[SCM] Samba Shared Repository - branch master updated

Tue, 13 Jan 2026 06:51:21 -0800 

The branch, master has been updated
       via  a3684a2284c s3:winbindd fix race condition in terminate_child
      from  e7e0b69f04b auth/ntlmssp: Zero memory in ntlmssp_client.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a3684a2284cdf421090d6064b720b81b05b6eae6
Author: Gary Lockyer <[email protected]>
Date:   Wed Jan 7 10:23:33 2026 +1300

    s3:winbindd fix race condition in terminate_child
    
    Fixes:
    
    winbindd[306061]:   Bad talloc magic value - unknown value
    winbindd[306061]:   
=========================================================
    winbindd[306061]:   INTERNAL ERROR: Bad talloc magic value - unknown value 
in
                        winbindd () () pid
    
    A race condition in source3/windbindd/winbindd_util.c::terminate_child
    between the child socket closing, and the destructor de-registering the
    child socket from epoll.
    
    If the socket closes before it is de-registered from epoll, the event
    is added to the epoll rdllink and will be retrieved when epoll_wait
    is next called.  However monitor_fde has been deallocated and we get the
    observed failure.
    
    Moving the TALLOC_FREE before the kill ensures that the child socket has 
been
    de-registered from epoll before it closes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15937
    
    Signed-off-by: Gary Lockyer <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Tue Jan 13 14:50:20 UTC 2026 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 2e86336322c..bc2ad712fdb 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -978,13 +978,13 @@ static void terminate_child(struct tevent_req *subreq)
        TALLOC_FREE(subreq);
 
        if (c->pid != 0) {
+               TALLOC_FREE(c->monitor_fde);
                kill(c->pid, SIGTERM);
                c->pid = 0;
                if (c->sock != -1) {
                        close(c->sock);
                }
                c->sock = -1;
-               TALLOC_FREE(c->monitor_fde);
        }
 
        c = NULL;


-- 
Samba Shared Repository

Reply via email to