Crash in CLEAR_IF_FIRST handling in tdb

ronnie sahlberg ronniesahlberg at gmail.com
Thu Oct 4 11:00:26 MDT 2012


Rusty,

There is also another bug I just found.

When you do a mark-unlock, mark-unlocks always unconditionally try
to release the corresponding fcntl lock.
mark-unlock probably should not try fcntl() at all.


Theoretical sequence could be
tdb_lock()   take fcntl lock
lockall-mark   (no-op)
unlockall-mark  (will release the fcntl from tdb_lock above?).


regards
ronnie sahlberg

On Wed, Oct 3, 2012 at 12:48 AM, Rusty Russell <rusty at rustcorp.com.au> wrote:
> Volker Lendecke <Volker.Lendecke at SerNet.DE> writes:
>
>> Hi Rusty!
>>
>> Under
>> http://git.samba.org/?p=vl/samba.git/.git;a=shortlog;h=refs/heads/tdb
>> find a patchset that for me fixes a crash in winbind in tdb.
>> For the explanation, see the second patch from the top.
>
> Good catch!
>
> Your fix here should stop a crash when accessing the header, but the
> rest of the mmaped database is still going to cause SEGV, no?  We only
> re-map it when we see an offset which is out-of-bounds (vs the
> locally-cache tdb->map_size variable).
>
> To fix that we'd need to avoid ftruncate.  We could either unlink and
> re-create the database, or simply put the rest of the database as a huge
> freelist entry.  This will prevent crashes, though there may be other
> weirdness.
>
> Thoughts?
> Rusty.
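The sequence above, worked through as an added illustration that is not tdb's code or part of the original thread: a minimal model of tdb-style lock bookkeeping in which the kernel fcntl() state is a plain flag rather than a real fcntl() call, and the function names (model_lock, model_lock_mark, model_unlock_mark_buggy, model_unlock_mark_fixed) are assumptions made here. It contrasts a mark-unlock that unconditionally releases the fcntl lock with one that only touches bookkeeping, and shows that only the latter leaves the lock taken by the earlier tdb_lock() in place.

```c
/* Added illustration (not tdb's code): a model of tdb-style lock bookkeeping,
 * used to show why a "mark" unlock must not call fcntl(). The kernel side is
 * represented by a flag plus a call counter instead of a real fcntl() call. */
#include <stdbool.h>
#include <stdio.h>

/* Model of the kernel side: does this process hold the fcntl() byte-range lock? */
struct kernel_lock { bool held; int fcntl_calls; };

/* Model of the per-lock record the process keeps: holder count and mark flag. */
struct lock_record { int count; bool marked; };

struct lockctx { struct kernel_lock k; struct lock_record rec; };

static void fcntl_lock(struct kernel_lock *k)   { k->fcntl_calls++; k->held = true; }
static void fcntl_unlock(struct kernel_lock *k) { k->fcntl_calls++; k->held = false; }

/* tdb_lock() analogue: take the fcntl lock on first acquisition, then just count. */
void model_lock(struct lockctx *c) {
    if (c->rec.count == 0) fcntl_lock(&c->k);
    c->rec.count++;
}

/* tdb_unlock() analogue: release the fcntl lock when the last holder goes away. */
void model_unlock(struct lockctx *c) {
    if (c->rec.count == 0) return;
    if (--c->rec.count == 0) fcntl_unlock(&c->k);
}

/* lockall-mark analogue: record that the caller already holds the lock; no fcntl(). */
void model_lock_mark(struct lockctx *c) { c->rec.marked = true; }

/* unlockall-mark as described in the post: unconditionally releases the fcntl lock,
 * which drops a lock that tdb_lock() above still relies on. */
void model_unlock_mark_buggy(struct lockctx *c) {
    c->rec.marked = false;
    fcntl_unlock(&c->k);
}

/* unlockall-mark corrected: bookkeeping only, the kernel lock is left alone. */
void model_unlock_mark_fixed(struct lockctx *c) {
    c->rec.marked = false;
}

/* Runs the sequence from the post (tdb_lock, lockall-mark, unlockall-mark) and
 * reports whether the fcntl lock taken by tdb_lock() is still held afterwards.
 * fcntl_calls, if non-NULL, receives the number of kernel lock operations issued
 * over the whole sequence including the final matching unlock. */
bool sequence_keeps_lock(bool use_fixed, int *fcntl_calls) {
    struct lockctx c = {0};
    model_lock(&c);                 /* tdb_lock(): takes the fcntl lock   */
    model_lock_mark(&c);            /* lockall-mark: no-op on the kernel  */
    if (use_fixed) model_unlock_mark_fixed(&c);
    else           model_unlock_mark_buggy(&c);
    bool still_held = c.k.held;     /* should be true: tdb_lock() is live */
    model_unlock(&c);               /* matching tdb_unlock()              */
    if (fcntl_calls) *fcntl_calls = c.k.fcntl_calls;
    return still_held;
}

int main(void) {
    int calls;
    bool buggy = sequence_keeps_lock(false, &calls);
    printf("buggy unlock-mark: lock still held after sequence = %s (%d fcntl calls)\n",
           buggy ? "yes" : "no", calls);
    bool fixed = sequence_keeps_lock(true, &calls);
    printf("fixed unlock-mark: lock still held after sequence = %s (%d fcntl calls)\n",
           fixed ? "yes" : "no", calls);
    return 0;
}
```

With the buggy variant the kernel lock is gone after unlockall-mark even though the holder count is still 1, so the later tdb_unlock() issues a second release and a window exists in which another process can take the lock; with the fixed variant the mark operations never touch the kernel and the lock/unlock pair stays balanced.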

