Bug 1334356
Summary: | ntlm_auth SEGV | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | David Woodhouse <dwmw2> | ||||
Component: | samba | Assignee: | Guenther Deschner <gdeschner> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 23 | CC: | abokovoy, asn, dwmw2, gdeschner, jarrpa, jlayton, lmohanty, madam, metze, sbose, ssorce | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | samba-4.3.10-0.fc23 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2016-06-19 07:24:33 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
David Woodhouse
2016-05-09 12:33:13 UTC
Hello David, I tried to reproduce this today (with samba-4.3.8-0.fc23.x86_64) but I couldn't. Can you share your config and describe briefly your setup? Thanks! Guenther client NTLMv2 auth = no Here's 4.3.8-0.fc23 (the above was 4.3.9-0.fc23) with debuginfo: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, format=<optimized out>, format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631 1631 process_string_arg (((struct printf_spec *) NULL)); (gdb) bt #0 0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, format=<optimized out>, format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631 #1 0x00007ffff51e3e76 in ___vsnprintf_chk ( s=s@entry=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end", maxlen=<optimized out>, maxlen@entry=1024, flags=flags@entry=1, slen=slen@entry=1024, format=format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", args=args@entry=0x7fffffffcbf8) at vsnprintf_chk.c:63 #2 0x00007ffff56a8dbe in vsnprintf (__ap=0x7fffffffcbf8, __fmt=<optimized out>, __n=1024, __s=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end") at /usr/include/bits/stdio2.h:77 #3 talloc_vasprintf (t=t@entry=0x0, fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffd068) at ../talloc.c:2440 #4 0x00007ffff56a477c in talloc_log ( fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n") at ../talloc.c:370 #5 0x00007ffff56aab5a in talloc_chunk_from_ptr (ptr=0x7ffff673d9c3) at ../talloc.c:432 #6 _talloc_steal_loc (new_ctx=new_ctx@entry=0x5555557928b0, ---Type <return> to continue, or q <return> to quit--- ptr=0x7ffff673d9c3, location=location@entry=0x7ffff56b0cef "../talloc.c:1927") at ../talloc.c:1219 #7 0x00007ffff56aab93 in _talloc_move (new_ctx=new_ctx@entry=0x5555557928b0, _pptr=_pptr@entry=0x7fffffffd218) at ../talloc.c:1927 #8 0x00007ffff7374cfe in ntlmssp_client_challenge ( gensec_security=0x555555792310, out_mem_ctx=0x555555791c40, in=..., out=0x7fffffffd580) at ../auth/ntlmssp/ntlmssp_client.c:354 #9 0x00007ffff737360f in gensec_ntlmssp_update ( gensec_security=0x555555792310, out_mem_ctx=0x555555791c40, ev=<optimized out>, input=..., out=0x7fffffffd580) at ../auth/ntlmssp/ntlmssp.c:176 #10 0x00007ffff737d612 in gensec_update_ev (gensec_security=0x555555792310, out_mem_ctx=0x555555791c40, ev=0x555555792dc0, ev@entry=0x0, in=..., out=0x7fffffffd580) at ../auth/gensec/gensec.c:303 #11 0x00007ffff737d657 in gensec_update (gensec_security=<optimized out>, out_mem_ctx=<optimized out>, in=..., out=<optimized out>) at ../auth/gensec/gensec.c:372 #12 0x000055555555bbfe in manage_gensec_request ( stdio_helper_mode=NTLMSSP_CLIENT_1, lp_ctx=<optimized out>, buf=<optimized out>, private1=<optimized out>, length=<optimized out>) at ../source3/utils/ntlm_auth.c:1467 #13 0x00005555555593b3 in manage_squid_request ( ---Type <return> to continue, or q <return> to quit--- stdio_helper_mode=NTLMSSP_CLIENT_1, lp_ctx=0x555555784050, state=0x555555791800, fn=0x55555555c8d0 <manage_client_ntlmssp_request>, private2=0x0) at ../source3/utils/ntlm_auth.c:2040 #14 0x0000555555558d5b in squid_stream ( fn=0x55555555c8d0 <manage_client_ntlmssp_request>, lp_ctx=0x555555784050, stdio_mode=NTLMSSP_CLIENT_1) at ../source3/utils/ntlm_auth.c:2074 #15 main (argc=<optimized out>, argv=<optimized out>) at ../source3/utils/ntlm_auth.c:2317 (Not the same run...) #8 0x00007ffff7374cfe in ntlmssp_client_challenge ( gensec_security=0x555555792360, out_mem_ctx=0x555555791470, in=..., out=0x7fffffffd570) at ../auth/ntlmssp/ntlmssp_client.c:354 354 ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain); (gdb) p server_domain $3 = 0x7ffff673d9c3 "" In /proc/$pid/maps it seems that server_domain is pointing to a static "" string in libcliauth-samba4.so, instead of something that was allocated. We probably weren't expecting msrpc_parse() to do that? The talloc library crapping itself when trying to report this, is obviously a separate issue. Right, have it reproduced and a possible fix, hold on. Created attachment 1155392 [details]
possible fix
The upstream bug is https://bugzilla.samba.org/show_bug.cgi?id=11912 Thanks Stefan, just saw I came up with the exact same patch 45 minutes later than yours :-) Scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=13991277 And for f24 at http://koji.fedoraproject.org/koji/taskinfo?taskID=14166983 samba-4.3.10-0.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-de8ba50085 samba-4.3.10-0.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-de8ba50085 samba-4.3.10-0.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |