state.
> 
> Running valgrind on samba4  + ./bin/smbtorture  
> ncacn_np:172.16.100.1[bigendian] rpc.lsa  -U administrator%totoTATA122 
> with my patches yields this:
> ==2592== Conditional jump or move depends on uninitialised value(s)
> ==2592==    at 0x125206CF: dcesrv_lsa_LookupSids2 (lsa_lookup.c:571)
> ==2592==    by 0x12520D43: dcesrv_lsa_LookupSids (lsa_lookup.c:732)
> ==2592==    by 0x12511762: lsarpc__op_dispatch (ndr_lsa_s.c:233)
> ==2592==    by 0x124EA510: dcesrv_request (dcerpc_server.c:964)
> ==2592==    by 0x124EAA7A: dcesrv_process_ncacn_packet (dcerpc_server.c:1109)
> ==2592==    by 0x124EBABF: dcesrv_read_fragment_done (dcerpc_server.c:1487)
> ==2592==    by 0x71B82DA: _tevent_req_notify_callback (tevent_req.c:101)
> ==2592==    by 0x71B830C: tevent_req_finish (tevent_req.c:110)
> ==2592==    by 0x71B8333: _tevent_req_done (tevent_req.c:116)
> ==2592==    by 0xDB33E19: dcerpc_read_ncacn_packet_done (dcerpc_util.c:295)
> ==2592==    by 0x71B82DA: _tevent_req_notify_callback (tevent_req.c:101)
> ==2592==    by 0x71B830C: tevent_req_finish (tevent_req.c:110)
> ==2592==
> 
> 
> Obviously dcesrv_lsa_get_policy_state is not returning something correct 
> ... can you have a look because this async madness is more than I can 
> understand for the moment.

Don't think about the async; this isn't an async bug.  The async test
just makes a lot of requests, or exercises this particular interface.

The issue is that LsaLookupSids2 does not emulate the Microsoft
behaviour fully, because it does not do a full internal LsaOpenPolicy2.
The difference is in exactly the access_mask that you de-reference.
Only LsaOpenPolicy2 (but not dcesrv_lsa_get_policy_state()) fills in
state->access_mask.

We need to either call the full LsaOpenPolicy2, or at least its full
equivalent.  We need to work out the access mask to use in the absence
of a policy handle.  The Samba3 code did a lot of access mask work,
perhaps it can help.

I hope this helps, and sorry for the delay in getting back to you.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
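The bug Andrew describes is an uninitialised-field read: the handle-less
path allocates a policy state but never fills in access_mask, and the
later `access_mask & LSA_POLICY_LOOKUP_NAMES` check branches on heap
garbage, which is exactly what valgrind's "conditional jump depends on
uninitialised value(s)" report means. The following is an added,
stand-alone reproduction of that pattern and of the fix the message
suggests (compute the mask the same way the open call would). It is not
Samba code: the struct, the function names (open_policy2,
get_policy_state_buggy, get_policy_state_fixed, lookup_sids2,
granted_rights), the rights bits and the is_admin flag are all
assumptions chosen to mirror the discussion, not the real LSA server
internals.

```c
/* Added example, not Samba's code: minimal model of the uninitialised
 * access_mask read discussed in the thread. All names and bit values are
 * hypothetical stand-ins for the real LSA server code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical access-right bits, standing in for LSA_POLICY_LOOKUP_NAMES. */
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001u
#define POLICY_LOOKUP_NAMES           0x00000800u

#define STATUS_OK            0
#define STATUS_ACCESS_DENIED 1

struct policy_state {
    uint32_t access_mask;   /* rights granted when the handle was opened */
    int      is_dc;         /* another per-handle field, set on every path */
};

/* Rights the caller may actually hold. Assumed here to depend on a single
 * is_admin flag; a real server would derive this from the security token. */
static uint32_t granted_rights(uint32_t requested, int is_admin)
{
    uint32_t allowed = POLICY_VIEW_LOCAL_INFORMATION;
    if (is_admin)
        allowed |= POLICY_LOOKUP_NAMES;
    return requested & allowed;
}

/* The OpenPolicy2-style path: every field, including access_mask, is set. */
static struct policy_state *open_policy2(uint32_t requested, int is_admin)
{
    struct policy_state *s = malloc(sizeof(*s));
    if (!s) return NULL;
    s->is_dc = 1;
    s->access_mask = granted_rights(requested, is_admin);
    return s;
}

/* The buggy shortcut: builds a state for handle-less calls but never sets
 * access_mask. malloc() does not zero memory, so the later check reads
 * whatever the heap held; valgrind flags the branch as depending on an
 * uninitialised value. */
static struct policy_state *get_policy_state_buggy(void)
{
    struct policy_state *s = malloc(sizeof(*s));
    if (!s) return NULL;
    s->is_dc = 1;
    /* access_mask deliberately left unset to reproduce the report */
    return s;
}

/* The fix: the shortcut works out the mask the same way the open call
 * would, requesting exactly the right the lookup needs. */
static struct policy_state *get_policy_state_fixed(int is_admin)
{
    struct policy_state *s = malloc(sizeof(*s));
    if (!s) return NULL;
    s->is_dc = 1;
    s->access_mask = granted_rights(POLICY_LOOKUP_NAMES, is_admin);
    return s;
}

/* The check at the heart of the lookup: refuse unless the state carries
 * the lookup right. On the buggy path this branch is the one valgrind
 * reports. */
static int lookup_sids2(const struct policy_state *state)
{
    if (!(state->access_mask & POLICY_LOOKUP_NAMES))
        return STATUS_ACCESS_DENIED;
    return STATUS_OK;
}

int main(void)
{
    struct policy_state *b = get_policy_state_buggy();
    printf("buggy path (valgrind complains here): %d\n", lookup_sids2(b));
    free(b);

    struct policy_state *f = get_policy_state_fixed(1);
    printf("fixed path, admin caller:             %d\n", lookup_sids2(f));
    free(f);

    struct policy_state *n = get_policy_state_fixed(0);
    printf("fixed path, non-admin caller:         %d\n", lookup_sids2(n));
    free(n);
    return 0;
}
```

Build it with `gcc -g -O0 repro.c -o repro` and run `valgrind
--track-origins=yes ./repro`: the first lookup_sids2 call produces the
same "Conditional jump or move depends on uninitialised value(s)" report
seen in the trace above, and --track-origins points at the malloc in
get_policy_state_buggy. The two fixed-path calls are clean, and the
non-admin one is correctly denied rather than passing by accident of
heap contents.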