Seg fault with "net sam mapunixgroup"

Richard Sharpe realrichardsharpe at gmail.com
Wed May 27 02:34:28 MDT 2015


On Tue, May 26, 2015 at 10:27 PM, Abhidnya Joshi
<Abhidnya_Joshi at symantec.com> wrote:
> Hi,
>
> We are using Samba-4.1.16. We always get a seg fault with "net sam mapunixgroup".
>
> The gdb shows stack as follows:
> (gdb)
> #0  0x00007f2fe4276451 in __strlen_sse2 () from /lib64/libc.so.6
> #1  0x00007f2fe5d87187 in tdb_pack_va (buf=0x8 <Address 0x8 out of bounds>, bufsize=0, fmt=0x7f2fe6c7666c "f", ap=0x7fffaefbe7a0) at ../source3/lib/util_tdb.c:98
> #2  0x00007f2fe5d87743 in tdb_pack (buf=<value optimized out>, bufsize=<value optimized out>, fmt=<value optimized out>) at ../source3/lib/util_tdb.c:138
> #3  0x00007f2fe6c54828 in add_mapping_entry (map=0x7f2fee274f60, flag=<value optimized out>) at ../source3/groupdb/mapping_tdb.c:148
> #4  0x00007f2fe6c51c82 in pdb_default_add_group_mapping_entry (methods=<value optimized out>, map=0x7f2fee274f60) at ../source3/groupdb/mapping.c:459
> #5  0x00007f2fe6c4e695 in pdb_add_group_mapping_entry (map=0x7f2fee274f60) at ../source3/passdb/pdb_interface.c:849
> #6  0x00007f2fec101aba in map_unix_group (c=<value optimized out>, argc=<value optimized out>, argv=0x7f2fee26f928) at ../source3/utils/net_sam.c:865
> #7  net_sam_mapunixgroup (c=<value optimized out>, argc=<value optimized out>, argv=0x7f2fee26f928) at ../source3/utils/net_sam.c:893
> #8  0x00007f2fec0fd3cc in net_sam (c=0x7f2fee26d360, argc=2, argv=0x7f2fee26f920) at ../source3/utils/net_sam.c:2280
> #9  0x00007f2fec0cbb56 in main (argc=5, argv=0x7fffaefbf648) at ../source3/utils/net.c:960
> (gdb) f 3
> #3  0x00007f2fe6c54828 in add_mapping_entry (map=0x7f2fee274f60, flag=<value optimized out>) at ../source3/groupdb/mapping_tdb.c:148
> 148     ../source3/groupdb/mapping_tdb.c: No such file or directory. in ../source3/groupdb/mapping_tdb.c
> (gdb) p map->sid_name_use
> $1 = SID_NAME_DOM_GRP
> (gdb) p map->comment
> $2 = 0x7f2fee2766d0 "Unix Group nogroup"
> (gdb) p map->gid
> $3 = 1004
> (gdb) p map->nt_name
> $4 = 0x0
> (gdb)
>
> It seems that strlen dumps core as map->nt_name is a NULL pointer.  I reran this by populating nt_name the way the earlier Samba version (3.6.24) populates it, and it works.
> In the map_unix_group function, as:
>        if (map->nt_name == NULL) {
>                map->nt_name = talloc_asprintf(map, "%s", grp->gr_name);
>                DEBUG(10, ("Populate map->nt_name with %s\n", grp->gr_name));
>        }
>
> May I know if I am missing anything?

So, the second function on the stack trace suggests that buf is
actually an invalid pointer. Perhaps it was uninitialized somewhere
along the way.

Can you see why that invalid buffer is turning up there?

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. --Cao Cao)
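The crash class shown in the trace above, as an added example that is not Samba's code: a minimal "ddff"-style packer written in the two-pass size-then-fill shape that frame #3 suggests (the sizing call passes buf=NULL and bufsize=0, which matches the bufsize=0 in frame #1), with the one change that a NULL pointer for an 'f' conversion is rejected before it can reach strlen(). The names pack_va_checked, pack_checked, pack_group_map, default_nt_name and struct group_map are hypothetical stand-ins, and the sample record values are constructed from the gdb output in the original message.

```c
/* Added example, not Samba's tdb_pack(): a tiny variadic packer for the
 * format letters used in the trace. 'd' packs a 32-bit little-endian
 * integer, 'f' packs a NUL-terminated string. Hypothetical names throughout. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct group_map {            /* hypothetical stand-in for the GROUP_MAP fields in the trace */
    uint32_t gid;
    uint32_t sid_name_use;
    const char *nt_name;
    const char *comment;
};

/* Returns the number of bytes the record needs, copying into buf only
 * when bufsize is large enough (so buf=NULL, bufsize=0 is a pure sizing
 * pass). Returns -1 for an unknown format letter or a NULL 'f' argument:
 * an unchecked packer would call strlen(NULL) here, which is the fault
 * seen in frame #0 of the trace. */
static int pack_va_checked(uint8_t *buf, int bufsize, const char *fmt, va_list ap)
{
    int len = 0;
    for (; *fmt; fmt++) {
        int w;
        switch (*fmt) {
        case 'd': {
            uint32_t d = va_arg(ap, uint32_t);
            w = 4;
            if (bufsize >= len + w) {
                buf[len + 0] = (uint8_t)(d & 0xff);
                buf[len + 1] = (uint8_t)((d >> 8) & 0xff);
                buf[len + 2] = (uint8_t)((d >> 16) & 0xff);
                buf[len + 3] = (uint8_t)((d >> 24) & 0xff);
            }
            break;
        }
        case 'f': {
            const char *s = va_arg(ap, const char *);
            if (s == NULL)
                return -1;        /* refuse the record instead of faulting in strlen() */
            w = (int)strlen(s) + 1;
            if (bufsize >= len + w)
                memcpy(buf + len, s, (size_t)w);
            break;
        }
        default:
            return -1;
        }
        len += w;
    }
    return len;
}

static int pack_checked(uint8_t *buf, int bufsize, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = pack_va_checked(buf, bufsize, fmt, ap);
    va_end(ap);
    return r;
}

/* Size-then-fill, the shape frame #3 implies. Returns the record length and
 * hands back a malloc'd buffer in *out, or returns -1 and leaves *out NULL. */
static int pack_group_map(const struct group_map *m, uint8_t **out)
{
    int len;
    *out = NULL;
    len = pack_checked(NULL, 0, "ddff", m->gid, m->sid_name_use, m->nt_name, m->comment);
    if (len < 0)
        return -1;
    *out = malloc((size_t)len);
    if (*out == NULL)
        return -1;
    if (pack_checked(*out, len, "ddff", m->gid, m->sid_name_use, m->nt_name, m->comment) != len) {
        free(*out);
        *out = NULL;
        return -1;
    }
    return len;
}

/* The poster's workaround expressed here: fall back to the Unix group name
 * when the mapping carries no NT name. */
static void default_nt_name(struct group_map *m, const char *unix_name)
{
    if (m->nt_name == NULL)
        m->nt_name = unix_name;
}

int main(void)
{
    /* Constructed from the gdb output: gid 1004, comment "Unix Group nogroup",
     * nt_name NULL. sid_name_use 2 is only a sample value. */
    struct group_map m = { 1004, 2, NULL, "Unix Group nogroup" };
    uint8_t *rec = NULL;
    int len = pack_group_map(&m, &rec);
    printf("with nt_name NULL: %d\n", len);            /* -1, no crash */
    default_nt_name(&m, "nogroup");
    len = pack_group_map(&m, &rec);
    printf("after defaulting nt_name: %d bytes\n", len);
    free(rec);
    return 0;
}
```

Whether a packer should reject a NULL string or substitute an empty one is a policy choice; rejecting it surfaces the missing field at the caller, which is where the poster's workaround puts the fix.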

