Crash in CLEAR_IF_FIRST handling in tdb

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Oct 4 02:03:58 MDT 2012

On Wed, Oct 03, 2012 at 05:18:53PM +0930, Rusty Russell wrote:
> Volker Lendecke <Volker.Lendecke at SerNet.DE> writes:
> > Hi Rusty!
> >
> > Under
> >;a=shortlog;h=refs/heads/tdb
> > find a patchset that for me fixes a crash in winbind in tdb.
> > For the explanation, see the second patch from the top.
> Good catch!
> Your fix here should stop a crash when accessing the header, but the
> rest of the mmaped database is still going to cause SEGV, no?  We only
> re-map it when we see an offset which is out-of-bounds (vs the
> locally-cache tdb->map_size variable).

I believe we are okay with the fix. Whenever we access the
mmap area pointed to by the hash pointed to by the hash
sources, we lock the hash chain. I think we never keep
information beyond a F_UNLK. Because tdb_new_database
establishes an empty and correct database, tdb_fetch will
never randomly access memory beyond the current file limit.
The freelist is also set up with a short database in mind.
So whenever there is a need to go beyond the file size,
which might be shorter than the current mmap size, we will
end up in tdb_expand, which now should deal fine with a
shrunk file.

Please tell me if I missed something!



SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at

More information about the samba-technical mailing list