Description
When investigating 6776724 using libumem and watchmalloc I hit the following issue:
# LD_PRELOAD=watchmalloc.so.1 MALLOC_DEBUG=WATCH,RW /usr/lib/smbsrv/smbd -f
zsh: trace trap (core dumped) LD_PRELOAD=watchmalloc.so.1 MALLOC_DEBUG=WATCH,RW /usr/lib/smbsrv/smbd -f
pb-53# mdb ./core
Loading modules: [ libumem.so.1 libuutil.so.1 libavl.so.1 libnvpair.so.1 ld.so.1 ]
> $C
fdeee4ec libsmbrdr.so.1`smbrdr_logon_user+0x13b(fdeeec74, fe879620, fe879648, fe86388a)
fdeee50c libsmbrdr.so.1`smbrdr_authenticate+0x32(fdeeec74, fdeeea74, fe879620, fe879648)
fdeee53c libsmbrdr.so.1`smbrdr_auth_logon+0x77(fdeeec74, fdeeea74, fe879620, fe86363c)
fdeee55c libsmbrdr.so.1`mlsvc_logon+0x3d(fdeeec74, fdeeea74, fe879620, fe8657b6)
fdeee5ac libsmbrdr.so.1`smbrdr_open_pipe+0x26(fdeeec74, fdeeea74, fe879620, fe08002c)
fdeee5fc libmlsvc.so.1`ndr_rpc_bind+0x9d(fdeee6a4, fdeeec74, fdeeea74, fe879620, fe06bd04, 0)
fdeee66c libmlsvc.so.1`lsar_open_policy2+0x2f(fdeeec74, fdeeea74, fe879620, fdeee6a4)
fdeee68c libmlsvc.so.1`lsar_open+0x37(fdeeec74, fdeeea74, fe879620, fdeee6a4)
fdeee6dc libmlsvc.so.1`lsa_query_dns_domain_info+0x29(fdeeec74, fdeeea74, fdeee6f4, fe0352a0)
fdeee92c libmlsvc.so.1`smb_domain_query+0x2c(fdeeea74, fdeeec74, fdeeec74, 100)
fdeeea4c libmlsvc.so.1`smb_dc_discovery+0x144(fdeeea74, fdeeeb74, fdeeec74, fe034f3c)
fdeeefcc libmlsvc.so.1`smb_dclocator_main+0xd1(0, fef37000, fdeeefec, feea04fe)
fdeeefec libc_hwcap2.so.1`_thrp_setup+0x7e(fe9e5200)
fdeeeff8 libc_hwcap2.so.1`_lwp_start(fe9e5200, 0, 0, feea04fe, 0, 0)
>
Taking a quick look at the source code it looks like the problem is here:
usr/src/lib/smbsrv/libsmbrdr/common/smbrdr_logon.c
276 session->logon = *logon;
277 free(logon);
...
283 smbrdr_session_unlock(session);
284 return ((logon->type == SDB_LOGON_GUEST)
285 ? AUTH_GUEST_GRANT : AUTH_USER_GRANT);
286 }
i.e. logon is used/dereferenced on line 284 after it has been freed on line 277.
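As an added illustration (not code from the bug report or from libsmbrdr), the following shows the corrected shape of the routine's tail: because `*logon` has already been copied into the session, the grant type is read from the session's copy rather than from the pointer that `free()` just released. The struct and enum definitions are constructed stand-ins, and the actual upstream fix may differ.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the libsmbrdr types; the real definitions differ. */
typedef enum { SDB_LOGON_USER = 0, SDB_LOGON_GUEST = 1 } logon_type_t;
typedef enum { AUTH_USER_GRANT = 1, AUTH_GUEST_GRANT = 2 } auth_grant_t;

typedef struct smb_logon {
	logon_type_t type;
	char user[32];
} smb_logon_t;

typedef struct smbrdr_session {
	smb_logon_t logon;	/* copy of the logon record, owned by the session */
} smbrdr_session_t;

/*
 * Hypothetical reconstruction of the fixed tail of smbrdr_logon_user():
 * the record is copied into the session and then released, so the return
 * value must come from session->logon, never from the dangling pointer.
 */
auth_grant_t
smbrdr_logon_user_fixed(smbrdr_session_t *session, smb_logon_t *logon)
{
	session->logon = *logon;	/* copy before releasing the original */
	free(logon);			/* logon now dangles: never read it again */
	/* session unlock elided in this example */
	return ((session->logon.type == SDB_LOGON_GUEST)
	    ? AUTH_GUEST_GRANT : AUTH_USER_GRANT);
}

/* Allocate a logon record the way a caller hands one to the routine. */
smb_logon_t *
make_logon(logon_type_t type, const char *user)
{
	smb_logon_t *l = calloc(1, sizeof (*l));
	if (l == NULL)
		return (NULL);
	l->type = type;
	strncpy(l->user, user, sizeof (l->user) - 1);
	return (l);
}

/* Drive both grant paths; returns 1 if the fixed routine behaves as expected. */
int
run_demo(void)
{
	smbrdr_session_t s;
	memset(&s, 0, sizeof (s));
	if (smbrdr_logon_user_fixed(&s, make_logon(SDB_LOGON_GUEST, "guest")) != AUTH_GUEST_GRANT)
		return (0);
	if (smbrdr_logon_user_fixed(&s, make_logon(SDB_LOGON_USER, "alice")) != AUTH_USER_GRANT)
		return (0);
	return (strcmp(s.logon.user, "alice") == 0);
}
```

Under the same `LD_PRELOAD=watchmalloc.so.1 MALLOC_DEBUG=WATCH,RW` setup from the report, the original read of `logon->type` trips the watchpoint on freed memory, while this version touches only the session's copy.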