Smbd crash while closing connection

Shilpa K shilpa.krishnareddy at gmail.com
Wed Feb 25 02:23:33 MST 2015


Hello,

We have encountered an smbd crash with the following footprints:

Thread 7 (Thread 8038021c0 (LWP 101981)):
#0  0x0000000802e17ffc in thr_kill () from /lib/libc.so.7
#1  0x0000000802eb358b in abort () from /lib/libc.so.7
#2  0x0000000000798f41 in dump_core () at lib/fault.c:414
#3  0x00000000007a96ff in smb_panic (why=<optimized out>) at lib/util.c:1133
#4  0x00000000007995e2 in fault_report (sig=<optimized out>) at lib/fault.c:53
#5  sig_fault (sig=11) at lib/fault.c:76
#6  <signal handler called>
#7  0x0000000802e9320a in strlcpy () from /lib/libc.so.7
#8  0x00000000007b459b in connections_fetch_entry
(mem_ctx=0x803875050, conn=0x803849c50, name=0x0) at lib/conn_tdb.c:63
#9  0x00000000004b4de4 in yield_connection (conn=0x803849c50,
name=0x0) at smbd/connection.c:37
#10 0x000000000052556b in close_cnum (conn=0x803849c50, vuid=36947) at
smbd/service.c:1383
#11 0x0000000000539ec8 in smbd_smb2_tcon_destructor (tcon=0x8038674d0)
at smbd/smb2_tcon.c:138
#12 0x000000080297fe72 in _talloc_free_internal (ptr=0x8038674d0,
location=0xa3565a "smbd/smb2_tcon.c:339") at
../lib/talloc/talloc.c:826
#13 0x00000000005395be in smbd_smb2_request_process_tdis
(req=0x80424d110) at smbd/smb2_tcon.c:339
#14 0x0000000000535206 in smbd_smb2_request_dispatch (req=0x80424d110)
at smbd/smb2_server.c:1544
#15 0x0000000000535b4e in smbd_smb2_request_incoming
(subreq=0x80386c510) at smbd/smb2_server.c:2771
#16 0x0000000000533b7c in smbd_smb2_request_read_done
(subreq=0x80386c390) at smbd/smb2_server.c:2614
#17 0x00000000005cd861 in tstream_readv_pdu_queue_done
(subreq=0x80386ced0) at ../lib/tsocket/tsocket_helpers.c:423
#18 0x00000000005cdc13 in tstream_readv_pdu_readv_done
(subreq=0x80386cb10) at ../lib/tsocket/tsocket_helpers.c:316
#19 0x00000000005ccc92 in tstream_readv_done (subreq=0x80386cf90) at
../lib/tsocket/tsocket.c:604
#20 0x00000000007b91c0 in tevent_common_loop_immediate
(ev=0x80380e110) at ../lib/tevent/tevent_immediate.c:139
#21 0x00000000007b7485 in run_events_poll (ev=0x80380e110, pollrtn=0,
pfds=0x0, num_pfds=0) at lib/events.c:197
#22 0x0000000000523d5d in smbd_server_connection_loop_once
(conn=<optimized out>) at smbd/process.c:1005
#23 smbd_process (sconn=0x803811350) at smbd/process.c:3181
#24 0x0000000000a078d2 in smbd_accept_connection (ev=<optimized out>,
fde=<optimized out>, flags=<optimized out>, private_data=<optimized
out>) at smbd/server.c:675
#25 0x00000000007b77a1 in run_events_poll (ev=0x80380e110,
pollrtn=<optimized out>, pfds=0x803810990, num_pfds=7) at
lib/events.c:286
#26 0x00000000007b7c0f in s3_event_loop_once (ev=0x80380e110,
location=<optimized out>) at lib/events.c:349
#27 0x00000000007b7fc1 in _tevent_loop_once (ev=0x80380e110,
location=0xc15096 "smbd/server.c:981") at ../lib/tevent/tevent.c:494
#28 0x0000000000a095ee in smbd_parent_loop (parent=<optimized out>) at
smbd/server.c:981
#29 main (argc=<optimized out>, argv=<optimized out>) at smbd/server.c:1475


It is failing at the line below, as name is NULL:

strlcpy(ckey.name, name, sizeof(ckey.name));

I see that we are passing the service name, based on the service number, to

yield_connection(conn, lp_servicename(SNUM(conn)));


In this case, snum is 1:
(gdb) p (conn)->params->service
$3 = 1

The corresponding entry in ServicePtrs is NULL:

(gdb) p *ServicePtrs[1]
$4 = {valid = false, autoloaded = false, usershare = 0, usershare_last_mod
= {tv_sec = 0, tv_nsec = 0}, szService = 0x0, szPath = 0x0, szUsername =
0x0, szInvalidUsers = 0x0,
  szValidUsers = 0x0, szAdminUsers = 0x0,............

Can you please let me know why the ServicePtrs entry can become NULL?

BTW, we are running Samba version 3.6.12 with additional code changes.

Thanks,
Shilpa
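The failure chain above (an invalid ServicePtrs slot, lp_servicename() returning NULL, strlcpy() dereferencing it while building the connection key) can be modelled with a small fail-closed stand-in. This is an added example, not Samba code: service_ptrs, lp_servicename_ex, build_conn_key and yield_connection_ex are constructed here, and snprintf stands in for strlcpy so it builds on any libc.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one slot of Samba's ServicePtrs[] (not Samba's struct). */
struct service_entry {
    bool valid;
    const char *szService;      /* share name; NULL when the slot never became valid */
};

#define MAX_SERVICES 4
static struct service_entry service_ptrs[MAX_SERVICES] = {
    { true,  "IPC$"   },
    { false, NULL     },        /* snum 1: valid = false, szService = 0x0, as in the report */
    { true,  "public" },
};

/* Hypothetical lp_servicename(): yields NULL for an invalid or out-of-range snum. */
static const char *lp_servicename_ex(int snum)
{
    if (snum < 0 || snum >= MAX_SERVICES || !service_ptrs[snum].valid)
        return NULL;
    return service_ptrs[snum].szService;
}

/* Constructed key with a fixed-size name field, like ckey.name in the crash. */
struct conn_key {
    int cnum;
    char name[32];
};

/* Hardened key builder: reject a NULL name instead of letting the copy dereference it.
 * snprintf is a portable, truncating replacement for strlcpy here. */
static int build_conn_key(struct conn_key *ckey, int cnum, const char *name)
{
    if (name == NULL)
        return -1;              /* fail closed: nothing to look up, nothing to crash */
    memset(ckey, 0, sizeof *ckey);
    ckey->cnum = cnum;
    snprintf(ckey->name, sizeof ckey->name, "%s", name);
    return 0;
}

/* Hypothetical yield_connection(): 0 if the key was built, -1 if the share was skipped. */
int yield_connection_ex(int cnum, int snum)
{
    struct conn_key ckey;
    if (build_conn_key(&ckey, cnum, lp_servicename_ex(snum)) != 0) {
        fprintf(stderr, "snum %d has no valid service entry; skipping\n", snum);
        return -1;
    }
    return 0;
}
```

With the service table above, snum 0 and 2 build a key while snum 1 (the invalid slot) and any out-of-range snum return -1 instead of faulting.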


More information about the samba-technical mailing list