[Bug 1094438] Re: Samba crashes invalid pointer: 0x00007f0bc3de7590
danb1974
1094438 at bugs.launchpad.net
Tue Jan 6 13:11:30 UTC 2015
I seem to have hit the same bug: invalid pointer free()d by
gssalloc_free(), called by gss_release_buffer().
It happens when a program installed on the DC connects to this Linux
machine requesting some registry keys (not knowing this is not a Windows
machine).
Here is a stack trace with full symbols:
Core was generated by `smbd -F'.
Program terminated with signal 6, Aborted.
#0 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f4458a0383b in __GI_abort () at abort.c:91
#2 0x00007f445be50eeb in dump_core () at lib/fault.c:391
#3 0x00007f445be5f5d1 in smb_panic (why=<optimized out>) at lib/util.c:1133
#4 0x00007f445be50838 in fault_report (sig=6) at lib/fault.c:53
#5 sig_fault (sig=6) at lib/fault.c:76
#6 <signal handler called>
#7 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#8 0x00007f4458a0383b in __GI_abort () at abort.c:91
#9 0x00007f4458a3e04e in __libc_message (do_abort=2, fmt=0x7f4458b485e0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#10 0x00007f4458a48846 in malloc_printerr (action=3, str=0x7f4458b44ee9 "free(): invalid pointer", ptr=<optimized out>) at malloc.c:5047
#11 0x00007f445b19db78 in gssalloc_free (value=<optimized out>) at ../../../include/gssapi/gssapi_alloc.h:22
#12 gss_release_buffer (minor_status=<optimized out>, buffer=0x7ffffef4b840) at ../../../../src/lib/gssapi/mechglue/g_rel_buffer.c:52
#13 0x00007f445beccca2 in gse_get_pac_blob (gse_ctx=<optimized out>, mem_ctx=0x7f445e2dce70, pac_blob=<optimized out>) at librpc/crypto/gse.c:731
#14 0x00007f445bd63a8b in gssapi_server_get_user_info (gse_ctx=0x7f445e2d8020, mem_ctx=0x7f445e2d7380, client_id=0x7f445e2bd5e8, server_info=0x7f445e2d73a8) at rpc_server/dcesrv_gssapi.c:127
#15 0x00007f445bd57f5d in pipe_gssapi_verify_final (mem_ctx=0x7f445e2d7380, gse_ctx=0x7f445e2d8020, client_id=0x7f445e2bd5e8, session_info=0x7f445e2d73a8) at rpc_server/srv_pipe.c:734
#16 0x00007f445bd5994a in pipe_auth_verify_final (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:814
#17 0x00007f445bd5bb3b in api_pipe_alter_context (pkt=0x7f445e2d3200, p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1403
#18 process_complete_pdu (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1955
#19 0x00007f445bd5c22b in process_incoming_data (p=0x7f445e2d7380, data=0x7f445e2e4cb4 "\270\020\270\020", n=<optimized out>) at rpc_server/srv_pipe_hnd.c:218
#20 0x00007f445bd5c90e in write_to_internal_pipe (n=216, data=0x7f445e2e4cb4 "\270\020\270\020", p=0x7f445e2d7380) at rpc_server/srv_pipe_hnd.c:244
#21 np_write_send (mem_ctx=<optimized out>, ev=0x7f445e2bd520, handle=<optimized out>, data=<optimized out>, len=216) at rpc_server/srv_pipe_hnd.c:538
#22 0x00007f445bb71177 in reply_pipe_write_and_X (req=0x7f445e2e4dd0) at smbd/pipes.c:322
#23 0x00007f445bb7ab18 in reply_write_and_X (req=0x7f445e2e4dd0) at smbd/reply.c:4529
#24 0x00007f445bbbd9c4 in switch_message (type=47 '/', req=0x7f445e2e4dd0, size=284) at smbd/process.c:1574
#25 0x00007f445bbbdddb in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=<optimized out>, unread_bytes=0, size=284, inbuf=0x0, sconn=0x7f445e2bd5e0) at smbd/process.c:1610
#26 process_smb (sconn=0x7f445e2bd5e0, inbuf=<optimized out>, nread=284, unread_bytes=0, seqnum=<optimized out>, encrypted=false, deferred_pcd=0x0) at smbd/process.c:1688
