Segfault in smbd: messaging_dgm_fde_active

Andrew Bartlett abartlet at samba.org
Mon Jul 9 23:12:29 UTC 2018


On Mon, 2018-07-09 at 14:06 +0200, Stefan Metzmacher wrote:
> Hi,
> 
> > Ping!
> > 
> > I know it is the crunch before the release but it would be good not to
> > forget this.
> 
> I looked at it and found the problem.
> 
> With auth_winbind as AD DC, smbd creates two temporary
> imessaging_context structures, both using messaging_dgm_ref()
> internally.
> 
> Then we free both of them when the authentication is done.
> So 'next' becomes a stale pointer in msg_dgm_ref_recv().
> 
> The attached patch fixes this. I'm currently running
> a private autobuild with it.
> 
> Please review and push :-)

I realise things are really hectic right now, but is there any chance
of a cmocka or smbtorture local test?

The only way we found this was via an obscure libsmbclient test known
to be flapping (and eventually reproduced under valgrind).  Given it is
'just' the order of free between those could we have a test that locks
that in and keeps it working?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
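The freeing-order hazard Stefan describes above, as an added example that is neither the attached patch nor Samba's own code: a constructed ref list where one receive callback frees both itself and the entry the dispatch loop had saved as 'next', with ref_free() advancing the shared loop cursor so the loop never touches freed memory. All names here (dgm_ref, ref_add, ref_free, dispatch_all) are hypothetical, and the scenario is the kind of deterministic check a local unit test could lock in.

```c
#include <stdlib.h>
/* Constructed model (not Samba code): receive callbacks may free refs, including the pending 'next'. */
struct dgm_ref {
	struct dgm_ref *prev, *next;
	void (*recv_fn)(struct dgm_ref *self, void *private_data);
	void *private_data;
};
static struct dgm_ref *refs;          /* list head */
static struct dgm_ref *dispatch_next; /* loop cursor, shared with ref_free() */

struct dgm_ref *ref_add(void (*fn)(struct dgm_ref *, void *), void *priv)
{
	struct dgm_ref *r = calloc(1, sizeof(*r));
	if (r == NULL) return NULL;
	r->recv_fn = fn; r->private_data = priv;
	r->next = refs;
	if (refs != NULL) refs->prev = r;
	refs = r;
	return r;
}

void ref_free(struct dgm_ref *r)
{
	/* If the dispatcher was about to visit r, move its cursor on first so 'next' never dangles. */
	if (dispatch_next == r) dispatch_next = r->next;
	if (r->prev != NULL) r->prev->next = r->next; else refs = r->next;
	if (r->next != NULL) r->next->prev = r->prev;
	free(r);
}

int dispatch_all(void) /* deliver one message to every live ref; returns callbacks invoked */
{
	int delivered = 0;
	for (struct dgm_ref *r = refs; r != NULL; r = dispatch_next) {
		dispatch_next = r->next;          /* saved before calling out */
		r->recv_fn(r, r->private_data);   /* may free r and/or next */
		delivered++;
	}
	return delivered;
}

/* Reported scenario: one callback frees the other ref (the pending 'next') and then itself. */
static void free_other_and_self(struct dgm_ref *self, void *other)
{
	if (other != NULL) ref_free(other);
	ref_free(self);
}
int scenario_free_both(void)
{
	struct dgm_ref *a = ref_add(free_other_and_self, NULL);
	ref_add(free_other_and_self, a); /* new head; a is its 'next' */
	return dispatch_all();           /* 1: a was freed before its turn */
}
```

Without the cursor fix-up in ref_free(), the loop would resume at the freed 'a', which is the stale-pointer read the report describes.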