mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
8f4c1c67b4
If configured as AD DC and aio_pthread appended into 'vfs objects'[1], run these commands would get segfault: 1. sudo samba-tool ntacl get . 2. sudo net vfs getntacl sysvol . gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2], and the fsp->conn->sconn->client is null (0x0). 'sconn->client' memory is allocated when a new connection is accpeted: smbd_accept_connection > smbd_process > smbXsrv_client_create While running local commands looks like it would not go through smbXsrv_client_create so the 'client' is null, segfault might happen. We should not dereference 'client->server_multi_channel_enabled', if 'client' is null. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441 [1] smb.conf example, samba-4.18.5, ubuntu 22.04.2 [global] dns forwarder = 127.0.0.53 netbios name = U22-JONES-88X1 realm = U22-JONES-88X1.X88X1.JONES server role = active directory domain controller workgroup = X88X1 idmap_ldb:use rfc2307 = yes vfs objects = dfs_samba4 acl_xattr aio_pthread [sysvol] path = /var/lib/samba/sysvol read only = No [netlogon] path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts read only = No [2] gdb (gdb) run /usr/local/samba/bin/samba-tool ntacl get . Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get . [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/modules/vfs_aio_pthread.c:467 warning: Source file is more recent than executable. 467 if (fsp->conn->sconn->client->server_multi_channel_enabled) { (gdb) bt at ../../source3/modules/vfs_aio_pthread.c:467 at ../../source3/smbd/pysmbd.c:320 ---Type <return> to continue, or q <return> to quit--- (gdb) f at ../../source3/modules/vfs_aio_pthread.c:467 467 if (fsp->conn->sconn->client->server_multi_channel_enabled) { (gdb) p fsp->conn->sconn->client $1 = (struct smbXsrv_client *) 0x0 (gdb) Signed-off-by: Jones Syue <jonessyue@qnap.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> |
||
|---|---|---|
| .. | ||
| auth | ||
| build | ||
| client | ||
| exports | ||
| groupdb | ||
| include | ||
| intl | ||
| lib | ||
| libads | ||
| libgpo/gpext | ||
| libnet | ||
| librpc | ||
| libsmb | ||
| locale | ||
| locking | ||
| modules | ||
| nmbd | ||
| param | ||
| passdb | ||
| printing | ||
| profile | ||
| registry | ||
| rpc_client | ||
| rpc_server | ||
| rpcclient | ||
| script | ||
| selftest | ||
| services | ||
| smbd | ||
| torture | ||
| utils | ||
| web | ||
| winbindd | ||
| .clang_complete | ||
| .dmallocrc | ||
| .indent.pro | ||
| Doxyfile | ||
| mainpage.dox | ||
| smbadduser.in | ||
| wscript | ||
| wscript_build | ||
| wscript_configure_system_ncurses | ||