[Bug 1094438] Re: Samba crashes invalid pointer: 0x00007f0bc3de7590
danb1974
1094438 at bugs.launchpad.net
Tue Jan 6 13:11:30 UTC 2015
I seem to have hit the same bug: an invalid pointer free()d by
gssalloc_free(), called by gss_release_buffer().
Happens when a program installed on the DC connects to this Linux
requesting some registry keys (not knowing this is not a Windows
machine).
Here is a stack trace with full symbols:
Core was generated by `smbd -F'.
Program terminated with signal 6, Aborted.
#0 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f4458a0383b in __GI_abort () at abort.c:91
#2 0x00007f445be50eeb in dump_core () at lib/fault.c:391
#3 0x00007f445be5f5d1 in smb_panic (why=<optimized out>) at lib/util.c:1133
#4 0x00007f445be50838 in fault_report (sig=6) at lib/fault.c:53
#5 sig_fault (sig=6) at lib/fault.c:76
#6 <signal handler called>
#7 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#8 0x00007f4458a0383b in __GI_abort () at abort.c:91
#9 0x00007f4458a3e04e in __libc_message (do_abort=2, fmt=0x7f4458b485e0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#10 0x00007f4458a48846 in malloc_printerr (action=3, str=0x7f4458b44ee9 "free(): invalid pointer", ptr=<optimized out>) at malloc.c:5047
#11 0x00007f445b19db78 in gssalloc_free (value=<optimized out>) at ../../../include/gssapi/gssapi_alloc.h:22
#12 gss_release_buffer (minor_status=<optimized out>, buffer=0x7ffffef4b840) at ../../../../src/lib/gssapi/mechglue/g_rel_buffer.c:52
#13 0x00007f445beccca2 in gse_get_pac_blob (gse_ctx=<optimized out>, mem_ctx=0x7f445e2dce70, pac_blob=<optimized out>) at librpc/crypto/gse.c:731
#14 0x00007f445bd63a8b in gssapi_server_get_user_info (gse_ctx=0x7f445e2d8020, mem_ctx=0x7f445e2d7380, client_id=0x7f445e2bd5e8, server_info=0x7f445e2d73a8) at rpc_server/dcesrv_gssapi.c:127
#15 0x00007f445bd57f5d in pipe_gssapi_verify_final (mem_ctx=0x7f445e2d7380, gse_ctx=0x7f445e2d8020, client_id=0x7f445e2bd5e8, session_info=0x7f445e2d73a8) at rpc_server/srv_pipe.c:734
#16 0x00007f445bd5994a in pipe_auth_verify_final (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:814
#17 0x00007f445bd5bb3b in api_pipe_alter_context (pkt=0x7f445e2d3200, p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1403
#18 process_complete_pdu (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1955
#19 0x00007f445bd5c22b in process_incoming_data (p=0x7f445e2d7380, data=0x7f445e2e4cb4 "\270\020\270\020", n=<optimized out>) at rpc_server/srv_pipe_hnd.c:218
#20 0x00007f445bd5c90e in write_to_internal_pipe (n=216, data=0x7f445e2e4cb4 "\270\020\270\020", p=0x7f445e2d7380) at rpc_server/srv_pipe_hnd.c:244
#21 np_write_send (mem_ctx=<optimized out>, ev=0x7f445e2bd520, handle=<optimized out>, data=<optimized out>, len=216) at rpc_server/srv_pipe_hnd.c:538
#22 0x00007f445bb71177 in reply_pipe_write_and_X (req=0x7f445e2e4dd0) at smbd/pipes.c:322
#23 0x00007f445bb7ab18 in reply_write_and_X (req=0x7f445e2e4dd0) at smbd/reply.c:4529
#24 0x00007f445bbbd9c4 in switch_message (type=47 '/', req=0x7f445e2e4dd0, size=284) at smbd/process.c:1574
#25 0x00007f445bbbdddb in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=<optimized out>, unread_bytes=0, size=284, inbuf=0x0, sconn=0x7f445e2bd5e0) at smbd/process.c:1610
#26 process_smb (sconn=0x7f445e2bd5e0, inbuf=<optimized out>, nread=284, unread_bytes=0, seqnum=<optimized out>, encrypted=false, deferred_pcd=0x0) at smbd/process.c:1688
#27 0x00007f445bbbe1f3 in smbd_server_connection_read_handler (conn=0x7f445e2bd5e0, fd=24) at smbd/process.c:2317
#28 0x00007f445be6f27e in run_events_poll (num_pfds=2, pfds=0x7f445e2ce2e0, pollrtn=<optimized out>, ev=0x7f445e2bd520) at lib/events.c:286
#29 run_events_poll (ev=0x7f445e2bd520, pollrtn=<optimized out>, pfds=0x7f445e2ce2e0, num_pfds=2) at lib/events.c:184
#30 0x00007f445bbbf962 in smbd_server_connection_loop_once (conn=0x7f445e2bd5e0) at smbd/process.c:1017
#31 smbd_process (sconn=0x7f445e2bd5e0) at smbd/process.c:3158
#32 0x00007f445c0cd21f in smbd_accept_connection (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at smbd/server.c:511
#33 0x00007f445be6f27e in run_events_poll (num_pfds=5, pfds=0x7f445e2d67c0, pollrtn=<optimized out>, ev=0x7f445e2bd520) at lib/events.c:286
#34 run_events_poll (ev=0x7f445e2bd520, pollrtn=<optimized out>, pfds=0x7f445e2d67c0, num_pfds=5) at lib/events.c:184
#35 0x00007f445be6f41a in s3_event_loop_once (ev=0x7f445e2bd520, location=<optimized out>) at lib/events.c:349
#36 0x00007f445be6ffa0 in _tevent_loop_once (ev=0x7f445e2bd520, location=0x7f445c2d1f37 "smbd/server.c:844") at ../lib/tevent/tevent.c:494
#37 0x00007f445bb3e060 in smbd_parent_loop (parent=<optimized out>) at smbd/server.c:844
#38 main (argc=<optimized out>, argv=<optimized out>) at smbd/server.c:1326
https://bugs.launchpad.net/bugs/1094438