Crash in CLEAR_IF_FIRST handling in tdb

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Oct 4 09:25:42 MDT 2012


On Thu, Oct 04, 2012 at 10:03:58AM +0200, Volker Lendecke wrote:
> > > Under
> > > http://git.samba.org/?p=vl/samba.git/.git;a=shortlog;h=refs/heads/tdb
> > > find a patchset that for me fixes a crash in winbind in tdb.
> > > For the explanation, see the second patch from the top.
> > 
> > Good catch!
> > 
> > Your fix here should stop a crash when accessing the header, but the
> > rest of the mmaped database is still going to cause SEGV, no?  We only
> > re-map it when we see an offset which is out-of-bounds (vs the
> > locally-cached tdb->map_size variable).
> 
> I believe we are okay with the fix. Whenever we access the
> mmap area pointed to by the hash pointed to by the hash
> sources, we lock the hash chain. I think we never keep
> information beyond a F_UNLK. Because tdb_new_database
> establishes an empty and correct database, tdb_fetch will
> never randomly access memory beyond the current file limit.
> The freelist is also set up with a short database in mind.
> So whenever there is a need to go beyond the file size,
> which might be shorter than the current mmap size, we will
> end up in tdb_expand, which now should deal fine with a
> shrunk file.

Just updated the above branch with code that survived
autobuild.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
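Added illustration, not code from the thread or from tdb itself: a small C sketch of the stale map_size hazard the two messages discuss, with a check that consults the file's current size before trusting an offset that the cached mapping size would still admit (the demo_* names are hypothetical).

```c
/* Hazard sketch: map_size is cached at mmap time, but a CLEAR_IF_FIRST rebuild
 * in another process can truncate the file; touching a mapped page past the new
 * EOF raises SIGBUS, so check offsets against the current file size too. */
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

struct demo_db {          /* hypothetical stand-in for a tdb context */
    int fd;
    char *map;            /* mmap base */
    size_t map_size;      /* cached at mmap time; may go stale */
};

/* 1 if [off, off+len) lies inside the file as it is right now. */
int demo_range_in_file(const struct demo_db *db, size_t off, size_t len)
{
    struct stat st;
    if (fstat(db->fd, &st) != 0) return 0;
    return off <= (size_t)st.st_size && len <= (size_t)st.st_size - off;
}

/* Create a constructed scratch file of `size` bytes and map it; 0 on success. */
int demo_open(struct demo_db *db, size_t size)
{
    char path[] = "/tmp/tdb_demo_XXXXXX";
    db->fd = mkstemp(path);
    if (db->fd < 0) return -1;
    unlink(path);
    if (ftruncate(db->fd, (off_t)size) != 0) return -1;
    db->map = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, db->fd, 0);
    if (db->map == MAP_FAILED) return -1;
    db->map_size = size;
    return 0;
}

/* Map three pages, shrink the file to one (as another process's rebuild would),
 * then probe an offset in page three: the cached map_size still admits it, the
 * file-size check rejects it. Returns 1 when both observations hold. */
int demo_stale_offset_rejected(void)
{
    struct demo_db db;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), off = pg * 2;
    if (demo_open(&db, pg * 3) != 0) return -1;
    int before = demo_range_in_file(&db, off, 16);
    if (ftruncate(db.fd, (off_t)pg) != 0) return -1;
    int after = demo_range_in_file(&db, off, 16);
    int cached_admits = (off + 16 <= db.map_size);
    munmap(db.map, db.map_size); close(db.fd);
    return before == 1 && after == 0 && cached_admits == 1;
}
```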
