The branch, v4-20-test has been updated
via ec098fbe840 s4:rpc_server: make use of
dcesrv_assoc_group_common_destructor()
via 59207809655 s3:rpc_server: make use of
dcesrv_assoc_group_common_destructor()
via 34618ab0a50 dcesrv_core: add dcesrv_assoc_group_common_destructor()
from c9581976a4e smbd: fix breaking leases on rename
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test
- Log -----------------------------------------------------------------
commit ec098fbe840c82b30fef12c7de9e48cbcab1de7b
Author: Stefan Metzmacher <[email protected]>
Date: Wed Dec 11 17:24:19 2024 +0100
s4:rpc_server: make use of dcesrv_assoc_group_common_destructor()
Currently this should not be needed, but it's better to
call dcesrv_assoc_group_common_destructor() in all assoc_group
destructors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 19657be71d7cec5ac58a5d6969dc1d6ae7c5b517)
Autobuild-User(v4-20-test): Jule Anger <[email protected]>
Autobuild-Date(v4-20-test): Wed Dec 18 09:51:41 UTC 2024 on atb-devel-224
commit 5920780965574b51af665aa262e2d30198639e29
Author: Stefan Metzmacher <[email protected]>
Date: Wed Dec 11 17:24:19 2024 +0100
s3:rpc_server: make use of dcesrv_assoc_group_common_destructor()
We need to detach dcesrv_iface_state from dcesrv_assoc_group,
if dcesrv_assoc_group is freed first.
Typically this doesn't happen, but it does when
rpc_worker_connection_terminated explicitly calls
talloc_unlink(conn, conn->assoc_group)
and dcesrv_iface_state_store_conn() is used.
But we better do it in all assoc_group destructors.
==381007==ERROR: AddressSanitizer: heap-use-after-free on address
0x50d000004f80 at pc 0x7f15fc12e0ac bp 0x7ffe43267780 sp 0x7ffe43267778
READ of size 8 at 0x50d000004f80 thread T0
#0 0x7f15fc12e0ab in dcesrv_iface_state_destructor
../../librpc/rpc/dcesrv_handles.c:166
#1 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
#2 0x7f15fc0f7acd in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#3 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
#4 0x7f15fc0f7acd in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#5 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
#6 0x7f15fc0f7acd in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#7 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
#8 0x7f15fc0f924c in _talloc_free_internal
../../lib/talloc/talloc.c:1248
#9 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
#10 0x7f15fadac024 in ncacn_terminate_connection
../../source3/rpc_server/rpc_server.c:263
#11 0x7f15fadac024 in dcesrv_transport_terminate_connection
../../source3/rpc_server/rpc_server.c:251
#12 0x7f15fc11e5ef in dcesrv_terminate_connection
../../librpc/rpc/dcesrv_core.c:2968
#13 0x7f15fc125446 in dcesrv_read_fragment_done
../../librpc/rpc/dcesrv_core.c:3196
#14 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#15 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#16 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#17 0x7f15fb4f69a1 in _tevent_req_nterror
../../lib/util/tevent_ntstatus.c:46
#18 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done
../../librpc/rpc/dcerpc_util.c:612
#19 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#20 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#21 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#22 0x7f15fbff4228 in tstream_readv_pdu_readv_done
../../lib/tsocket/tsocket_helpers.c:313
#23 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#24 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#25 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#26 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
#27 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#28 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#29 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#30 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler
../../libcli/named_pipe_auth/npa_tstream.c:697
#31 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#32 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#33 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#34 0x7f15fbff4228 in tstream_readv_pdu_readv_done
../../lib/tsocket/tsocket_helpers.c:313
#35 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#36 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#37 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#38 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
#39 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#40 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#41 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#42 0x7f15fbff9691 in tstream_bsd_readv_handler
../../lib/tsocket/tsocket_bsd.c:2080
#43 0x7f15fbff6f85 in tstream_bsd_fde_handler
../../lib/tsocket/tsocket_bsd.c:1764
#44 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler
../../lib/tevent/tevent_fd.c:174
#45 0x7f15fb7ef185 in epoll_event_loop
../../lib/tevent/tevent_epoll.c:696
#46 0x7f15fb7ef185 in epoll_event_loop_once
../../lib/tevent/tevent_epoll.c:926
#47 0x7f15fb7e77b8 in std_event_loop_once
../../lib/tevent/tevent_standard.c:110
#48 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
#49 0x7f15fc936b7c in rpc_worker_main
../../source3/rpc_server/rpc_worker.c:1249
#50 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
#51 0x7f15f7c2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#52 0x7f15f7c2a378 in __libc_start_main_impl ../csu/libc-start.c:360
#53 0x5632ae162e64 in _start ../sysdeps/x86_64/start.S:115
0x50d000004f80 is located 112 bytes inside of 136-byte region
[0x50d000004f10,0x50d000004f98)
freed by thread T0 here:
#0 0x7f15fcefb418 in free
../../../../libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7f15fc0f857d in _tc_free_internal ../../lib/talloc/talloc.c:1222
#2 0x7f15fc0f8d0f in _talloc_free_internal
../../lib/talloc/talloc.c:1248
#3 0x7f15fc0f8d0f in talloc_unlink ../../lib/talloc/talloc.c:1473
#4 0x7f15fc934580 in rpc_worker_connection_terminated
../../source3/rpc_server/rpc_worker.c:143
#5 0x7f15fc9310bd in dcesrv_connection_destructor
../../source3/rpc_server/rpc_worker.c:175
#6 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
#7 0x7f15fc0f7acd in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#8 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
#9 0x7f15fc0f924c in _talloc_free_internal
../../lib/talloc/talloc.c:1248
#10 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
#11 0x7f15fadac024 in ncacn_terminate_connection
../../source3/rpc_server/rpc_server.c:263
#12 0x7f15fadac024 in dcesrv_transport_terminate_connection
../../source3/rpc_server/rpc_server.c:251
#13 0x7f15fc11e5ef in dcesrv_terminate_connection
../../librpc/rpc/dcesrv_core.c:2968
#14 0x7f15fc125446 in dcesrv_read_fragment_done
../../librpc/rpc/dcesrv_core.c:3196
#15 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#16 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#17 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#18 0x7f15fb4f69a1 in _tevent_req_nterror
../../lib/util/tevent_ntstatus.c:46
#19 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done
../../librpc/rpc/dcerpc_util.c:612
#20 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#21 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#22 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#23 0x7f15fbff4228 in tstream_readv_pdu_readv_done
../../lib/tsocket/tsocket_helpers.c:313
#24 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#25 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#26 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#27 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
#28 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#29 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#30 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#31 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler
../../libcli/named_pipe_auth/npa_tstream.c:697
#32 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#33 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
previously allocated by thread T0 here:
#0 0x7f15fcefc777 in malloc
../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f15fc0fbc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7f15fc0fd8cf in __talloc ../../lib/talloc/talloc.c:825
#3 0x7f15fc0fd8cf in _talloc_named_const ../../lib/talloc/talloc.c:982
#4 0x7f15fc0fd8cf in _talloc_zero ../../lib/talloc/talloc.c:2421
#5 0x7f15fc93156e in rpc_worker_assoc_group_new
../../source3/rpc_server/rpc_worker.c:681
#6 0x7f15fc93156e in rpc_worker_assoc_group_find
../../source3/rpc_server/rpc_worker.c:730
#7 0x7f15fc120a18 in dcesrv_bind ../../librpc/rpc/dcesrv_core.c:1158
#8 0x7f15fc120a18 in dcesrv_process_ncacn_packet
../../librpc/rpc/dcesrv_core.c:2324
#9 0x7f15fc120a18 in dcesrv_loop_next_packet
../../librpc/rpc/dcesrv_core.c:3222
#10 0x7f15fc933722 in rpc_worker_new_client
../../source3/rpc_server/rpc_worker.c:489
#11 0x7f15fc933722 in rpc_worker_new_client_filter
../../source3/rpc_server/rpc_worker.c:558
#12 0x7f15fbef95ca in messaging_dispatch_waiters
../../source3/lib/messages.c:1343
#13 0x7f15fbefb589 in messaging_dispatch_rec
../../source3/lib/messages.c:1371
#14 0x7f15fbefb589 in messaging_recv_cb ../../source3/lib/messages.c:431
#15 0x7f15faddba9e in msg_dgm_ref_recv
../../lib/messaging/messages_dgm_ref.c:144
#16 0x7f15fadd6cc3 in messaging_dgm_recv
../../lib/messaging/messages_dgm.c:1426
#17 0x7f15fadd7618 in messaging_dgm_read_handler
../../lib/messaging/messages_dgm.c:1316
#18 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler
../../lib/tevent/tevent_fd.c:174
#19 0x7f15fb7ef185 in epoll_event_loop
../../lib/tevent/tevent_epoll.c:696
#20 0x7f15fb7ef185 in epoll_event_loop_once
../../lib/tevent/tevent_epoll.c:926
#21 0x7f15fb7e77b8 in std_event_loop_once
../../lib/tevent/tevent_standard.c:110
#22 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
#23 0x7f15fc936b7c in rpc_worker_main
../../source3/rpc_server/rpc_worker.c:1249
#24 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
#25 0x7f15f7c2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 627a7857844804a29c6612df5da4605c94edb3f9)
commit 34618ab0a5071a6bdea5167608c18c033a08f8d4
Author: Stefan Metzmacher <[email protected]>
Date: Wed Dec 11 17:21:06 2024 +0100
dcesrv_core: add dcesrv_assoc_group_common_destructor()
We need to detach dcesrv_iface_state from dcesrv_assoc_group,
if dcesrv_assoc_group is freed first.
==381007==ERROR: AddressSanitizer: heap-use-after-free on address
0x50d000004f80 at pc 0x7f15fc12e0ac bp 0x7ffe43267780 sp 0x7ffe43267778
READ of size 8 at 0x50d000004f80 thread T0
#0 0x7f15fc12e0ab in dcesrv_iface_state_destructor
../../librpc/rpc/dcesrv_handles.c:166
#1 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
#2 0x7f15fc0f7acd in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#3 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
#4 0x7f15fc0f7acd in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#5 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
#6 0x7f15fc0f7acd in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#7 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
#8 0x7f15fc0f924c in _talloc_free_internal
../../lib/talloc/talloc.c:1248
#9 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
#10 0x7f15fadac024 in ncacn_terminate_connection
../../source3/rpc_server/rpc_server.c:263
#11 0x7f15fadac024 in dcesrv_transport_terminate_connection
../../source3/rpc_server/rpc_server.c:251
#12 0x7f15fc11e5ef in dcesrv_terminate_connection
../../librpc/rpc/dcesrv_core.c:2968
#13 0x7f15fc125446 in dcesrv_read_fragment_done
../../librpc/rpc/dcesrv_core.c:3196
#14 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#15 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#16 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#17 0x7f15fb4f69a1 in _tevent_req_nterror
../../lib/util/tevent_ntstatus.c:46
#18 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done
../../librpc/rpc/dcerpc_util.c:612
#19 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#20 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#21 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#22 0x7f15fbff4228 in tstream_readv_pdu_readv_done
../../lib/tsocket/tsocket_helpers.c:313
#23 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#24 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#25 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#26 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
#27 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#28 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#29 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#30 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler
../../libcli/named_pipe_auth/npa_tstream.c:697
#31 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#32 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#33 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#34 0x7f15fbff4228 in tstream_readv_pdu_readv_done
../../lib/tsocket/tsocket_helpers.c:313
#35 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#36 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#37 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#38 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
#39 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#40 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#41 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#42 0x7f15fbff9691 in tstream_bsd_readv_handler
../../lib/tsocket/tsocket_bsd.c:2080
#43 0x7f15fbff6f85 in tstream_bsd_fde_handler
../../lib/tsocket/tsocket_bsd.c:1764
#44 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler
../../lib/tevent/tevent_fd.c:174
#45 0x7f15fb7ef185 in epoll_event_loop
../../lib/tevent/tevent_epoll.c:696
#46 0x7f15fb7ef185 in epoll_event_loop_once
../../lib/tevent/tevent_epoll.c:926
#47 0x7f15fb7e77b8 in std_event_loop_once
../../lib/tevent/tevent_standard.c:110
#48 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
#49 0x7f15fc936b7c in rpc_worker_main
../../source3/rpc_server/rpc_worker.c:1249
#50 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
#51 0x7f15f7c2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#52 0x7f15f7c2a378 in __libc_start_main_impl ../csu/libc-start.c:360
#53 0x5632ae162e64 in _start ../sysdeps/x86_64/start.S:115
0x50d000004f80 is located 112 bytes inside of 136-byte region
[0x50d000004f10,0x50d000004f98)
freed by thread T0 here:
#0 0x7f15fcefb418 in free
../../../../libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7f15fc0f857d in _tc_free_internal ../../lib/talloc/talloc.c:1222
#2 0x7f15fc0f8d0f in _talloc_free_internal
../../lib/talloc/talloc.c:1248
#3 0x7f15fc0f8d0f in talloc_unlink ../../lib/talloc/talloc.c:1473
#4 0x7f15fc934580 in rpc_worker_connection_terminated
../../source3/rpc_server/rpc_worker.c:143
#5 0x7f15fc9310bd in dcesrv_connection_destructor
../../source3/rpc_server/rpc_worker.c:175
#6 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
#7 0x7f15fc0f7acd in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#8 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
#9 0x7f15fc0f924c in _talloc_free_internal
../../lib/talloc/talloc.c:1248
#10 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
#11 0x7f15fadac024 in ncacn_terminate_connection
../../source3/rpc_server/rpc_server.c:263
#12 0x7f15fadac024 in dcesrv_transport_terminate_connection
../../source3/rpc_server/rpc_server.c:251
#13 0x7f15fc11e5ef in dcesrv_terminate_connection
../../librpc/rpc/dcesrv_core.c:2968
#14 0x7f15fc125446 in dcesrv_read_fragment_done
../../librpc/rpc/dcesrv_core.c:3196
#15 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#16 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#17 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#18 0x7f15fb4f69a1 in _tevent_req_nterror
../../lib/util/tevent_ntstatus.c:46
#19 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done
../../librpc/rpc/dcerpc_util.c:612
#20 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#21 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#22 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#23 0x7f15fbff4228 in tstream_readv_pdu_readv_done
../../lib/tsocket/tsocket_helpers.c:313
#24 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#25 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#26 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#27 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
#28 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#29 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#30 0x7f15fb7dcdb7 in _tevent_req_error
../../lib/tevent/tevent_req.c:252
#31 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler
../../libcli/named_pipe_auth/npa_tstream.c:697
#32 0x7f15fb7dcae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#33 0x7f15fb7dcd1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
previously allocated by thread T0 here:
#0 0x7f15fcefc777 in malloc
../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f15fc0fbc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7f15fc0fd8cf in __talloc ../../lib/talloc/talloc.c:825
#3 0x7f15fc0fd8cf in _talloc_named_const ../../lib/talloc/talloc.c:982
#4 0x7f15fc0fd8cf in _talloc_zero ../../lib/talloc/talloc.c:2421
#5 0x7f15fc93156e in rpc_worker_assoc_group_new
../../source3/rpc_server/rpc_worker.c:681
#6 0x7f15fc93156e in rpc_worker_assoc_group_find
../../source3/rpc_server/rpc_worker.c:730
#7 0x7f15fc120a18 in dcesrv_bind ../../librpc/rpc/dcesrv_core.c:1158
#8 0x7f15fc120a18 in dcesrv_process_ncacn_packet
../../librpc/rpc/dcesrv_core.c:2324
#9 0x7f15fc120a18 in dcesrv_loop_next_packet
../../librpc/rpc/dcesrv_core.c:3222
#10 0x7f15fc933722 in rpc_worker_new_client
../../source3/rpc_server/rpc_worker.c:489
#11 0x7f15fc933722 in rpc_worker_new_client_filter
../../source3/rpc_server/rpc_worker.c:558
#12 0x7f15fbef95ca in messaging_dispatch_waiters
../../source3/lib/messages.c:1343
#13 0x7f15fbefb589 in messaging_dispatch_rec
../../source3/lib/messages.c:1371
#14 0x7f15fbefb589 in messaging_recv_cb ../../source3/lib/messages.c:431
#15 0x7f15faddba9e in msg_dgm_ref_recv
../../lib/messaging/messages_dgm_ref.c:144
#16 0x7f15fadd6cc3 in messaging_dgm_recv
../../lib/messaging/messages_dgm.c:1426
#17 0x7f15fadd7618 in messaging_dgm_read_handler
../../lib/messaging/messages_dgm.c:1316
#18 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler
../../lib/tevent/tevent_fd.c:174
#19 0x7f15fb7ef185 in epoll_event_loop
../../lib/tevent/tevent_epoll.c:696
#20 0x7f15fb7ef185 in epoll_event_loop_once
../../lib/tevent/tevent_epoll.c:926
#21 0x7f15fb7e77b8 in std_event_loop_once
../../lib/tevent/tevent_standard.c:110
#22 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
#23 0x7f15fc936b7c in rpc_worker_main
../../source3/rpc_server/rpc_worker.c:1249
#24 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
#25 0x7f15f7c2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 5b929860e269e2968a0ec3759a6125ae990b43c3)
-----------------------------------------------------------------------
Summary of changes:
librpc/rpc/dcesrv_core.h | 2 ++
librpc/rpc/dcesrv_handles.c | 17 ++++++++++++++++-
source3/rpc_server/rpc_server.c | 3 +++
source3/rpc_server/rpc_worker.c | 2 ++
source4/rpc_server/dcerpc_server.c | 3 +++
5 files changed, 26 insertions(+), 1 deletion(-)
Changeset truncated at 500 lines:
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
index 24750872b3f..90f5bd21d64 100644
--- a/librpc/rpc/dcesrv_core.h
+++ b/librpc/rpc/dcesrv_core.h
@@ -647,6 +647,8 @@ _PUBLIC_ NTSTATUS
dcesrv_interface_bind_reject_connect(struct dcesrv_connection_
_PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct
dcesrv_connection_context *context,
const struct
dcesrv_interface *iface);
+_PUBLIC_ void dcesrv_assoc_group_common_destructor(struct dcesrv_assoc_group
*assoc_group);
+
_PUBLIC_ NTSTATUS _dcesrv_iface_state_store_assoc(
struct dcesrv_call_state *call,
uint64_t magic,
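Review bot: The new prototype for dcesrv_assoc_group_common_destructor() has no comment saying who must call it, yet the fix only holds if every talloc destructor installed on a struct dcesrv_assoc_group does so. I would add above the declaration something like `/* Must be called from every dcesrv_assoc_group talloc destructor: detaches the remaining dcesrv_iface_state entries so their destructor does not dereference a freed assoc_group. */`. The three call sites added later in this changeset cover the destructors visible here. A destructor added elsewhere without the call would presumably bring back the heap-use-after-free shown in the commit message.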
diff --git a/librpc/rpc/dcesrv_handles.c b/librpc/rpc/dcesrv_handles.c
index b8719d8c804..eff63970e16 100644
--- a/librpc/rpc/dcesrv_handles.c
+++ b/librpc/rpc/dcesrv_handles.c
@@ -163,10 +163,25 @@ struct dcesrv_iface_state {
static int dcesrv_iface_state_destructor(struct dcesrv_iface_state *istate)
{
- DLIST_REMOVE(istate->assoc->iface_states, istate);
+ if (istate->assoc != NULL) {
+ DLIST_REMOVE(istate->assoc->iface_states, istate);
+ istate->assoc = NULL;
+ }
return 0;
}
+void dcesrv_assoc_group_common_destructor(struct dcesrv_assoc_group
*assoc_group)
+{
+ struct dcesrv_iface_state *cur = NULL;
+ struct dcesrv_iface_state *next = NULL;
+
+ for (cur = assoc_group->iface_states; cur != NULL; cur = next) {
+ next = cur->next;
+ cur->assoc = NULL;
+ DLIST_REMOVE(assoc_group->iface_states, cur);
+ }
+}
+
static void *dcesrv_iface_state_find(struct dcesrv_assoc_group *assoc,
const struct dcesrv_interface *iface,
const struct dom_sid *owner,
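Review bot: Once dcesrv_assoc_group_common_destructor() has run, `istate->assoc` stays NULL for the rest of the iface_state's lifetime, but the only guard added is the one in dcesrv_iface_state_destructor(). Any other reader of `istate->assoc` in dcesrv_handles.c (none is visible in this hunk) would need the same `if (istate->assoc != NULL)` check, so it is worth confirming there is none. A short comment above the new function would record the invariant, for example `/* iface_states stored on a connection can outlive the assoc_group; clear their back-pointers before the group is freed */`. The struct definition before the hunk and dcesrv_iface_state_find() after it extend outside the visible lines.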
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index a60f4294402..73fafa635cd 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -138,6 +138,9 @@ void dcesrv_log_successful_authz(
static int dcesrv_assoc_group_destructor(struct dcesrv_assoc_group
*assoc_group)
{
int ret;
+
+ dcesrv_assoc_group_common_destructor(assoc_group);
+
ret = idr_remove(assoc_group->dce_ctx->assoc_groups_idr,
assoc_group->id);
if (ret != 0) {
diff --git a/source3/rpc_server/rpc_worker.c b/source3/rpc_server/rpc_worker.c
index bf9671d3c15..3eba37f63ee 100644
--- a/source3/rpc_server/rpc_worker.c
+++ b/source3/rpc_server/rpc_worker.c
@@ -661,6 +661,8 @@ static int rpc_worker_assoc_group_destructor(
{
int ret;
+ dcesrv_assoc_group_common_destructor(assoc_group);
+
ret = idr_remove(
assoc_group->dce_ctx->assoc_groups_idr,
assoc_group->id & UINT16_MAX);
diff --git a/source4/rpc_server/dcerpc_server.c
b/source4/rpc_server/dcerpc_server.c
index e072cd20f95..e701503b458 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -75,6 +75,9 @@ static struct dcesrv_assoc_group
*dcesrv_assoc_group_reference(struct dcesrv_con
static int dcesrv_assoc_group_destructor(struct dcesrv_assoc_group
*assoc_group)
{
int ret;
+
+ dcesrv_assoc_group_common_destructor(assoc_group);
+
ret = idr_remove(assoc_group->dce_ctx->assoc_groups_idr,
assoc_group->id);
if (ret != 0) {
DEBUG(0,(__location__ ": Failed to remove assoc_group 0x%08x\n",
--
Samba Shared Repository