[PATCH] Patch for bug 11535

Ralph Böhme rb at sernet.de
Wed Sep 30 23:49:52 UTC 2015


On Wed, Sep 30, 2015 at 04:46:11PM -0700, Jeremy Allison wrote:
> On Wed, Sep 30, 2015 at 04:43:56PM -0700, Ralph Böhme wrote:
> > > On Wed, Sep 30, 2015 at 04:30:23PM -0700, Ralph Böhme wrote:
> > > > On Wed, Sep 30, 2015 at 04:17:52PM -0700, Jeremy Allison wrote:
> > > > > On Wed, Sep 30, 2015 at 04:09:00PM -0700, Ralph Böhme wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > adding a NULL check seems to be the natural thing to fix a crash I hit
> > > > > > when running MTM. This passes a private autobuild, so fingers crossed.
> > > > > 
> > > > > OK, I can't see a code path that leaves dirpath == NULL
> > > > > and getting to fail:
> > > > 
> > > > line 387?
> > > > 
> > > > As I can reproduce the issue I could check which code path actually
> > > > triggers this, in case you think adding the NULL check is just paving
> > > > over the problem not fixing it. :)
> > > 
> > > Oh, now I see it. It's my fault :-).
> > > 
> > > The fix I added to detect a 'raw' stream
> > > name means we can 'goto done;' without
> > > allocating dirpath.
> > > 
> > >     374                         if (smb_fname->base_name[0] == '\0') {
> > >     375                                 /*
> > >     376                                  * orig_name was just a stream name.
> > >     377                                  * This is a stream on the root of
> > >     378                                  * the share. Replace base_name with
> > >     379                                  * a "."
> > >     380                                  */
> > >     381                                 smb_fname->base_name =
> > >     382                                         talloc_strdup(smb_fname, ".");
> > >     383                                 if (smb_fname->base_name == NULL) {
> > >     384                                         status = NT_STATUS_NO_MEMORY;
> > >     385                                         goto err;
> > >     386                                 }
> > >     387                                 if (SMB_VFS_STAT(conn, smb_fname) != 0) {
> > >     388                                         status = map_nt_error_from_unix(errno);
> > >     389                                         goto err;
> > >     390                                 }
> > >     391                                 DEBUG(5, ("conversion finished %s -> %s\n",
> > >     392                                         orig_path,
> > >     393                                         smb_fname->base_name));
> > >     394                                 goto done;
> > >     395                         }
> > > 
> > > calls 'goto done;' before dirpath alloc. Sorry.
> > 
> > oh, so we have two bugs. :) Because "my" crash happens after fail
> > (dereferencing dirpath which is NULL at line 1016), not done.
> 
> Oh, so it's not me :-). done: calls TALLOC_FREE(dirpath);
> which is safe on NULL.
> 
> So yeah, I'd still love to see the reproducer level 10
> log with added debugs :-).

working on it, currently trying to figure out which test(s) from the
35 tests that test stream renames trigger this by running them
individually. We survived 10 so far. ;)

-slow

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt@sernet.de
