The branch, master has been updated
       via  7e53506 torture: Fix a torture crash with -O3
       via  1dd2351 torture: Fix a buffer overrun
      from  ca3998d vfs: propagate snapshot enumeration errors

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 7e5350602e3b6f443855d5ac21a08dc8f6585aeb
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Feb 28 16:30:52 2014 +0000

    torture: Fix a torture crash with -O3

    When compiled with -O3, smbtorture can crash after the following valgrind
    trace:

    ==16944== Conditional jump or move depends on uninitialised value(s)
    ==16944==    at 0x57FFAC3: ndr_push_unique_ptr (ndr_basic.c:730)
    ==16944==    by 0x58CB855: ndr_push_spoolss_SetPrinterInfo (ndr_spoolss.c:7939)
    ==16944==    by 0x58E2F95: ndr_push_spoolss_SetPrinter (ndr_spoolss.c:24724)
    ==16944==    by 0x417C78C: dcerpc_binding_handle_call_send (binding_handle.c:410)
    ==16944==    by 0x417C986: dcerpc_binding_handle_call (binding_handle.c:547)
    ==16944==    by 0x522059C: dcerpc_spoolss_SetPrinter_r (ndr_spoolss_c.c:1722)
    ==16944==    by 0x2853BD: test_sd_set_level (spoolss.c:1248)
    ==16944==    by 0x28F146: test_PrinterInfo_SD (spoolss.c:1962)
    ==16944==    by 0x2A3C31: test_EnumPrinters_old (spoolss.c:6589)
    ==16944==    by 0x41F6D66: internal_torture_run_test.part.0 (torture.c:442)
    ==16944==    by 0x41F711F: torture_run_tcase_restricted (torture.c:758)
    ==16944==    by 0x2018E8: run_matching.isra.1 (smbtorture.c:103)
    ==16944==    by 0x20176B: run_matching.isra.1 (smbtorture.c:95)
    ==16944==    by 0x20176B: run_matching.isra.1 (smbtorture.c:95)
    ==16944==    by 0x201C12: torture_run_named_tests (smbtorture.c:143)
    ==16944==    by 0x202F5B: main (smbtorture.c:661)

    My assumption is that with optimization gcc makes use of the fact that the
    structures that this patch moves go out of scope.
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Fri Feb 28 21:27:11 CET 2014 on sn-devel-104

commit 1dd2351840c41232d8aea912be6304b256ea0329
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Feb 28 15:50:21 2014 +0000

    torture: Fix a buffer overrun

    In test_EnumPrinterDrivers we go up to driver level 8. In C, this means we
    are accessing the 9th entry in the following lines:

    ctx->driver_count[level] = count;
    ctx->drivers[level] = info;

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/torture/rpc/spoolss.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c index 135eb3c..3d99470 100644 --- a/source4/torture/rpc/spoolss.c +++ b/source4/torture/rpc/spoolss.c @@ -77,8 +77,8 @@ struct test_spoolss_context { union spoolss_PortInfo *ports[3]; /* for EnumPrinterDrivers */ - uint32_t driver_count[8]; - union spoolss_DriverInfo *drivers[8]; + uint32_t driver_count[9]; + union spoolss_DriverInfo *drivers[9]; /* for EnumMonitors */ uint32_t monitor_count[3]; @@ -1874,13 +1874,14 @@ static bool test_sd_set_level(struct torture_context *tctx, struct spoolss_DevmodeContainer devmode_ctr; struct sec_desc_buf secdesc_ctr; union spoolss_SetPrinterInfo sinfo; + union spoolss_PrinterInfo info; + struct spoolss_SetPrinterInfo3 info3; ZERO_STRUCT(devmode_ctr); ZERO_STRUCT(secdesc_ctr); switch (level) { case 2: { - union spoolss_PrinterInfo info; torture_assert(tctx, test_GetPrinter_level(tctx, b, handle, 2, &info), ""); torture_assert(tctx, PrinterInfo_to_SetPrinterInfo(tctx, &info, 2, &sinfo), ""); 
@@ -1890,7 +1891,6 @@ static bool test_sd_set_level(struct torture_context *tctx, break; } case 3: { - struct spoolss_SetPrinterInfo3 info3; info3.sec_desc_ptr = NULL; -- Samba Shared Repository
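
Review bot: in the @@ -77,8 +77,8 @@ hunk, driver_count[9] and drivers[9] replace one bare literal with another, so the array size is still tied only by convention to the highest driver level the test indexes with (8, per the commit message). Derive the size from the maximum level in one place, for example a single constant used for both declarations and for the level bound in test_EnumPrinterDrivers, and add a torture_assert that level < ARRAY_SIZE(ctx->drivers) before the two stores quoted in the commit message, so that a future extra level fails the test instead of writing past the end of the struct member.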
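
Review bot: in the @@ -1874,13 +1874,14 @@ hunk, the new function-scope declarations of info and info3 carry no comment saying why they must not live inside the case blocks; the reason exists only in the commit message, and there as an assumption. A one-line comment above the two declarations, noting that sinfo is built from them in the case blocks (as in PrinterInfo_to_SetPrinterInfo(tctx, &info, 2, &sinfo)) and so they have to outlive the switch, would keep a later cleanup from narrowing their scope again. They are also left out of the ZERO_STRUCT calls that follow; adding ZERO_STRUCT(info) and ZERO_STRUCT(info3) there would make the behaviour deterministic if scope turns out not to be the whole cause of the uninitialised read valgrind reported.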