leases_db_del() can crash smbd when there's no record to delete

Youzhong Yang Youzhong.Yang at mathworks.com
Wed Jan 4 13:53:00 UTC 2017 

Sorry my bad. I was looking at 4.2.x code and didn't check master branch. The issue seems already fixed.



The crash in 4.2.x is here:



https://github.com/samba-team/samba/blob/v4-2-stable/source3/locking/leases_db.c#L311



if db_value.dsize is 0, it jumps to "out", and tries to TALLOC_FREE(value), but value is uninitialized.



-----Original Message-----
From: vlendec at samba.org [mailto:vlendec at samba.org] On Behalf Of Volker Lendecke
Sent: Wednesday, January 04, 2017 1:29 AM
To: Youzhong Yang <Youzhong.Yang at mathworks.com>
Cc: samba-technical at lists.samba.org
Subject: Re: leases_db_del() can crash smbd when there's no record to delete



On Tue, Jan 03, 2017 at 06:21:47PM +0000, Youzhong Yang wrote:

> Hi Volker,

>

> As I mentioned, in reality, it will never hit the crash condition of having nothing to delete from the db. We were testing something else which was able to crash smbd:

>

>    #0 /tmw-nas-3p/samba/lib/libsmbconf.so.0'log_stack_trace+0x1f [0xfffffd7fb937bfe6]

>    #1 /tmw-nas-3p/samba/lib/libsmbconf.so.0'smb_panic_s3+0x6f [0xfffffd7fb937be5a]

>    #2 /tmw-nas-3p/samba/lib/libsamba-util.so.0.0.1'smb_panic+0x28 [0xfffffd7fb8b57aa8]

>    #3 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_abort+0x45 [0xfffffd7fc21f4b43]

>    #4 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_abort_unknown_value+0x10 [0xfffffd7fc21f4bd1]

>    #5 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_chunk_from_ptr+0x75 [0xfffffd7fc21f4c48]

>    #6 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'_talloc_free+0x36 [0xfffffd7fc21f6ea3]

>    #7

> /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'leases_db_del+0x5

> 8a [0xfffffd7fb90cee18]



Which line number is this? If it's the only talloc_free call in leases_db_del, I really don't see how "rec" can end up with an invalid value for the talloc_free call.



Don't get me wrong -- I believe you fix something, but I would like to understand what is wrong right now.



Volker

More information about the samba-technical mailing list