The branch, master has been updated
via 7e53506 torture: Fix a torture crash with -O3
via 1dd2351 torture: Fix a buffer overrun
from ca3998d vfs: propagate snapshot enumeration errors
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7e5350602e3b6f443855d5ac21a08dc8f6585aeb
Author: Volker Lendecke <v...@samba.org>
Date: Fri Feb 28 16:30:52 2014 +0000
torture: Fix a torture crash with -O3
When compiled with -O3, smbtorture can crash after the following valgrind
trace:
==16944== Conditional jump or move depends on uninitialised value(s)
==16944== at 0x57FFAC3: ndr_push_unique_ptr (ndr_basic.c:730)
==16944== by 0x58CB855: ndr_push_spoolss_SetPrinterInfo
(ndr_spoolss.c:7939)
==16944== by 0x58E2F95: ndr_push_spoolss_SetPrinter (ndr_spoolss.c:24724)
==16944== by 0x417C78C: dcerpc_binding_handle_call_send
(binding_handle.c:410)
==16944== by 0x417C986: dcerpc_binding_handle_call (binding_handle.c:547)
==16944== by 0x522059C: dcerpc_spoolss_SetPrinter_r
(ndr_spoolss_c.c:1722)
==16944== by 0x2853BD: test_sd_set_level (spoolss.c:1248)
==16944== by 0x28F146: test_PrinterInfo_SD (spoolss.c:1962)
==16944== by 0x2A3C31: test_EnumPrinters_old (spoolss.c:6589)
==16944== by 0x41F6D66: internal_torture_run_test.part.0 (torture.c:442)
==16944== by 0x41F711F: torture_run_tcase_restricted (torture.c:758)
==16944== by 0x2018E8: run_matching.isra.1 (smbtorture.c:103)
==16944== by 0x20176B: run_matching.isra.1 (smbtorture.c:95)
==16944== by 0x20176B: run_matching.isra.1 (smbtorture.c:95)
==16944== by 0x201C12: torture_run_named_tests (smbtorture.c:143)
==16944== by 0x202F5B: main (smbtorture.c:661)
My assumption is that with optimization gcc makes use of the fact that the
structures that this patch moves go out of scope.
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: David Disseldorp <dd...@samba.org>
Autobuild-User(master): David Disseldorp <dd...@samba.org>
Autobuild-Date(master): Fri Feb 28 21:27:11 CET 2014 on sn-devel-104
commit 1dd2351840c41232d8aea912be6304b256ea0329
Author: Volker Lendecke <v...@samba.org>
Date: Fri Feb 28 15:50:21 2014 +0000
torture: Fix a buffer overrun
In test_EnumPrinterDrivers we go up to driver level 8. In C, this means
we are accessing the 9th entry in the following lines:
ctx->driver_count[level] = count;
ctx->drivers[level] = info;
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: David Disseldorp <dd...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source4/torture/rpc/spoolss.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 135eb3c..3d99470 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -77,8 +77,8 @@ struct test_spoolss_context {
union spoolss_PortInfo *ports[3];
/* for EnumPrinterDrivers */
- uint32_t driver_count[8];
- union spoolss_DriverInfo *drivers[8];
+ uint32_t driver_count[9];
+ union spoolss_DriverInfo *drivers[9];
/* for EnumMonitors */
uint32_t monitor_count[3];
@@ -1874,13 +1874,14 @@ static bool test_sd_set_level(struct torture_context
*tctx,
struct spoolss_DevmodeContainer devmode_ctr;
struct sec_desc_buf secdesc_ctr;
union spoolss_SetPrinterInfo sinfo;
+ union spoolss_PrinterInfo info;
+ struct spoolss_SetPrinterInfo3 info3;
ZERO_STRUCT(devmode_ctr);
ZERO_STRUCT(secdesc_ctr);
switch (level) {
case 2: {
- union spoolss_PrinterInfo info;
torture_assert(tctx, test_GetPrinter_level(tctx, b, handle, 2,
&info), "");
torture_assert(tctx, PrinterInfo_to_SetPrinterInfo(tctx, &info,
2, &sinfo), "");
@@ -1890,7 +1891,6 @@ static bool test_sd_set_level(struct torture_context
*tctx,
break;
}
case 3: {
- struct spoolss_SetPrinterInfo3 info3;
info3.sec_desc_ptr = NULL;
--
Samba Shared Repository
