And now... the patch. :)

Cheers,
--
Steve Langasek
postmodern programmer

On Tue, Apr 19, 2005 at 10:33:44PM -0700, Steve Langasek wrote:
> And valgrind reveals all in the end. Attached is a patch which fixes up a
> rounding error in the use of malloc_array(); this is probably a bit wasteful
> compared to the original code, but at least it never allocates too little and
> gives us malloc corruption.
>
> I'll get this over to the security team asap; in the meantime, the patch is
> here for people who can't wait for the official builds.
>
> Cheers,
> --
> Steve Langasek
> postmodern programmer
>
> On Fri, Apr 08, 2005 at 09:48:53AM +0200, Rasmus Bøg Hansen wrote:
> > Andrew Bartlett <[EMAIL PROTECTED]> hit the keyboard.
> > Afterwards the following was on the screen:
> >
> > > On Fri, 2005-04-08 at 01:08 +0200, Rasmus Bøg Hansen wrote:
> > >> Hi again
> > >>
> > >> Valgrind is not in woody, so I installed it from backports, and made
> > >> the following trace:
> > >>
> > >> valgrind -v -- smbd -i > /tmp/valgrind.log 2>&1
> > >>
> > >> Output is here:
> > >>
> > >> http://www.amagerkollegiet.dk/~moffe/valgrind.log
> > >
> > > Sorry, that doesn't help. We will probably need --num-callers=32, and
> > > we need to show it crashing, not just running and exiting once (which is
> > > what -i does).
> > >
> > > Internally, Samba has been modified to assist in this, so if you run
> > > with the valgrind --trace-children option, but not smbd's -i, the
> > > valgrind errors will end up in the normal Samba logfiles (we redirect
> > > stderr).
> >
> > Ok, I now did:
> >
> > valgrind -v --num-callers=32 --trace-children=yes --log-file=valgrind.log
> > -- smbd
> >
> > I do not really understand (perhaps due to my limited knowledge of
> > valgrind) why smbd crashes when run normally; when run through
> > valgrind it seems to run without crashing.
> >
> > Nonetheless, the valgrind logfile is here:
> >
> > http://www.amagerkollegiet.dk/~moffe/valgrind.log.pid2456

diff -u samba-2.2.3a/debian/changelog samba-2.2.3a/debian/changelog
--- samba-2.2.3a/debian/changelog
+++ samba-2.2.3a/debian/changelog
@@ -1,3 +1,12 @@
+samba (2.2.3a-15) stable-security; urgency=low
+
+ * Acknowledge the Security Team's NMUs; thanks again for all your
+ work, Joey.
+ * Fix a rounding error introduced in the patch to bitmap_alloc() that
+ causes crashes on reload. Closes: #302378.
+
+ -- Steve Langasek <[EMAIL PROTECTED]> Tue, 19 Apr 2005 18:14:36 -0700
+
samba (2.2.3a-14.2) stable-security; urgency=high
* Non-maintainer upload by the Security Team
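Review bot: urgency=low on the new 2.2.3a-15 entry sits oddly with a stable-security upload whose second bullet fixes crashes on reload that an earlier security patch introduced; consider a higher urgency. The bullet would also be easier to audit later if it named the patch file being corrected (debian/patches/z_CAN-2004-1154.patch) rather than only "the patch to bitmap_alloc()".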
diff -u samba-2.2.3a/debian/rules samba-2.2.3a/debian/rules
--- samba-2.2.3a/debian/rules
+++ samba-2.2.3a/debian/rules
@@ -4,7 +4,7 @@
# solve build problems) introduced in Samba 2.2.1a-5. These
# modification were made by Steve Langasek <[EMAIL PROTECTED]>.
#
-# $Id: rules,v 1.2.2.2.2.27 2002/10/12 16:53:59 vorlon Exp $
+# $Id: rules,v 1.2.2.2.2.29 2005/04/20 01:11:50 vorlon Exp $
#
# Uncomment this to turn on verbose mode.
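Review bot: the only change to debian/rules is the expanded $Id keyword (revision .27 to .29 and the date), so this hunk carries no build change. Keeping keyword-expansion noise out of the diff sent to the security team would leave only the lines that need review.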
diff -u samba-2.2.3a/debian/patches/z_CAN-2004-1154.patch
samba-2.2.3a/debian/patches/z_CAN-2004-1154.patch
--- samba-2.2.3a/debian/patches/z_CAN-2004-1154.patch
+++ samba-2.2.3a/debian/patches/z_CAN-2004-1154.patch
@@ -355,7 +355,7 @@
bm->n = n;
- bm->b = (uint32 *)malloc(sizeof(bm->b[0])*(n+31)/32);
-+ bm->b = (uint32 *)malloc_array(sizeof(bm->b[0]), (n+31)/32);
++ bm->b = (uint32 *)malloc_array(sizeof(bm->b[0]), (n+31)/32+1);
if (!bm->b) {
SAFE_FREE(bm);
return NULL;
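Review bot: the +1 in "(n+31)/32+1" pads the allocation by one word instead of correcting a rounding step, because (n+31)/32 already rounds n bits up to whole uint32 words. The removed original, "sizeof(bm->b[0])*(n+31)/32", multiplies before dividing, so its byte count can be up to 3 bytes larger than the malloc_array() count (for n=32 it gives 7 bytes against 4). If code outside this hunk still sizes its accesses with the old expression, changing that code to use the same word count would remove the mismatch at its source. If the padding stays, a comment on this line saying why the extra word is needed would stop a later cleanup from removing it.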

