#259 closed defect (fixed)
Crash in NDCTL.EXE while browsing directory under PMView
| Reported by: | Lewis Rosenthal | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Samba Client Plugin | Version: | Client 3.0.x |
| Keywords: | Cc: |
Description
Directory contains several nested directories of image files, and is located on NetWare CIFS volume (SMB1). Browsing for several minutes, moving form one directory to another results in a crash. The relevant portion of log.smbc (I think) is:
[2015/07/13 09:25:19.777000, 3, pid=46, effective(0, 0), real(0, 0)] ../source3
/lib/util_sock.c:617(open_socket_out_send)
Connecting to 192.168.100.1 at port 139
[2015/07/13 09:25:19.799000, 5, pid=46, effective(0, 0), real(0, 0)] ../lib/uti
l/util_net.c:890(print_socket_options)
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 4
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
Could not test socket option SO_REUSEPORT.
SO_SNDBUF = 33580
SO_RCVBUF = 33580
SO_SNDLOWAT = 4096
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
[2015/07/13 09:25:19.801000, 4, pid=46, effective(0, 0), real(0, 0)] U:/DEV/sam
ba-svn/trunk/client-4.x/src/smbwrp.c:272(smbwrp_connect)
session request ok, c->timeout = 20000
[2015/07/13 09:25:19.844000, 0, pid=46, effective(0, 0), real(0, 0)] ../lib/uti
l/talloc_stack.c:104(talloc_pop)
Freed frame U:/DEV/samba-svn/trunk/client-4.x/src/smbwrp.c:1193, expected U:/D
EV/samba-svn/trunk/client-4.x/src/smbwrp.c:1193.
[2015/07/13 09:25:20.055000, 0, pid=46, effective(0, 0), real(0, 0)] ../lib/uti
l/debug.c:429(talloc_log_fn)
talloc: access after free error - first free may be at U:/DEV/samba-svn/trunk/
client-4.x/src/smbwrp.c:1251
[2015/07/13 09:25:20.057000, 0, pid=46, effective(0, 0), real(0, 0)] ../lib/uti
l/debug.c:429(talloc_log_fn)
Bad talloc magic value - access after free
Killed by SIGABRT
pid=0x002e ppid=0x0000 tid=0x0003 slot=0x0089 pri=0x0400 mc=0x0001 ps=0x0000
C:\NDFS\NDCTL.EXE
Process dumping was disabled, use DUMPPROC / PROCDUMP to enable it.
I have not tested with smbclient, yet, though I'm not sure I can even duplicate the conditions under smbclient (I can browse directories from a command line, but not from a file picker, as no drive letter mapping is possible with it).
Attachments (2)
Change History (5)
by , 9 years ago
comment:1 by , 9 years ago
This issue (or an unrelated one with similar symptoms) occurs against a Samba 4.1.8 share served from openSuSE 13.2 with only a handful of image files in it. The end of log.ndpsmb says:
2015/07/13 10:00:35.10: 9 3: NdpFindStart: dir [\Images\], dir_mask [*.*], mask [\Images\*], szPath [Images\*.*] 2015/07/13 10:00:35.10: 4 3: smbwrp_filelist 2015/07/13 10:00:35.10: 1 3: Filelist <\Images\*> on master <WORKGROUP> wgrp <wo rkgroup> server <dp45sg.randr> share <Test> clidev <(null)> 2015/07/13 10:00:35.10: 1 3: list_files 2015/07/13 10:00:35.10: 4 3: SMB2 detected, calling list_files_smb2() 2015/07/13 10:00:35.10: 1 3: list_files_smb 2015/07/13 10:00:35.10: 9 2: NdpCreateConnection in 2015/07/13 10:00:35.11: 9 2: NdpCreateConnection send CONNECT 2015/07/13 10:00:35.11: 1 2: Connecting to \\lewis:*********@workgroup:dp45sg.ra ndr\Test. Master WORKGROUP:1
at which point the control program crashes with the following in log.smbc:
[2015/07/13 10:00:35.111000, 5, pid=181, effective(0, 0), real(0, 0)] ../lib/td b_wrap/tdb_wrap.c:65(tdb_wrap_log) tdb(C:\MPTN\ETC/samba/lock/gencache_notrans.tdb): fcntl_lock: (fd=11) offset=4 24 rw_type=1 len=1 waitflag=1 (rc=0) pid=181 [2015/07/13 10:00:35.113000, 5, pid=181, effective(0, 0), real(0, 0)] ../lib/td b_wrap/tdb_wrap.c:65(tdb_wrap_log) tdb(C:\MPTN\ETC/samba/lock/gencache_notrans.tdb): fcntl_unlock: (fd=11) offset =424 rw_type=1 len=1 (rc=0) pid=181 [2015/07/13 10:00:35.113000, 5, pid=181, effective(0, 0), real(0, 0)] ../source 3/libsmb/namecache.c:165(namecache_fetch) name dp45sg.randr#20 found. [2015/07/13 10:00:35.113000, 10, pid=181, effective(0, 0), real(0, 0)] ../source 3/libsmb/namequery.c:1110(remove_duplicate_addrs2) remove_duplicate_addrs2: looking for duplicate address/port pairs [2015/07/13 10:00:35.113000, 3, pid=181, effective(0, 0), real(0, 0)] ../source 3/lib/util_sock.c:617(open_socket_out_send) Connecting to 192.168.100.18 at port 139
(complete log.smbc, attached as log.smbc.smb2.zip).
