stack overflow in smbd:smbd_dc_check
An OmniOS user has reported a crash in
% mdb core.smbd.1628737077 Loading modules: [ libumem.so.1 libc.so.1 libuutil.so.1 libcmdutils.so.1 libmlsvc.so.1 libavl.so.1 libtopo.so.1 libnvpair.so.1 ld.so.1 ] > $C fe7d0ab8 libc.so.1`syscall+0x13(feee9204, 1c, fe7d0a9c, 0, fe7d0b08, 26) fe7d0ad8 0xfee6d77f(fe7d0b44, 1, 1388, bd01001a, 0, 400726) fe7d0b08 smbd_dc_update(fe7d0b44, 8071bcc, fe7d0b3c, 805abd4) fe7d0fc8 smbd_dc_monitor+0x144(0, 0, 0, 0) fe7d0fe8 libc.so.1`_thrp_setup+0x81(fec51a40) fe7d0ff8 libc.so.1`_lwp_start(fec51a40, 0, 0, 0, 0, 0) > ::status debugging core file of smbd (32-bit) from fs2 initial argv: /usr/lib/smbsrv/smbd start threading model: native threads status: process panicked upanic message: *** stack smashing detected
(gdb) where #0 0xfeedef53 in syscall () from /lib/libc.so.1 #1 0xfeedd59a in upanic () from /lib/libc.so.1 #2 0xfee6d77f in __stack_chk_fail () from /lib/libc.so.1 #3 0x0805aa66 in smbd_dc_check () #4 0x0805acc7 in smbd_dc_monitor () #5 0xfeed8031 in _thrp_setup () from /lib/libc.so.1 #6 0xfeed82e0 in ?? () from /lib/libc.so.1 #7 0x00000000 in ?? ()
This occurred around the same time as one of the DCs was rebooted for maintenance; IPv6 is in use.
The problem appears to be that the
smbd_dc_check() function is allocating storage for a
struct sockaddr and then using it as
struct sockaddr_in6 which is twice as big.
Updated by Andy Fiddaman 4 months ago
The end user who reported the crash in the first place was able, with some effort, to recreate the crash by adding blackhole routes to prevent communication with the DC.
Having replaced the
smbd binary with one that includes the change in the attached Gerrit review, it was no longer possible to trigger a crash.
Updated by Electric Monk 4 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit d209bf0d7c080e4110469ed3a2c94e2382091f6c Author: Andy Fiddaman <firstname.lastname@example.org> Date: 2021-08-13T09:20:13.000Z 14021 stack overflow in smbd:smbd_dc_check Reviewed by: Mike Zeller <email@example.com> Reviewed by: Toomas Soome <firstname.lastname@example.org> Approved by: Robert Mustacchi <email@example.com>