v2.2.3a: spoolss related SIGSEGV on Solaris

Neil Hoggarth neil.hoggarth at physiol.ox.ac.uk
Thu Feb 14 03:48:06 GMT 2002


SERVER:

SunBlade 1000 workstation with Solaris 8 01/01, running Samba 2.2.3a
release version. Also tried on a SunBlade 100 workstation running
Solaris 8 10/01, with the same results.

CLIENT:

Windows 2000 Professional Editions (running under VMware 2.0.4),
*without* the "File and Printer Sharing for Microsoft Networks"
component installed (problem does not seem to occur if File and Printer
Sharing is installed on the client).

PROBLEM:

I can repeatably crash smbd from Samba 2.2.3a (and a CVS 2.2.3-pre
version from mid-January) with an "INTERNAL ERROR:  Signal 11 ..."
message, by going to the Printers control panel on the client and
double-clicking the icon for a network print queue served from the Samba
server.

I realize that the client configuration is non-default, and possibly not
typical of how people have their Windows 2000 workstations set up. I
thought that I'd report the error anyway, given that MS appear to allow
one to remove the File and Printer Sharing component easily enough in
Windows 2000 (my recollection is that this was not the case in NT 4) and
that it doesn't seem an unreasonable configuration for a paranoid
sysadmin who is setting up a pure workstation to adopt. I think that
smbd ought to be robust if it finds itself unable to make an SMB
connection back to the client.

I enclose a gdb stack trace, followed by a few observations:

#0  0x8b548 in cli_errstr (cli=0x1b6f28) at
     /usr/local/src/samba-2.2.3a/source/libsmb/clierror.c:75
#1  0xf915c in spoolss_connect_to_client (cli=0x1b6f28,
    remote_machine=0xffbeed58 "PC-MIKE-2K")
    at /usr/local/src/samba-2.2.3a/source/rpc_client/cli_spoolss_notify.c:73
#2  0xba948 in srv_spoolss_replyopenprinter (printer=0x282ad0
    "\\\\PC-MIKE-2K", localprinter=8, type=1, handle=0x282bd8)
    at /usr/local/src/samba-2.2.3a/source/rpc_server/srv_spoolss_nt.c:1370
#3  0xbab10 in _spoolss_rffpcnex (p=0x2829a8, q_u=0xffbeef40,
    r_u=0xffbeef38) at
    /usr/local/src/samba-2.2.3a/source/rpc_server/srv_spoolss_nt.c:1426
#4  0xb5554 in api_spoolss_rffpcnex (p=0x278b50) at
   /usr/local/src/samba-2.2.3a/source/rpc_server/srv_spoolss.c:266
#5  0xb49d8 in api_rpcTNP (p=0x278b50, rpc_name=0x15d718
    "api_spoolss_rpc", api_rpc_cmds=0x195d1c)
    at /usr/local/src/samba-2.2.3a/source/rpc_server/srv_pipe.c:1199
#6  0xb81c8 in api_spoolss_rpc (p=0x278b50) at
    /usr/local/src/samba-2.2.3a/source/rpc_server/srv_spoolss.c:1417
#7  0xb47b4 in api_pipe_request (p=0x278b50) at
    /usr/local/src/samba-2.2.3a/source/rpc_server/srv_pipe.c:1150
#8  0xa3a14 in process_request_pdu (p=0x278b50, rpc_in_p=0x27aa44)
    at /usr/local/src/samba-2.2.3a/source/rpc_server/srv_pipe_hnd.c:563
#9  0xa3c14 in process_complete_pdu (p=0x278b50) at
    /usr/local/src/samba-2.2.3a/source/rpc_server/srv_pipe_hnd.c:635
#10 0xa3ebc in process_incoming_data (p=0x278b50, data=0x285f28 "\216",
    n=150) at
    /usr/local/src/samba-2.2.3a/source/rpc_server/srv_pipe_hnd.c:731
#11 0xa404c in write_to_pipe (p=0x278b50, data=0x285f28 "\216", n=166)
    at /usr/local/src/samba-2.2.3a/source/rpc_server/srv_pipe_hnd.c:760
#12 0x46890 in api_fd_reply (conn=0x278b50, vuid=100, outbuf=0x235201
    "", setup=0x26, data=0x285f18 "\005", params=0x0, suwcnt=2,
    tdscnt=166, tpscnt=0, mdrcnt=1024, mprcnt=0) at
    /usr/local/src/samba-2.2.3a/source/smbd/ipc.c:306
#13 0x46ad0 in named_pipe (conn=0x1c8e98, vuid=100, outbuf=0x235201 "",
    name=0xffbef586 "", setup=0x275bd8, data=0x285f18 "\005", params=0x0,
    suwcnt=2, tdscnt=166, tpscnt=0, msrcnt=0, mdrcnt=1024, mprcnt=0)
    at /usr/local/src/samba-2.2.3a/source/smbd/ipc.c:350
#14 0x47288 in reply_trans (conn=0x1c8e98, inbuf=0x224db9 "",
    outbuf=0x235201 "", size=2, bufsize=65535)
    at /usr/local/src/samba-2.2.3a/source/smbd/ipc.c:500
#15 0x7a3f4 in switch_message (type=37, inbuf=0x224db9 "",
    outbuf=0x235201 "", size=246, bufsize=65535)
    at /usr/local/src/samba-2.2.3a/source/smbd/process.c:756
#16 0x7a480 in construct_reply (inbuf=0x224db9 "", outbuf=0x235201 "",
    size=246, bufsize=65535) at
    /usr/local/src/samba-2.2.3a/source/smbd/process.c:785
#17 0x7a72c in process_smb (inbuf=0x224db9 "", outbuf=0x235201 "") at
    /usr/local/src/samba-2.2.3a/source/smbd/process.c:879
#18 0x7b12c in smbd_process () at
    /usr/local/src/samba-2.2.3a/source/smbd/process.c:1267
#19 0x3b9fc in main (argc=0, argv=0xffbefd34) at
    /usr/local/src/samba-2.2.3a/source/smbd/server.c:825


The offending line in clierror.c reads:

  uint32 flgs2 = SVAL(cli->inbuf,smb_flg2), errnum;

I've used gdb to examine the *cli structure in cli_error() and the
calling function, spoolss_connect_to_client(). All its members are
zeroed and it seems to me that the immediate cause of the segfault is
attempting to dereference cli->inbuf.

Immediately preceding the fault_report() lines in the log.smbd
file, I have:

[2002/02/14 10:21:19, 0, pid=8049] /usr/local/src/samba-2.2.3a/source/libsmb/cliconnect.c:attempt_netbios_session_request(977)
  attempt_netbios_session_request: PC-MIKE-2K rejected the session for name *SMBSERVER with error Called name not present
[2002/02/14 10:21:19, 0, pid=8049] /usr/local/src/samba-2.2.3a/source/rpc_client/cli_spoolss_notify.c:spoolss_connect_to_client(73)

Log level is only set to 1 at the moment. Given that the problem is
reproducible, I can easily generate more detailed logs if required.

Regards,
-- 
Neil Hoggarth                                 Departmental Computer Officer
<neil.hoggarth at physiol.ox.ac.uk>                   Laboratory of Physiology
http://www.physiol.ox.ac.uk/~njh/                  University of Oxford, UK
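The immediate cause described in the report (a client structure whose members are all zero, so the error-string routine dereferences a NULL inbuf when the connection back to the client was never established) is shown below as an added example. It is not Samba's code and not the reporter's: `struct cli_state`, `make_cli_with_reply`, `make_zeroed_cli`, `reply_uses_nt_status_unchecked`, `reply_uses_nt_status` and `errstr_checked` are hypothetical stand-ins, and the buffer layout (inbuf starting at the "\xffSMB" magic, FLAGS2 at byte offset 10, bit 0x4000 marking 32-bit NT status codes) is an assumption chosen for the example rather than Samba's real inbuf layout. The "before" function has the shape that crashes; the "after" function treats "no reply available" as a distinct, loggable state instead of reading through the pointer.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a client connection state (NOT Samba's
 * cli_state). In the report every member of the real structure was zero, so
 * the pointer to the last received SMB was NULL. */
struct cli_state {
    unsigned char *inbuf;   /* last SMB received from the peer; NULL when no session exists */
    int fd;                 /* socket descriptor; 0 in the zeroed case */
};

/* Assumed buffer layout for this example: inbuf starts at the "\xffSMB" magic, so
 * FLAGS2 sits at byte offset 10 and bit 0x4000 announces 32-bit NT status codes. */
#define SMB_FLG2_OFFSET           10
#define FLAGS2_32_BIT_ERROR_CODES 0x4000
#define REPLY_NONE      (-1)
#define REPLY_DOS_ERROR 0
#define REPLY_NT_STATUS 1

/* Little-endian 16-bit read, in the spirit of Samba's SVAL() helper. */
static uint16_t sval(const unsigned char *buf, size_t off) {
    return (uint16_t)(buf[off] | (buf[off + 1] << 8));
}

/* Constructed fixture: a client that looks connected, holding a reply whose
 * FLAGS2 field is `flags2`. Uses one static buffer, so build fixtures one at a time. */
struct cli_state make_cli_with_reply(uint16_t flags2) {
    static unsigned char reply[64];
    memset(reply, 0, sizeof reply);
    memcpy(reply, "\xffSMB", 4);
    reply[SMB_FLG2_OFFSET]     = (unsigned char)(flags2 & 0xff);
    reply[SMB_FLG2_OFFSET + 1] = (unsigned char)(flags2 >> 8);
    struct cli_state cli = { reply, 3 };
    return cli;
}

/* Constructed fixture: the state the report describes, every member zero. */
struct cli_state make_zeroed_cli(void) {
    struct cli_state cli;
    memset(&cli, 0, sizeof cli);
    return cli;
}

/* "Before": the shape that crashed. It reads through inbuf unconditionally, so a
 * zeroed structure becomes a NULL dereference (SIGSEGV). Only ever call it with
 * a client that really holds a reply; it is here to show the difference. */
int reply_uses_nt_status_unchecked(const struct cli_state *cli) {
    uint16_t flgs2 = sval(cli->inbuf, SMB_FLG2_OFFSET);
    return (flgs2 & FLAGS2_32_BIT_ERROR_CODES) ? REPLY_NT_STATUS : REPLY_DOS_ERROR;
}

/* "After": "no reply buffer" is a distinct, reportable state, not a read. */
int reply_uses_nt_status(const struct cli_state *cli) {
    if (cli == NULL || cli->inbuf == NULL)
        return REPLY_NONE;
    uint16_t flgs2 = sval(cli->inbuf, SMB_FLG2_OFFSET);
    return (flgs2 & FLAGS2_32_BIT_ERROR_CODES) ? REPLY_NT_STATUS : REPLY_DOS_ERROR;
}

/* Error string for logging that is safe on every failure path, including the
 * one where the session back to the client was rejected before any reply. */
const char *errstr_checked(const struct cli_state *cli) {
    switch (reply_uses_nt_status(cli)) {
    case REPLY_NT_STATUS: return "NT status error in reply";
    case REPLY_DOS_ERROR: return "DOS error class/code in reply";
    default:              return "no SMB reply available (session not established)";
    }
}

int main(void) {
    struct cli_state ok = make_cli_with_reply(FLAGS2_32_BIT_ERROR_CODES);
    printf("connected: %s\n", errstr_checked(&ok));
    struct cli_state dead = make_zeroed_cli();
    printf("zeroed:    %s\n", errstr_checked(&dead));  /* the unchecked variant would SIGSEGV here */
    return 0;
}
```

The point for a server daemon is the caller's contract: a failed connect-back (here, the NetBIOS session request rejected with "Called name not present") must leave the code path with a state it can log without touching a reply that never arrived, so a misconfigured or hostile client cannot take smbd down merely by declining the session.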