Bug #11835

closed

smbd rpc service crash in ndr_outer_string / ndr_s_wchar

Added by Gordon Ross over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Found an smbd core dump (sigsegv, not panic) after running the smbtorture rpc tests:

smbtorture  //myhost/IPC\$ -U test%test rpc.srvsvc.\*.NetNameValidate

Careful with the escapes for the dollar sign and asterisk above.

The stack from this core file:

root@nstor:/var/cores# mdb  core.smbd.100606.1569377704
Loading modules: [ libumem.so.1 libc.so.1 libuutil.so.1 libcmdutils.so.1 libmlsvc.so.1 libavl.so.1 libtopo.so.1 libnvpair.so.1 ld.so.1 ]
> $C
f8bfb7a8 libc.so.1`_lwp_kill+0x15(7a, 6, f8bfb7d8, fef47000, fef47000, f8bfb840)
f8bfb7c8 libc.so.1`raise+0x2b(6, 0, f8bfb7e0, fee896a0, 0, 0)
f8bfb818 libc.so.1`abort+0x10e(f8bfb840, f8bfb840, 61, fe0bb7bc, fe0bbcb7, 784)
f8bfba48 0xfee417f4(fe0bb7bc, fe0bbcb7, 784, fe0b7c48)
f8bfdaf8 libmlrpc.so.2`ndr_s_wchar+0x51(f8bfdb84, 4c, 4, fe0b64ff)
f8bfdb48 libmlrpc.so.2`ndr_inner+0x67(f8bfdb84, 3c, 853ad60, fe0b663c)
f8bfdbd8 libmlrpc.so.2`ndr_outer_string+0x4a8(853ad60, fe0bbdb2, 853ad60, 853ac58)
f8bfdc28 libmlrpc.so.2`ndr_outer+0xd7(853ad60, fefc2d7f, f8bfde1c, fe0b764e)
f8bfdc48 libmlrpc.so.2`ndr_run_outer_queue+0x29(837b80c, 0, 853ac18, fe0b769a)
f8bfdc98 libmlrpc.so.2`ndr_topmost+0x2b4(f8bfdcb4, 3c, fef4c38c, 0)
f8bfdd08 libmlsvc.so.1`ndr__mslm_NetNameValidate+0xc1(f8bfdd44, 0, 3c, fe0b795e)
f8bfdd28 libmlrpc.so.2`ndr_params+0x28(f8bfdd44, 3c, fe0e0928, 837b808)
f8bfdd98 libmlsvc.so.1`ndr__srvsvc_interface+0x2e4(f8bfddb4, 3c, 0, 0)
f8bfde08 libmlrpc.so.2`ndo_operation+0x86(837b80c, fe16fbe8, 21, 853ac54)
f8bfde28 libmlrpc.so.2`ndr_encode_decode_common+0x23(837b80c, 21, fe16fbe8, 853ac54)
f8bfde48 libmlrpc.so.2`ndr_decode_call+0x38(837b808, 853ac54, 837b808, fe0b8005)
f8bfde88 libmlrpc.so.2`ndr_generic_call_stub+0xd4(837b808, 0, f8bfdeb8, fe0b4c76, 837b80c, 837b83c)
f8bfdec8 libmlrpc.so.2`ndr_svc_request+0x6f(837b808, fe0cd000, fe0b8604, 837b808, 837b808, 0)
f8bfdee8 libmlrpc.so.2`ndr_svc_process+0x44(837b808, 0, 21, 853a008, 124, 83a09b8)
f8bfdf28 libmlrpc.so.2`ndr_pipe_process+0x9a(83a09b8, 837b808, 2, 0)
f8bfdf58 libmlrpc.so.2`ndr_pipe_worker+0x54(83a09b8, f8bfdf8c, 4, 1, 8, 0)
f8bfdfc8 pipesvc_worker+0x195(83a09b8, 0, 0, 0)
f8bfdfe8 libc.so.1`_thrp_setup+0x88(feccb240)
f8bfdff8 libc.so.1`_lwp_start(feccb240, 0, 0, 0, 0, 0)
