Crash in CLEAR_IF_FIRST handling in tdb
Volker Lendecke
Volker.Lendecke at SerNet.DE
Thu Oct 4 02:03:58 MDT 2012
On Wed, Oct 03, 2012 at 05:18:53PM +0930, Rusty Russell wrote:
> Volker Lendecke <Volker.Lendecke at SerNet.DE> writes:
>
> > Hi Rusty!
> >
> > Under
> > http://git.samba.org/?p=vl/samba.git/.git;a=shortlog;h=refs/heads/tdb
> > find a patchset that for me fixes a crash in winbind in tdb.
> > For the explanation, see the second patch from the top.
>
> Good catch!
>
> Your fix here should stop a crash when accessing the header, but the
> rest of the mmaped database is still going to cause SEGV, no? We only
> re-map it when we see an offset which is out-of-bounds (vs the
> locally-cache tdb->map_size variable).
I believe we are okay with the fix. Whenever we access the
mmap area pointed to by the hash pointed to by the hash
sources, we lock the hash chain. I think we never keep
information beyond a F_UNLK. Because tdb_new_database
establishes an empty and correct database, tdb_fetch will
never randomly access memory beyond the current file limit.
The freelist is also set up with a short database in mind.
So whenever there is a need to go beyond the file size,
which might be shorter than the current mmap size, we will
end up in tdb_expand, which now should deal fine with a
shrunk file.
Please tell me if I missed something!
Thanks,
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
More information about the samba-technical
mailing list