I seem to have hit the same bug: an invalid pointer free()d by gssalloc_free(), called by gss_release_buffer().
It happens when a program installed on the DC connects to this Linux machine requesting some registry keys (not knowing that this is not a Windows machine).

Here is a stack trace with full symbols:

Core was generated by `smbd -F'.
Program terminated with signal 6, Aborted.
#0 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f4458a0383b in __GI_abort () at abort.c:91
#2 0x00007f445be50eeb in dump_core () at lib/fault.c:391
#3 0x00007f445be5f5d1 in smb_panic (why=<optimized out>) at lib/util.c:1133
#4 0x00007f445be50838 in fault_report (sig=6) at lib/fault.c:53
#5 sig_fault (sig=6) at lib/fault.c:76
#6 <signal handler called>
#7 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#8 0x00007f4458a0383b in __GI_abort () at abort.c:91
#9 0x00007f4458a3e04e in __libc_message (do_abort=2, fmt=0x7f4458b485e0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#10 0x00007f4458a48846 in malloc_printerr (action=3, str=0x7f4458b44ee9 "free(): invalid pointer", ptr=<optimized out>) at malloc.c:5047
#11 0x00007f445b19db78 in gssalloc_free (value=<optimized out>) at ../../../include/gssapi/gssapi_alloc.h:22
#12 gss_release_buffer (minor_status=<optimized out>, buffer=0x7ffffef4b840) at ../../../../src/lib/gssapi/mechglue/g_rel_buffer.c:52
#13 0x00007f445beccca2 in gse_get_pac_blob (gse_ctx=<optimized out>, mem_ctx=0x7f445e2dce70, pac_blob=<optimized out>) at librpc/crypto/gse.c:731
#14 0x00007f445bd63a8b in gssapi_server_get_user_info (gse_ctx=0x7f445e2d8020, mem_ctx=0x7f445e2d7380, client_id=0x7f445e2bd5e8, server_info=0x7f445e2d73a8) at rpc_server/dcesrv_gssapi.c:127
#15 0x00007f445bd57f5d in pipe_gssapi_verify_final (mem_ctx=0x7f445e2d7380, gse_ctx=0x7f445e2d8020, client_id=0x7f445e2bd5e8, session_info=0x7f445e2d73a8) at rpc_server/srv_pipe.c:734
#16 0x00007f445bd5994a in pipe_auth_verify_final (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:814
#17 0x00007f445bd5bb3b in api_pipe_alter_context (pkt=0x7f445e2d3200, p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1403
#18 process_complete_pdu (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1955
#19 0x00007f445bd5c22b in process_incoming_data (p=0x7f445e2d7380, data=0x7f445e2e4cb4 "\270\020\270\020", n=<optimized out>) at rpc_server/srv_pipe_hnd.c:218
#20 0x00007f445bd5c90e in write_to_internal_pipe (n=216, data=0x7f445e2e4cb4 "\270\020\270\020", p=0x7f445e2d7380) at rpc_server/srv_pipe_hnd.c:244
#21 np_write_send (mem_ctx=<optimized out>, ev=0x7f445e2bd520, handle=<optimized out>, data=<optimized out>, len=216) at rpc_server/srv_pipe_hnd.c:538
#22 0x00007f445bb71177 in reply_pipe_write_and_X (req=0x7f445e2e4dd0) at smbd/pipes.c:322
#23 0x00007f445bb7ab18 in reply_write_and_X (req=0x7f445e2e4dd0) at smbd/reply.c:4529
#24 0x00007f445bbbd9c4 in switch_message (type=47 '/', req=0x7f445e2e4dd0, size=284) at smbd/process.c:1574
#25 0x00007f445bbbdddb in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=<optimized out>, unread_bytes=0, size=284, inbuf=0x0, sconn=0x7f445e2bd5e0) at smbd/process.c:1610
#26 process_smb (sconn=0x7f445e2bd5e0, inbuf=<optimized out>, nread=284, unread_bytes=0, seqnum=<optimized out>, encrypted=false, deferred_pcd=0x0) at smbd/process.c:1688
#27 0x00007f445bbbe1f3 in smbd_server_connection_read_handler (conn=0x7f445e2bd5e0, fd=24) at smbd/process.c:2317
#28 0x00007f445be6f27e in run_events_poll (num_pfds=2, pfds=0x7f445e2ce2e0, pollrtn=<optimized out>, ev=0x7f445e2bd520) at lib/events.c:286
#29 run_events_poll (ev=0x7f445e2bd520, pollrtn=<optimized out>, pfds=0x7f445e2ce2e0, num_pfds=2) at lib/events.c:184
#30 0x00007f445bbbf962 in smbd_server_connection_loop_once (conn=0x7f445e2bd5e0) at smbd/process.c:1017
#31 smbd_process (sconn=0x7f445e2bd5e0) at smbd/process.c:3158
#32 0x00007f445c0cd21f in smbd_accept_connection (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at smbd/server.c:511
#33 0x00007f445be6f27e in run_events_poll (num_pfds=5, pfds=0x7f445e2d67c0, pollrtn=<optimized out>, ev=0x7f445e2bd520) at lib/events.c:286
#34 run_events_poll (ev=0x7f445e2bd520, pollrtn=<optimized out>, pfds=0x7f445e2d67c0, num_pfds=5) at lib/events.c:184
#35 0x00007f445be6f41a in s3_event_loop_once (ev=0x7f445e2bd520, location=<optimized out>) at lib/events.c:349
#36 0x00007f445be6ffa0 in _tevent_loop_once (ev=0x7f445e2bd520, location=0x7f445c2d1f37 "smbd/server.c:844") at ../lib/tevent/tevent.c:494
#37 0x00007f445bb3e060 in smbd_parent_loop (parent=<optimized out>) at smbd/server.c:844
#38 main (argc=<optimized out>, argv=<optimized out>) at smbd/server.c:1326

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1094438

Title:
  Samba crashes invalid pointer: 0x00007f0bc3de7590

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1094438/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs