View Issue Details

IDProjectCategoryView StatusLast Update
0018344CentOS-7sambapublic2021-11-03 14:45
Reporterjlusticky Assigned To 
PrioritynormalSeveritycrashReproducibilityhave not tried
Status newResolutionopen 
Product Version7.9.2009 
Summary0018344: Winbindd crashes after NULL pointer dereference - missing return value check in winbindd_util.c:fill_domain_username_talloc()
DescriptionWinbindd crashes in strlower_m() called from winbindd_util.c:fill_domain_username_talloc() -see the following backtrace:

Program terminated with signal 6, Aborted.
#0 0x00007fab86b09387 in raise () from /lib64/

#0 0x00007fab86b09387 in raise () from /lib64/
#1 0x00007fab86b0aa78 in abort () from /lib64/
#2 0x00007fab91ebc679 in dump_core () at ../../source3/lib/dumpcore.c:338
#3 0x00007fab91ea1ec8 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:847
#4 0x00007fab954cc11d in smb_panic (why=why@entry=0x7fab954dcf39 "internal error") at ../../lib/util/fault.c:174
#5 0x00007fab954cc37e in fault_report (sig=<optimized out>) at ../../lib/util/fault.c:88
#6 sig_fault (sig=11) at ../../lib/util/fault.c:99
#7 <signal handler called>
#8 strlower_m (s=s@entry=0x0) at ../../source3/lib/util_str.c:452
#9 0x000055e7fb359709 in fill_domain_username_talloc (mem_ctx=mem_ctx@entry=0x55e7fcb8a810, domain=0x55e7fcb93d80 "HG", user=<optimized out>, can_assume=can_assume@entry=true) at ../../source3/winbindd/winbindd_util.c:1672
#10 0x000055e7fb391371 in wb_query_user_list_done (subreq=<optimized out>) at ../../source3/winbindd/wb_query_user_list.c:110
#11 0x00007fab92eb3dd1 in dcerpc_binding_handle_call_done (subreq=0x55e7fcb957e0) at ../../librpc/rpc/binding_handle.c:520
#12 0x000055e7fb381fdd in wbint_bh_raw_call_domain_done (subreq=0x55e7fcb966d0) at ../../source3/winbindd/winbindd_dual_ndr.c:204
#13 0x000055e7fb37fa8c in wb_domain_request_done (subreq=0x55e7fcb96a30) at ../../source3/winbindd/winbindd_dual.c:708
#14 0x000055e7fb37dc5d in wb_child_request_done (subreq=0x55e7fcb970a0) at ../../source3/winbindd/winbindd_dual.c:273
#15 0x000055e7fb34e6a7 in wb_simple_trans_read_done (subreq=0x55e7fcb973e0) at ../../nsswitch/wb_reqtrans.c:432
#16 0x000055e7fb34deff in wb_resp_read_done (subreq=0x55e7fcb97710) at ../../nsswitch/wb_reqtrans.c:275
#17 0x00007fab87fcfb13 in tevent_common_invoke_fd_handler () from /lib64/
#18 0x00007fab87fd6087 in epoll_event_loop_once () from /lib64/
#19 0x00007fab87fd4057 in std_event_loop_once () from /lib64/
#20 0x00007fab87fcf25d in _tevent_loop_once () from /lib64/
#21 0x000055e7fb3464b8 in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/winbindd/winbindd.c:1912


(gdb) frame 9
#9 0x000055e7fb359709 in fill_domain_username_talloc (mem_ctx=mem_ctx@entry=0x55e7fcb8a810, domain=0x55e7fcb93d80 "HG", user=<optimized out>, can_assume=can_assume@entry=true) at ../../source3/winbindd/winbindd_util.c:1672
1672 if (!strlower_m(tmp_user)) {
(gdb) l
1667 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1668 can_assume = false;
1669 }
1671 tmp_user = talloc_strdup(mem_ctx, user);
1672 if (!strlower_m(tmp_user)) {
1673 TALLOC_FREE(tmp_user);
1674 return NULL;
1675 }
(gdb) info locals
tmp_user = 0x0
name = <optimized out>


gdb shows that strlower_m() functions gets NULL pointer from tmp_user value, which is returned from talloc_strdup() at LINE 1671
but it is not checked against NULL before passing to strlower_m().
Additional InformationAffected CentOS 7 version:

The check against NULL value is also absent in the current git sources of winbind_util.c.
Please report upstream.
Tagssamba, winbind




2021-11-03 11:07

manager   ~0038703

Please report via as only RH can fix problems and once fixed they trickle down to CentOS 7.


2021-11-03 14:45

reporter   ~0038704

Reported in RedHat bugzilla:

Issue History

Date Modified Username Field Change
2021-11-03 10:51 jlusticky New Issue
2021-11-03 10:51 jlusticky Tag Attached: samba
2021-11-03 10:51 jlusticky Tag Attached: winbind
2021-11-03 11:07 TrevorH Note Added: 0038703
2021-11-03 14:45 jlusticky Note Added: 0038704