Seg fault with "net sam mapunixgroup"

Abhidnya Joshi Abhidnya_Joshi at symantec.com
Wed May 27 02:44:50 MDT 2015


Hi Richard,

What I can see from the code is that add_mapping_entry calls tdb_pack with NULL, which is then passed through tdb_pack to tdb_pack_va.

tdb_pack is not changing it.

Thanks and Regards
Abhidnya Joshi


-----Original Message-----
From: Richard Sharpe [mailto:realrichardsharpe at gmail.com] 
Sent: Wednesday, May 27, 2015 2:04 PM
To: Abhidnya Joshi
Cc: samba-technical at lists.samba.org
Subject: Re: Seg fault with "net sam mapunixgroup"

On Tue, May 26, 2015 at 10:27 PM, Abhidnya Joshi <Abhidnya_Joshi at symantec.com> wrote:
> Hi,
>
> We are using Samba-4.1.16. We always get a segfault with "net sam mapunixgroup".
>
> gdb shows the stack as follows:
> (gdb)
> #0  0x00007f2fe4276451 in __strlen_sse2 () from /lib64/libc.so.6
> #1  0x00007f2fe5d87187 in tdb_pack_va (buf=0x8 <Address 0x8 out of 
> bounds>,bufsize=0, fmt=0x7f2fe6c7666c "f", ap=0x7fffaefbe7a0) at 
> ../source3/lib/util_tdb.c:98
> #2  0x00007f2fe5d87743 in tdb_pack (buf=<value optimized out>, 
> bufsize=<value optimized out>, fmt=<value optimized out>) at 
> ../source3/lib/util_tdb.c:138
> #3  0x00007f2fe6c54828 in add_mapping_entry (map=0x7f2fee274f60, 
> flag=<value optimized out>) at ../source3/groupdb/mapping_tdb.c:148
> #4  0x00007f2fe6c51c82 in pdb_default_add_group_mapping_entry 
> (methods=<value optimized out>, map=0x7f2fee274f60) at 
> ../source3/groupdb/mapping.c:459
> #5  0x00007f2fe6c4e695 in pdb_add_group_mapping_entry 
> (map=0x7f2fee274f60) at ../source3/passdb/pdb_interface.c:849
> #6  0x00007f2fec101aba in map_unix_group (c=<value optimized out>, 
> argc=<value optimized out>, argv=0x7f2fee26f928) at 
> ../source3/utils/net_sam.c:865
> #7  net_sam_mapunixgroup (c=<value optimized out>, argc=<value 
> optimized out>, argv=0x7f2fee26f928) at ../source3/utils/net_sam.c:893
> #8  0x00007f2fec0fd3cc in net_sam (c=0x7f2fee26d360, 
> argc=2,argv=0x7f2fee26f920) at ../source3/utils/net_sam.c:2280
> #9  0x00007f2fec0cbb56 in main (argc=5, argv=0x7fffaefbf648) at 
> ../source3/utils/net.c:960
> (gdb) f 3
> #3  0x00007f2fe6c54828 in add_mapping_entry (map=0x7f2fee274f60, flag=<value optimized out>) at ../source3/groupdb/mapping_tdb.c:148
> 148     ../source3/groupdb/mapping_tdb.c: No such file or directory. in ../source3/groupdb/mapping_tdb.c
> (gdb) p map->sid_name_use
> $1 = SID_NAME_DOM_GRP
> (gdb) p map->comment
> $2 = 0x7f2fee2766d0 "Unix Group nogroup"
> (gdb) p map->gid
> $3 = 1004
> (gdb) p map->nt_name
> $4 = 0x0
> (gdb)
>
> It seems that strlen dumps core because map->nt_name is a NULL pointer.  I reran this after populating nt_name the way the earlier Samba version (3.6.24) populates it, and it works.
> In the map_unix_group function, as follows:
>        if (map->nt_name == NULL) {
>                map->nt_name = talloc_asprintf(map, "%s", grp->gr_name);
>                DEBUG(10, ("Populate map->nt_name with %s\n", grp->gr_name));
>        }
>
> May I know if I am missing anything?

So, the second function on the stack trace suggests that buf is actually an invalid pointer. Perhaps it was uninitialized somewhere along the way.

Can you see why that invalid buffer is turning up there?

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
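The failure mode the thread describes, as an added example that is neither Samba's code nor the poster's: a toy printf-style packer in C whose "f" conversion reads a NUL-terminated string, the way the trace shows tdb_pack_va ending in strlen(). The format letters, the size-then-pack calling convention, the struct and all function names here are assumptions modelled loosely on the thread, not Samba's API. It shows the two places such a crash can be stopped: in the packer (refuse a NULL string argument and return an error) and in the caller (populate the field before packing, as the posted map_unix_group fix does).

```c
/* Added example, not Samba code. Toy packer: 'd' = uint32 little-endian,
 * 'f' = NUL-terminated string (assumed format letters). Returns the number
 * of bytes the packed data needs; bytes beyond bufsize are counted but not
 * written, so a first call with (NULL, 0) sizes the buffer. Returns -1 on a
 * NULL 'f' argument or an unknown conversion. */
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static long toy_pack_va(uint8_t *buf, size_t bufsize, const char *fmt, va_list ap)
{
    size_t len = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        switch (*p) {
        case 'd': {
            uint32_t v = va_arg(ap, uint32_t);
            if (len + 4 <= bufsize) {
                buf[len + 0] = (uint8_t)(v & 0xff);
                buf[len + 1] = (uint8_t)((v >> 8) & 0xff);
                buf[len + 2] = (uint8_t)((v >> 16) & 0xff);
                buf[len + 3] = (uint8_t)((v >> 24) & 0xff);
            }
            len += 4;
            break;
        }
        case 'f': {
            const char *s = va_arg(ap, const char *);
            if (s == NULL) return -1;     /* without this: strlen(NULL), as in the trace */
            size_t n = strlen(s) + 1;     /* include the terminating NUL */
            if (len + n <= bufsize) memcpy(buf + len, s, n);
            len += n;
            break;
        }
        default:
            return -1;
        }
    }
    return (long)len;
}

static long toy_pack(uint8_t *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    long n = toy_pack_va(buf, bufsize, fmt, ap);
    va_end(ap);
    return n;
}

/* Hypothetical stand-in for the mapping record in the thread. */
struct toy_group_map {
    uint32_t gid;
    char *nt_name;
    const char *comment;
};

/* Size-then-pack. Returns a malloc'd buffer and its length, or NULL if any
 * string field is NULL (the packer reports -1 instead of crashing). */
static uint8_t *pack_mapping(const struct toy_group_map *map, size_t *out_len)
{
    long need = toy_pack(NULL, 0, "dff", map->gid, map->nt_name, map->comment);
    if (need < 0) return NULL;
    uint8_t *buf = malloc((size_t)need);
    if (buf == NULL) return NULL;
    if (toy_pack(buf, (size_t)need, "dff", map->gid, map->nt_name, map->comment) != need) {
        free(buf);
        return NULL;
    }
    *out_len = (size_t)need;
    return buf;
}

/* Caller-side guard mirroring the posted fix: default nt_name to the Unix
 * group name. Returns 1 if it filled the field, 0 if already set, -1 on
 * allocation failure. */
static int ensure_nt_name(struct toy_group_map *map, const char *gr_name)
{
    if (map->nt_name != NULL) return 0;
    size_t n = strlen(gr_name) + 1;
    map->nt_name = malloc(n);
    if (map->nt_name == NULL) return -1;
    memcpy(map->nt_name, gr_name, n);
    return 1;
}

/* Walks the scenario from the thread with constructed values: nt_name NULL
 * (packing refused), then filled in (packing succeeds). Returns the packed
 * length on success, -1 on any unexpected result. */
static long run_scenario(void)
{
    struct toy_group_map map = { 1004, NULL, "Unix Group nogroup" };
    size_t len = 0;
    if (pack_mapping(&map, &len) != NULL) return -1;    /* must refuse NULL nt_name */
    if (ensure_nt_name(&map, "nogroup") != 1) return -1;
    uint8_t *buf = pack_mapping(&map, &len);
    if (buf == NULL) return -1;
    int ok = buf[0] == 0xec && buf[1] == 0x03 && memcmp(buf + 4, "nogroup", 8) == 0;
    free(buf);
    free(map.nt_name);
    return ok ? (long)len : -1;
}

int main(void)
{
    printf("packed length: %ld\n", run_scenario());
    return 0;
}
```

The packer-side check is the defensive one: a packer that takes a va_list cannot know which caller forgot to fill a field, so returning an error on NULL turns a segfault into a reportable failure. The caller-side default is the fix the poster tried; whether nt_name should legitimately be NULL at that point, and why buf shows up as 0x8 in frame #1, are the open questions in the thread and are not settled by this example.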

