RHEL6 init.d script (was Re: Initscript Debian Wheezy)

Stefan (metze) Metzmacher metze at samba.org
Tue Sep 11 15:43:14 MDT 2012


On 08.09.2012 00:50, Jeremy Allison wrote:
> On Sat, Sep 08, 2012 at 12:33:51AM +0200, Stefan (metze) Metzmacher wrote:
>> On 07.09.2012 01:33, Jeremy Allison wrote:
>>> On Thu, Sep 06, 2012 at 12:08:41PM -0700, David Rivera wrote:
>>>> Did you check out the output from gdb_backtrace?  http://pastebin.com/Kjymcckg
>>>> Or is this not enough?
>>>
>>> Can you test the following patch against the last released
>>> code (or current master) and let me know if it fixes the
>>> crash ? I think it should, if I figured out the memory
>>> chains correctly.
>>
>> Hi Jeremy,
>>
>> the destructor should also set
>> state->pp_self_ref = NULL
>> otherwise still have the same problem.
> 
> I don't see that. pp_self_ref is allocated
> as a child of state->session.

state->pp_self_ref = talloc_zero(state->session,

> When we exit sessionsetup with success,
> we want to keep the session so we call
> TALLOC_FREE(state->pp_self_ref), which
> frees the memory pointed to by state->pp_self_ref
> and calls the destructor which then sets
> (*pp_state)->session = NULL, and then sets
> state->pp_self_ref = NULL (but that's
> not required, as it's not looked at
> again).

Sure the success works as before.

> If we're exiting on an error from
> the sessionsetup and we want to
> delete the session, we eventually
> end up in smbd_smb2_session_setup_state_destructor(),
> which calls TALLOC_FREE(state->session), which
> will call pp_self_ref_destructor() as
> the memory pointed to by state->pp_self_ref
> is a child of state->session. But
> at that point state still exists
> (we're inside its destructor)
> so it's ok to set (*pp_state)->session = NULL.
> 
> If we get terminated whilst the
> sessionsetup is still in flight
> then when the state->session is
> deleted from exit_server again
> state still exists so it's safe
> to call the pp_self_ref_destructor()
> and set (*pp_state)->session = NULL.
>
> Let me know how you think the
> memory error can still happen.

I think we never set state->pp_self_ref to NULL
but still call TALLOC_FREE(state->pp_self_ref);
in some error cases, which might trigger a double free.
So when we set (*pp_state)->session = NULL,
we should also set (*pp_state)->pp_self_ref = NULL.
Otherwise we still leave an invalid pointer.

metze

> Jeremy.
> 

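The pointer chain argued over above, as an added worked example that is not part of this thread or of Samba's code. It uses a small stand-in for talloc (same tree-and-destructor semantics, but freed chunks are only marked, never returned to malloc, so a second free of a stale pointer is reported instead of corrupting the heap) and the field and destructor names from the thread; the error_path/success_path drivers and the exact order of frees in them are assumptions that mirror the two cases Jeremy and metze describe.

```c
#include <stdlib.h>

/* Tiny stand-in for talloc (this example's own code, not Samba's talloc):
 * chunks form a tree, a chunk may carry one destructor, and freeing a chunk
 * runs its destructor and then frees its children. Freed chunks are only
 * marked, so freeing a stale pointer yields -1 instead of heap corruption. */
typedef struct chunk {
    struct chunk *parent, *child, *next;
    int (*destructor)(void *);
    int freed;
} chunk;

static chunk *hdr(void *p) { return (chunk *)p - 1; }
static void t_set_destructor(void *p, int (*d)(void *)) { hdr(p)->destructor = d; }

static void *t_alloc(void *parent, size_t size)
{
    chunk *c = calloc(1, sizeof(*c) + size);
    if (c == NULL) abort();
    if (parent != NULL) {
        c->parent = hdr(parent);
        c->next = c->parent->child;
        c->parent->child = c;
    }
    return c + 1;
}

/* talloc_free(): 0 on success or NULL, -1 if the chunk was already freed. */
static int t_free(void *p)
{
    chunk *c, *k, *n, **pp;
    if (p == NULL) return 0;
    c = hdr(p);
    if (c->freed) return -1;
    c->freed = 1;
    if (c->destructor != NULL) c->destructor(p);
    for (k = c->child; k != NULL; k = n) { n = k->next; t_free(k + 1); }
    if (c->parent != NULL) {             /* unlink from the parent's list */
        for (pp = &c->parent->child; *pp != c; pp = &(*pp)->next) ;
        *pp = c->next;
    }
    return 0;
}

/* The shape from the thread: state -> session, plus a self-reference chunk
 * that is a talloc child of the session and points back at the state. */
struct session { int id; };
struct setup_state { struct session *session; struct setup_state **pp_self_ref; };

/* Destructor as in the patch under discussion: clears state->session only. */
int pp_self_ref_destructor(void *p)
{
    struct setup_state **pp_state = p;
    (*pp_state)->session = NULL;
    return 0;
}

/* metze's addition: also clear the state's pointer to the chunk being freed. */
int pp_self_ref_destructor_fixed(void *p)
{
    struct setup_state **pp_state = p;
    (*pp_state)->session = NULL;
    (*pp_state)->pp_self_ref = NULL;
    return 0;
}

static struct setup_state *new_state(int (*d)(void *))
{
    struct setup_state *state = t_alloc(NULL, sizeof(*state));
    state->session = t_alloc(NULL, sizeof(struct session));
    state->pp_self_ref = t_alloc(state->session, sizeof(*state->pp_self_ref));
    *state->pp_self_ref = state;
    t_set_destructor(state->pp_self_ref, d);
    return state;
}

/* Error case (assumed sequence): the session is torn down while the state
 * still exists, and the usual cleanup then runs TALLOC_FREE(state->pp_self_ref).
 * Returns that free's result: -1 means the stale pointer was freed twice. */
int error_path(int (*d)(void *))
{
    struct setup_state *state = new_state(d);
    int rc;
    t_free(state->session);            /* also frees the pp_self_ref child */
    rc = t_free(state->pp_self_ref);   /* TALLOC_FREE(state->pp_self_ref) */
    state->pp_self_ref = NULL;
    t_free(state);
    return rc;
}

/* Success case: drop the self-reference, then free the state; the session
 * must outlive it. Returns 1 if the session chunk is still live. */
int success_path(int (*d)(void *))
{
    struct setup_state *state = new_state(d);
    struct session *session = state->session;
    int live;
    t_free(state->pp_self_ref);        /* destructor clears state->session */
    state->pp_self_ref = NULL;
    t_free(state);
    live = !hdr(session)->freed;
    t_free(session);
    return live;
}
```

With the destructor from the patch, error_path(pp_self_ref_destructor) returns -1: the self-reference chunk died with the session, but state->pp_self_ref still points at it, so the later TALLOC_FREE hits freed memory. With metze's version, error_path(pp_self_ref_destructor_fixed) returns 0 because the second free sees NULL, and success_path returns 1 for both destructors, so the extra assignment changes nothing on the success path.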