View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0018344 | CentOS-7 | samba | public | 2021-11-03 10:51 | 2021-11-03 14:45 |
Reporter | jlusticky | Assigned To | |||
Priority | normal | Severity | crash | Reproducibility | have not tried |
Status | new | Resolution | open | ||
Product Version | 7.9.2009 | ||||
Summary | 0018344: Winbindd crashes after NULL pointer dereference - missing return value check in winbindd_util.c:fill_domain_username_talloc() | ||||
Description | Winbindd crashes in strlower_m() called from winbindd_util.c:fill_domain_username_talloc(); see the following backtrace: | ||||

```
Program terminated with signal 6, Aborted.
#0  0x00007fab86b09387 in raise () from /lib64/libc.so.6
#0  0x00007fab86b09387 in raise () from /lib64/libc.so.6
#1  0x00007fab86b0aa78 in abort () from /lib64/libc.so.6
#2  0x00007fab91ebc679 in dump_core () at ../../source3/lib/dumpcore.c:338
#3  0x00007fab91ea1ec8 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:847
#4  0x00007fab954cc11d in smb_panic (why=why@entry=0x7fab954dcf39 "internal error") at ../../lib/util/fault.c:174
#5  0x00007fab954cc37e in fault_report (sig=<optimized out>) at ../../lib/util/fault.c:88
#6  sig_fault (sig=11) at ../../lib/util/fault.c:99
#7  <signal handler called>
#8  strlower_m (s=s@entry=0x0) at ../../source3/lib/util_str.c:452
#9  0x000055e7fb359709 in fill_domain_username_talloc (mem_ctx=mem_ctx@entry=0x55e7fcb8a810, domain=0x55e7fcb93d80 "HG", user=<optimized out>, can_assume=can_assume@entry=true) at ../../source3/winbindd/winbindd_util.c:1672
#10 0x000055e7fb391371 in wb_query_user_list_done (subreq=<optimized out>) at ../../source3/winbindd/wb_query_user_list.c:110
#11 0x00007fab92eb3dd1 in dcerpc_binding_handle_call_done (subreq=0x55e7fcb957e0) at ../../librpc/rpc/binding_handle.c:520
#12 0x000055e7fb381fdd in wbint_bh_raw_call_domain_done (subreq=0x55e7fcb966d0) at ../../source3/winbindd/winbindd_dual_ndr.c:204
#13 0x000055e7fb37fa8c in wb_domain_request_done (subreq=0x55e7fcb96a30) at ../../source3/winbindd/winbindd_dual.c:708
#14 0x000055e7fb37dc5d in wb_child_request_done (subreq=0x55e7fcb970a0) at ../../source3/winbindd/winbindd_dual.c:273
#15 0x000055e7fb34e6a7 in wb_simple_trans_read_done (subreq=0x55e7fcb973e0) at ../../nsswitch/wb_reqtrans.c:432
#16 0x000055e7fb34deff in wb_resp_read_done (subreq=0x55e7fcb97710) at ../../nsswitch/wb_reqtrans.c:275
#17 0x00007fab87fcfb13 in tevent_common_invoke_fd_handler () from /lib64/libtevent.so.0
#18 0x00007fab87fd6087 in epoll_event_loop_once () from /lib64/libtevent.so.0
#19 0x00007fab87fd4057 in std_event_loop_once () from /lib64/libtevent.so.0
#20 0x00007fab87fcf25d in _tevent_loop_once () from /lib64/libtevent.so.0
#21 0x000055e7fb3464b8 in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/winbindd/winbindd.c:1912
```

```
(gdb) frame 9
#9  0x000055e7fb359709 in fill_domain_username_talloc (mem_ctx=mem_ctx@entry=0x55e7fcb8a810, domain=0x55e7fcb93d80 "HG", user=<optimized out>, can_assume=can_assume@entry=true) at ../../source3/winbindd/winbindd_util.c:1672
1672            if (!strlower_m(tmp_user)) {
(gdb) l
1667            if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1668                    can_assume = false;
1669            }
1670
1671            tmp_user = talloc_strdup(mem_ctx, user);
1672            if (!strlower_m(tmp_user)) {
1673                    TALLOC_FREE(tmp_user);
1674                    return NULL;
1675            }
1676
(gdb) info locals
tmp_user = 0x0
name = <optimized out>
```

gdb shows that the strlower_m() function gets a NULL pointer from the tmp_user value, which is returned from talloc_strdup() at line 1671 but is not checked against NULL before being passed to strlower_m().
Additional Information | Affected CentOS 7 version: samba-winbind-4.10.16-15.el7_9.x86_64. NOTE: The check against a NULL value is also absent in the current git sources of winbind_util.c. Please report upstream. | ||||
Tags | samba, winbind | ||||
abrt_hash | |||||
URL | |||||
Please report via bugzilla.redhat.com, as only RH can fix problems, and once fixed they trickle down to CentOS 7.

Reported in RedHat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2019888