Seg fault with "net sam mapunixgroup"

Abhidnya Joshi Abhidnya_Joshi at symantec.com
Mon Jun 1 03:30:16 MDT 2015


Hi All,

I went through the gdb stack trace, and the reason is again that map->nt_name is a NULL pointer. I tried again with the following diff:

diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c
index 9fe7b63..a2b4df8 100644
--- a/source3/utils/net_sam.c
+++ b/source3/utils/net_sam.c
@@ -849,6 +849,8 @@ static NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *map)
                return NT_STATUS_GROUP_EXISTS;
        }

+       map->nt_name = talloc_asprintf(map, "%s", grp->gr_name);
+
       if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
                if (!pdb_new_rid(&rid)) {
                        DEBUG(3, ("Could not get a new RID for %s\n",
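Review bot: the added `map->nt_name = talloc_asprintf(map, "%s", grp->gr_name);` at the top of this hunk overwrites map->nt_name unconditionally, whereas the message below reports that pdb_getgrgid already populates it when an entry exists; the guarded form posted earlier in the thread (`if (map->nt_name == NULL) { ... }`) keeps a value that is already set. The talloc_asprintf result is also not checked, so on allocation failure map->nt_name stays NULL and tdb_pack_va hits the same strlen() crash. Suggest keeping the NULL guard and adding `if (map->nt_name == NULL) return NT_STATUS_NO_MEMORY;` after the assignment; talloc_strdup(map, grp->gr_name) does the same job as talloc_asprintf with a bare "%s".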

And it works.

However, what I have observed is that map->nt_name gets populated after the call to pdb_getgrgid, and when there already exists at least one entry in the group db.
Please let me know your views.

Thanks and Regards
Abhidnya Joshi
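As an added illustration, not Samba code: the struct and functions below are hypothetical stand-ins for GROUP_MAP, tdb_pack and the guarded population of nt_name discussed in this thread. The program models the crash path (a string conversion reaching strlen() with a NULL pointer) and the two checks that close it: refusing a NULL string in the packer, and filling nt_name only when it is still unset while reporting allocation failure.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Samba's GROUP_MAP (hypothetical; only the fields seen in gdb). */
struct group_map {
    unsigned gid;
    char *nt_name;      /* NULL in the crashing run above */
    char *comment;
};

/*
 * Minimal packer in the spirit of tdb_pack(): "d" packs a 32-bit value,
 * "f" packs a NUL-terminated string.  Unlike the real tdb_pack_va(), which
 * calls strlen() on the string unconditionally, a NULL string argument is
 * rejected (return 0) instead of being dereferenced.  With buf == NULL the
 * function only measures, the way tdb_pack is used to size a buffer.
 */
size_t safe_pack(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    size_t len = 0;

    va_start(ap, fmt);
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p == 'd') {
            unsigned v = va_arg(ap, unsigned);
            if (buf != NULL && len + sizeof v <= bufsize)
                memcpy(buf + len, &v, sizeof v);
            len += sizeof v;
        } else if (*p == 'f') {
            const char *s = va_arg(ap, const char *);
            if (s == NULL) {            /* this is where the real code crashed */
                va_end(ap);
                return 0;
            }
            size_t n = strlen(s) + 1;
            if (buf != NULL && len + n <= bufsize)
                memcpy(buf + len, s, n);
            len += n;
        } else {                        /* unknown conversion: refuse */
            va_end(ap);
            return 0;
        }
    }
    va_end(ap);
    return len;
}

/* Fill nt_name from the unix group name only if it is not already set,
   the guarded form posted earlier in the thread.  Returns 1 on success. */
int ensure_nt_name(struct group_map *map, const char *unix_name)
{
    if (map->nt_name != NULL)
        return 1;                       /* keep a value already set by the lookup */
    size_t n = strlen(unix_name) + 1;
    map->nt_name = malloc(n);
    if (map->nt_name == NULL)
        return 0;                       /* allocation failure must be reported */
    memcpy(map->nt_name, unix_name, n);
    return 1;
}

/* Pack the fields of a map the way add_mapping_entry feeds them to tdb_pack. */
size_t pack_map(const struct group_map *map, char *buf, size_t bufsize)
{
    return safe_pack(buf, bufsize, "dff", map->gid,
                     (const char *)map->nt_name, (const char *)map->comment);
}

/* Constructed sample matching the gdb values above: gid 1004, nt_name NULL,
   comment "Unix Group nogroup".  Returns the packed size after the fix. */
size_t demo(void)
{
    struct group_map map = { 1004, NULL, "Unix Group nogroup" };
    size_t before = pack_map(&map, NULL, 0);      /* 0: NULL name rejected */
    if (!ensure_nt_name(&map, "nogroup"))
        return 0;
    size_t after = pack_map(&map, NULL, 0);       /* 4 + 8 + 19 = 31 bytes */
    free(map.nt_name);
    return before == 0 ? after : 0;
}

int main(void)
{
    printf("packed size after populating nt_name: %zu\n", demo());
    return 0;
}
```

The packer check is the defensive layer: even if a caller forgets to populate nt_name, the record is refused rather than the process dying in strlen(). The caller-side check mirrors the observation that a prior lookup may already have filled the field, so the value is only supplied when missing.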

From: Richard Sharpe [mailto:realrichardsharpe at gmail.com]
Sent: Wednesday, May 27, 2015 2:34 PM
To: Abhidnya Joshi
Cc: samba-technical at lists.samba.org
Subject: Re: Seg fault with "net sam mapunixgroup"

On Wednesday, May 27, 2015, Abhidnya Joshi <Abhidnya_Joshi at symantec.com> wrote:
> Hi Richard,
>
> What I can see from the code is that add_mapping_entry calls tdb_pack with NULL, which gets passed to tdb_pack and tdb_pack_va.
>
> tdb_pack is not changing it.

Ok, but the stack trace suggests that buf is an invalid pointer. Where was it set up?


> Thanks and Regards
> Abhidnya Joshi
>
>
> -----Original Message-----
> From: Richard Sharpe [mailto:realrichardsharpe at gmail.com]
> Sent: Wednesday, May 27, 2015 2:04 PM
> To: Abhidnya Joshi
> Cc: samba-technical at lists.samba.org
> Subject: Re: Seg fault with "net sam mapunixgroup"
>
> On Tue, May 26, 2015 at 10:27 PM, Abhidnya Joshi <Abhidnya_Joshi at symantec.com> wrote:
>> Hi,
>>
>> We are using Samba-4.1.16. We always get a seg fault with "net sam mapunixgroup".
>>
>> The gdb shows stack as follows:
>> (gdb)
>> #0  0x00007f2fe4276451 in __strlen_sse2 () from /lib64/libc.so.6
>> #1  0x00007f2fe5d87187 in tdb_pack_va (buf=0x8 <Address 0x8 out of
>> bounds>,bufsize=0, fmt=0x7f2fe6c7666c "f", ap=0x7fffaefbe7a0) at
>> ../source3/lib/util_tdb.c:98
>> #2  0x00007f2fe5d87743 in tdb_pack (buf=<value optimized out>,
>> bufsize=<value optimized out>, fmt=<value optimized out>) at
>> ../source3/lib/util_tdb.c:138
>> #3  0x00007f2fe6c54828 in add_mapping_entry (map=0x7f2fee274f60,
>> flag=<value optimized out>) at ../source3/groupdb/mapping_tdb.c:148
>> #4  0x00007f2fe6c51c82 in pdb_default_add_group_mapping_entry
>> (methods=<value optimized out>, map=0x7f2fee274f60) at
>> ../source3/groupdb/mapping.c:459
>> #5  0x00007f2fe6c4e695 in pdb_add_group_mapping_entry
>> (map=0x7f2fee274f60) at ../source3/passdb/pdb_interface.c:849
>> #6  0x00007f2fec101aba in map_unix_group (c=<value optimized out>,
>> argc=<value optimized out>, argv=0x7f2fee26f928) at
>> ../source3/utils/net_sam.c:865
>> #7  net_sam_mapunixgroup (c=<value optimized out>, argc=<value
>> optimized out>, argv=0x7f2fee26f928) at ../source3/utils/net_sam.c:893
>> #8  0x00007f2fec0fd3cc in net_sam (c=0x7f2fee26d360,
>> argc=2,argv=0x7f2fee26f920) at ../source3/utils/net_sam.c:2280
>> #9  0x00007f2fec0cbb56 in main (argc=5, argv=0x7fffaefbf648) at
>> ../source3/utils/net.c:960
>> (gdb) f 3
>> #3  0x00007f2fe6c54828 in add_mapping_entry (map=0x7f2fee274f60, flag=<value optimized out>) at ../source3/groupdb/mapping_tdb.c:148
>> 148     ../source3/groupdb/mapping_tdb.c: No such file or directory. in ../source3/groupdb/mapping_tdb.c
>> (gdb) p map->sid_name_use
>> $1 = SID_NAME_DOM_GRP
>> (gdb) p map->comment
>> $2 = 0x7f2fee2766d0 "Unix Group nogroup"
>> (gdb) p map->gid
>> $3 = 1004
>> (gdb) p map->nt_name
>> $4 = 0x0
>> (gdb)
>>
>> It seems that strlen dumps core as map->nt_name is a NULL pointer. I reran this, populating nt_name the way the earlier Samba version (3.6.24) populates it, and it works.
>> In the map_unix_group function, as:
>>        if (map->nt_name == NULL) {
>>                map->nt_name = talloc_asprintf(map, "%s", grp->gr_name);
>>                DEBUG(10, ("Populate map->nt_name with %s\n", grp->gr_name));
>>        }
>>
>> May I know if I am missing anything?
>
> So, the second function on the stack trace suggests that buf is actually an invalid pointer. Perhaps it was uninitialized somewhere along the way.
>
> Can you see why that invalid buffer is turning up there?
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