#27 0x00007f445bbbe1f3 in smbd_server_connection_read_handler (conn=0x7f445e2bd5e0, fd=24) at smbd/process.c:2317
#28 0x00007f445be6f27e in run_events_poll (num_pfds=2, pfds=0x7f445e2ce2e0, pollrtn=<optimized out>, ev=0x7f445e2bd520) at lib/events.c:286
#29 run_events_poll (ev=0x7f445e2bd520, pollrtn=<optimized out>, pfds=0x7f445e2ce2e0, num_pfds=2) at lib/events.c:184
#30 0x00007f445bbbf962 in smbd_server_connection_loop_once (conn=0x7f445e2bd5e0) at smbd/process.c:1017
#31 smbd_process (sconn=0x7f445e2bd5e0) at smbd/process.c:3158
#32 0x00007f445c0cd21f in smbd_accept_connection (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at smbd/server.c:511
#33 0x00007f445be6f27e in run_events_poll (num_pfds=5, pfds=0x7f445e2d67c0, pollrtn=<optimized out>, ev=0x7f445e2bd520) at lib/events.c:286
#34 run_events_poll (ev=0x7f445e2bd520, pollrtn=<optimized out>, pfds=0x7f445e2d67c0, num_pfds=5) at lib/events.c:184
#35 0x00007f445be6f41a in s3_event_loop_once (ev=0x7f445e2bd520, location=<optimized out>) at lib/events.c:349
#36 0x00007f445be6ffa0 in _tevent_loop_once (ev=0x7f445e2bd520, location=0x7f445c2d1f37 "smbd/server.c:844") at ../lib/tevent/tevent.c:494
#37 0x00007f445bb3e060 in smbd_parent_loop (parent=<optimized out>) at smbd/server.c:844
#38 main (argc=<optimized out>, argv=<optimized out>) at smbd/server.c:1326
--
https://bugs.launchpad.net/bugs/1094438
Title:
Samba crashes invalid pointer: 0x00007f0bc3de7590
Status in samba package in Ubuntu:
Confirmed
Bug description:
Ubuntu 12.04.1 LTS
Samba 2:3.6.3-2ubuntu2.3
krb5-config 2.2
Samba on Ubuntu joined to Windows 2003 domain
Share on /media/100RAGE = /dev/md0 (software raid5)
getent passwd, getent group working fine.
All working fine, except I see errors in samba logs.
We have two of the same server with the same configuration (differing
only in hostname).
Samba crashes every time after opening a shared folder from a Windows
workstation on both servers.
BACKTRACE: 30 stack frames:
#0 smbd(log_stack_trace+0x1a) [0x7f4533d61aea]
#1 smbd(smb_panic+0x25) [0x7f4533d61bc5]
#2 smbd(+0x409e88) [0x7f4533d52e88]
#3 /lib/x86_64-linux-gnu/libc.so.6(+0x364a0) [0x7f45309024a0]
#4 /lib/x86_64-linux-gnu/libc.so.6(gsignal+0x35) [0x7f4530902425]
#5 /lib/x86_64-linux-gnu/libc.so.6(abort+0x17b) [0x7f4530905b8b]
#6 /lib/x86_64-linux-gnu/libc.so.6(+0x7439e) [0x7f453094039e]
#7 /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96) [0x7f453094ab96]
#8 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2(gss_release_buffer+0x28) [0x7f453309fb78]
#9 smbd(gse_get_pac_blob+0x202) [0x7f4533dcf182]
#10 smbd(gssapi_server_get_user_info+0x6b) [0x7f4533c661ab]
#11 smbd(+0x31167d) [0x7f4533c5a67d]
#12 smbd(+0x31306a) [0x7f4533c5c06a]
#13 smbd(process_complete_pdu+0x102b) [0x7f4533c5e25b]
#14 smbd(process_incoming_data+0x12b) [0x7f4533c5e94b]
#15 smbd(np_write_send+0x14e) [0x7f4533c5f02e]
#16 smbd(reply_pipe_write_and_X+0x167) [0x7f4533a73967]
#17 smbd(reply_write_and_X+0x368) [0x7f4533a7d308]
#18 smbd(+0x176fa4) [0x7f4533abffa4]
#19 smbd(+0x1773bb) [0x7f4533ac03bb]
#20 smbd(+0x1777d3) [0x7f4533ac07d3]
#21 smbd(run_events_poll+0x34e) [0x7f4533d718ae]
#22 smbd(smbd_process+0x812) [0x7f4533ac1f42]
#23 smbd(+0x68666f) [0x7f4533fcf66f]
#24 smbd(run_events_poll+0x34e) [0x7f4533d718ae]
#25 smbd(+0x428a4a) [0x7f4533d71a4a]
#26 smbd(_tevent_loop_once+0x90) [0x7f4533d725d0]
#27 smbd(main+0xed0) [0x7f4533a40030]
#28 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed) [0x7f45308ed76d]
#29 smbd(+0xf7515) [0x7f4533a40515]