Smbd crash while closing connection

Shilpa K shilpa.krishnareddy at
Wed Feb 25 02:23:33 MST 2015


We have encountered an smbd crash with the following footprints:

Thread 7 (Thread 8038021c0 (LWP 101981)):
#0  0x0000000802e17ffc in thr_kill () from /lib/
#1  0x0000000802eb358b in abort () from /lib/
#2  0x0000000000798f41 in dump_core () at lib/fault.c:414
#3  0x00000000007a96ff in smb_panic (why=<optimized out>) at lib/util.c:1133
#4  0x00000000007995e2 in fault_report (sig=<optimized out>) at lib/fault.c:53
#5  sig_fault (sig=11) at lib/fault.c:76
#6  <signal handler called>
#7  0x0000000802e9320a in strlcpy () from /lib/
#8  0x00000000007b459b in connections_fetch_entry
(mem_ctx=0x803875050, conn=0x803849c50, name=0x0) at lib/conn_tdb.c:63
#9  0x00000000004b4de4 in yield_connection (conn=0x803849c50,
name=0x0) at smbd/connection.c:37
#10 0x000000000052556b in close_cnum (conn=0x803849c50, vuid=36947) at
#11 0x0000000000539ec8 in smbd_smb2_tcon_destructor (tcon=0x8038674d0)
at smbd/smb2_tcon.c:138
#12 0x000000080297fe72 in _talloc_free_internal (ptr=0x8038674d0,
location=0xa3565a "smbd/smb2_tcon.c:339") at
#13 0x00000000005395be in smbd_smb2_request_process_tdis
(req=0x80424d110) at smbd/smb2_tcon.c:339
#14 0x0000000000535206 in smbd_smb2_request_dispatch (req=0x80424d110)
at smbd/smb2_server.c:1544
#15 0x0000000000535b4e in smbd_smb2_request_incoming
(subreq=0x80386c510) at smbd/smb2_server.c:2771
#16 0x0000000000533b7c in smbd_smb2_request_read_done
(subreq=0x80386c390) at smbd/smb2_server.c:2614
#17 0x00000000005cd861 in tstream_readv_pdu_queue_done
(subreq=0x80386ced0) at ../lib/tsocket/tsocket_helpers.c:423
#18 0x00000000005cdc13 in tstream_readv_pdu_readv_done
(subreq=0x80386cb10) at ../lib/tsocket/tsocket_helpers.c:316
#19 0x00000000005ccc92 in tstream_readv_done (subreq=0x80386cf90) at
#20 0x00000000007b91c0 in tevent_common_loop_immediate
(ev=0x80380e110) at ../lib/tevent/tevent_immediate.c:139
#21 0x00000000007b7485 in run_events_poll (ev=0x80380e110, pollrtn=0,
pfds=0x0, num_pfds=0) at lib/events.c:197
#22 0x0000000000523d5d in smbd_server_connection_loop_once
(conn=<optimized out>) at smbd/process.c:1005
#23 smbd_process (sconn=0x803811350) at smbd/process.c:3181
#24 0x0000000000a078d2 in smbd_accept_connection (ev=<optimized out>,
fde=<optimized out>, flags=<optimized out>, private_data=<optimized
out>) at smbd/server.c:675
#25 0x00000000007b77a1 in run_events_poll (ev=0x80380e110,
pollrtn=<optimized out>, pfds=0x803810990, num_pfds=7) at
#26 0x00000000007b7c0f in s3_event_loop_once (ev=0x80380e110,
location=<optimized out>) at lib/events.c:349
#27 0x00000000007b7fc1 in _tevent_loop_once (ev=0x80380e110,
location=0xc15096 "smbd/server.c:981") at ../lib/tevent/tevent.c:494
#28 0x0000000000a095ee in smbd_parent_loop (parent=<optimized out>) at
#29 main (argc=<optimized out>, argv=<optimized out>) at smbd/server.c:1475

It is failing at the line below, as name is NULL:

strlcpy(, name, sizeof(;

I see that we are passing the service name, based on the service number, to

yield_connection(conn, lp_servicename(SNUM(conn)));

In this case, snum is 1:
(gdb) p (conn)->params->service
$3 = 1

The corresponding entry in ServicePtrs is NULL:

(gdb) p *ServicePtrs[1]
$4 = {valid = false, autoloaded = false, usershare = 0, usershare_last_mod
= {tv_sec = 0, tv_nsec = 0}, szService = 0x0, szPath = 0x0, szUsername =
0x0, szInvalidUsers = 0x0,
  szValidUsers = 0x0, szAdminUsers = 0x0,............

Can you please let me know why the ServicePtrs entry can become NULL?

BTW, we are running Samba version 3.6.12 with additional code changes.
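The failure mode described in the post, a lookup that returns NULL for an invalid service entry and an unchecked fixed-size copy of that NULL, can be shown in isolation. The following is an added example, not Samba code: the structs service_entry and conn_key, the table service_table, and the functions lookup_servicename, build_conn_key and yield_connection_checked are all constructed stand-ins for ServicePtrs, the connections key, lp_servicename and yield_connection, and the bounded copy uses snprintf because strlcpy is not part of standard C. The point it demonstrates is that the NULL must be rejected before the copy, and that the connection teardown then fails with an error code instead of a SIGSEGV.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one entry of a service table such as
 * ServicePtrs[]: an entry can exist but be marked invalid and carry no name,
 * which is what the gdb output in the post shows for ServicePtrs[1]. */
struct service_entry {
    bool valid;
    const char *szService;   /* NULL when the entry was never populated */
};

/* Constructed stand-in for the fixed-size key of a connections record;
 * the name field is a bounded char array, as with the real key. */
struct conn_key {
    int cnum;
    char name[32];
};

/* Constructed table: slot 0 is a usable share, slot 1 is invalid and nameless. */
static const struct service_entry service_table[] = {
    { true,  "data" },
    { false, NULL   },
};
static const size_t num_services =
    sizeof(service_table) / sizeof(service_table[0]);

/* Stand-in for lp_servicename(snum): returns NULL for an out-of-range number
 * or an invalid entry. Callers must treat NULL as a possible result. */
const char *lookup_servicename(int snum)
{
    if (snum < 0 || (size_t)snum >= num_services) {
        return NULL;
    }
    if (!service_table[snum].valid) {
        return NULL;
    }
    return service_table[snum].szService;
}

/* Guarded key construction: a NULL or empty name is reported, not copied.
 * Returns 0 on success, -1 when no usable name was supplied. */
int build_conn_key(struct conn_key *key, int cnum, const char *name)
{
    if (key == NULL) {
        return -1;
    }
    memset(key, 0, sizeof(*key));
    key->cnum = cnum;
    if (name == NULL || name[0] == '\0') {
        /* key->name stays zeroed; the caller decides what to do. */
        return -1;
    }
    /* Bounded copy with guaranteed NUL termination; over-long names truncate. */
    snprintf(key->name, sizeof(key->name), "%s", name);
    return 0;
}

/* Guarded equivalent of yield_connection(conn, lp_servicename(SNUM(conn))):
 * look the name up, and only build the record key when the name is usable. */
int yield_connection_checked(int cnum, int snum)
{
    struct conn_key key;
    const char *name = lookup_servicename(snum);

    if (build_conn_key(&key, cnum, name) != 0) {
        fprintf(stderr, "cnum %d: service %d has no valid name, skipping\n",
                cnum, snum);
        return -1;
    }
    /* A real implementation would now delete the record addressed by key. */
    return 0;
}

int main(void)
{
    printf("snum 0 -> %d\n", yield_connection_checked(7, 0));
    printf("snum 1 -> %d\n", yield_connection_checked(7, 1));
    return 0;
}
```

Run stand-alone, the first call succeeds and the second logs the invalid service and returns -1 instead of crashing; the unguarded equivalent in the backtrace is the same flow with the NULL check missing.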


More information about the samba-technical mailing list