Segfault in smbd: messaging_dgm_fde_active

Andrew Bartlett abartlet at
Mon Jul 9 23:12:29 UTC 2018

On Mon, 2018-07-09 at 14:06 +0200, Stefan Metzmacher wrote:
> Hi,
> > Ping!
> > 
> > I know it is the crunch before the release but it would be good not to
> > forget this.
> I looked at it and found the problem.
> With auth_winbind as AD DC, smbd creates two temporary
> imessaging_context structures, both using messaging_dgm_ref()
> internally.
> Then we free both of them when the authentication is done.
> So 'next' becomes a stale pointer in msg_dgm_ref_recv().
> The attached patch fixes this. I'm currently running
> a private autobuild with it.
> Please review and push:-)

I realise things are really hectic right now, but is there any chance
of a cmokca or smbtorture local test?

The only way we found this was via an obscure libsmbclient test known
to be flapping (and eventually reproduced under valgrind).  Given it is
'just' the order of free between those could we have a test that locks
that in and keeps it working?


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT

More information about the samba-technical mailing list