leases_db_del() can crash smbd when there's no record to delete
Volker Lendecke
vl at samba.org
Wed Jan 4 06:29:23 UTC 2017
On Tue, Jan 03, 2017 at 06:21:47PM +0000, Youzhong Yang wrote:
> Hi Volker,
>
> As I mentioned, in reality, it will never hit the crash condition of having nothing to delete from the db. We were testing something else which was able to crash smbd:
>
> #0 /tmw-nas-3p/samba/lib/libsmbconf.so.0'log_stack_trace+0x1f [0xfffffd7fb937bfe6]
> #1 /tmw-nas-3p/samba/lib/libsmbconf.so.0'smb_panic_s3+0x6f [0xfffffd7fb937be5a]
> #2 /tmw-nas-3p/samba/lib/libsamba-util.so.0.0.1'smb_panic+0x28 [0xfffffd7fb8b57aa8]
> #3 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_abort+0x45 [0xfffffd7fc21f4b43]
> #4 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_abort_unknown_value+0x10 [0xfffffd7fc21f4bd1]
> #5 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_chunk_from_ptr+0x75 [0xfffffd7fc21f4c48]
> #6 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'_talloc_free+0x36 [0xfffffd7fc21f6ea3]
> #7 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'leases_db_del+0x58a [0xfffffd7fb90cee18]
Which line number is this? If it's the only talloc_free call in
leases_db_del, I really don't see how "rec" can end up with an invalid
value for the talloc_free call.
Don't get me wrong -- I believe you fix something, but I would like to
understand what is wrong right now.
Volker
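The failure mode the subject line describes, freeing whatever `rec` holds when the lookup found nothing, is easy to see in isolation. The following is an added example, not Samba's leases_db or talloc code, and it does not claim that this is what leases_db_del() actually does (that is the open question in the thread). It uses a constructed record store and a minimal talloc-style allocator whose `chunk_free()` recognises its own pointers by a magic word, the way talloc_chunk_from_ptr() does before talloc_abort_unknown_value() fires; here the unknown-pointer case is reported as a return value instead of a panic so the example runs safely. The names `db_del_unchecked`, `db_del_checked`, `store_fetch` and `STALE_RECORD` are all hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Results of the delete path. Names, store and record type are constructed
 * for this example; none of it is Samba's leases_db or talloc code. */
enum del_result { DEL_OK = 0, DEL_NOT_FOUND = 1, DEL_WOULD_PANIC = 2 };

/* Minimal talloc-like allocator: a magic word ahead of the payload lets
 * chunk_free() recognise its own pointers, the way talloc_chunk_from_ptr()
 * does before talloc_abort_unknown_value() fires on anything else. */
#define CHUNK_MAGIC 0x7A110C0Du
struct chunk { uint32_t magic; uint32_t size; };

static void *chunk_alloc(uint32_t n)
{
    struct chunk *c = malloc(sizeof(*c) + n);
    if (c == NULL) return NULL;
    c->magic = CHUNK_MAGIC;
    c->size = n;
    return c + 1;
}

/* 0 on success, -1 if ptr is not a live chunk. Real talloc_free() never
 * returns in that case: it panics, which is what the backtrace shows. */
static int chunk_free(void *ptr)
{
    if (ptr == NULL) return 0;                 /* talloc_free(NULL) is a no-op */
    struct chunk *c = (struct chunk *)ptr - 1;
    if (c->magic != CHUNK_MAGIC) return -1;
    c->magic = 0;
    free(c);
    return 0;
}

/* Memory never handed out by chunk_alloc(): its header word is zero, not the
 * magic. Stands in for the garbage an uninitialised `rec` would hold. */
static struct chunk stale_block[2];
#define STALE_RECORD ((struct lease_record *)&stale_block[1])

/* Toy record store keyed by a string (constructed for this example). */
struct lease_record { char key[16]; int state; };
#define MAX_RECORDS 4
static struct lease_record store[MAX_RECORDS];
static int store_used[MAX_RECORDS];

static int store_put(const char *key, int state)
{
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (!store_used[i]) {
            strncpy(store[i].key, key, sizeof(store[i].key) - 1);
            store[i].key[sizeof(store[i].key) - 1] = '\0';
            store[i].state = state;
            store_used[i] = 1;
            return 0;
        }
    }
    return -1;
}

/* Hands back an allocated copy of the record on success. On the not-found
 * path *rec is left untouched: that is the property the delete path must
 * respect. */
static int store_fetch(const char *key, struct lease_record **rec)
{
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (store_used[i] && strcmp(store[i].key, key) == 0) {
            struct lease_record *copy = chunk_alloc(sizeof(*copy));
            if (copy == NULL) return -1;
            *copy = store[i];
            *rec = copy;
            return 0;
        }
    }
    return -1;
}

static void store_erase(const char *key)
{
    for (int i = 0; i < MAX_RECORDS; i++)
        if (store_used[i] && strcmp(store[i].key, key) == 0) store_used[i] = 0;
}

/* Buggy shape: the fetch status is ignored, so when the key is absent the
 * single free at the end runs on whatever `rec` held beforehand. */
static enum del_result db_del_unchecked(const char *key)
{
    struct lease_record *rec = STALE_RECORD;   /* models an uninitialised local */
    store_fetch(key, &rec);
    store_erase(key);
    return chunk_free(rec) == 0 ? DEL_OK : DEL_WOULD_PANIC;
}

/* Fixed shape: bail out on not-found before anything is freed. */
static enum del_result db_del_checked(const char *key)
{
    struct lease_record *rec = NULL;
    if (store_fetch(key, &rec) != 0) return DEL_NOT_FOUND;
    store_erase(key);
    chunk_free(rec);                            /* always a live chunk here */
    return DEL_OK;
}
```

Deleting an existing key works with both shapes; deleting it a second time is where they diverge: `db_del_checked` returns DEL_NOT_FOUND, while `db_del_unchecked` reaches its only free call with a pointer the allocator does not own, which with real talloc is the talloc_abort_unknown_value() path in the backtrace above. The point to check in any such delete routine is therefore not the free call itself but whether every path to it guarantees `rec` was assigned by a successful fetch.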