When running dir on the directory from 4OS2, there is a noticeable delay befor ethe results are displayed. From CMD, there is no delay, though the results are displayed more slowly. The directory contains the following:
Volume in drive K is NETDRIVE
Directory of K:\Images\*
7-13-15 10:09 <DIR> 0 .
7-13-15 10:09 <DIR> 0 ..
7-04-15 17:33 <DIR> 0 Samba
7-04-15 17:33 <DIR> 0 YUMIE
7-04-15 17:33 3,491 0 64px-BC_Logo_.ico
7-04-15 17:33 2,409 124 64px-BC_Logo_.png
7-04-15 17:33 36,199 0 artdeco.jpg
7-04-15 17:33 641 0 beach.jpg
7-04-15 17:33 51,648 0 bikes.jpg
7-04-15 17:33 52,750 124 branding.bmp
7-04-15 17:33 32,325 9,577 Captured001.png
7-04-15 17:33 21,610 9,577 Captured002.png
7-04-15 17:33 13,711 9,577 Captured003.png
7-04-15 17:33 16,943 9,577 Captured004.png
7-04-15 17:33 8,085 9,577 Captured005.png
7-04-15 17:33 36,927 9,577 Captured007.png
7-04-15 17:33 11,855 9,577 Captured008.png
7-04-15 17:33 10,548 9,577 Captured009.png
7-04-15 17:33 14,886 9,577 Captured010.png
7-04-15 17:33 40,492 0 city.jpg
7-04-15 17:33 2,585 9,577 default-logo-branding-1024x768.png
7-04-15 17:33 4,502 0 electrum.ico
7-04-15 17:33 9,322 124 electrum.png
7-04-15 17:33 31,452 0 flower.jpg
7-04-15 17:33 10,645 9,577 startcom-ca-list-ff-24-8-1.png
7-04-15 17:33 1,605 9,577 yumie-062-update-from-available-list-not-selectable.png
7-04-15 17:33 28,272 9,577 yumie-063-after-package-update-fresh-search-results-contents.png
7-04-15 17:33 34,046 9,577 yumie-063-after-package-update-installed-contents.png
7-04-15 17:33 9,210 9,577 yumie-063-after-package-update-search-results-contents.png
7-04-15 17:33 893 9,577 yumie-063-before-package-update-installed-contents.png
7-04-15 17:33 29,447 9,577 yumie-063-before-package-update-search-results-contents.png
7-04-15 17:33 26,402 9,577 yumie-063-search-results-contents-after-clearing-and-refreshing.png
7-04-15 17:33 10,610 9,577 yumie-070-error-message.png
7-04-15 17:33 38,201 9,577 yumie-070-lost-help-tooltip.png
7-04-15 17:33 28,880 9,577 yumie-070-truncated-filter-field.png
7-04-15 17:33 14,682 9,577 yumie-072-unreadable-log-text.png
7-04-15 17:33 5,015 9,577 yumie-072-vertical-error-text.png
7-04-15 17:33 2,147 9,577 yumie-075update-fixed-error-text.png
7-04-15 17:33 2,087 0 yumie-pics.zip
644,523 bytes in 35 files and 4 dirs
665,600 bytes allocated
465,719,894,016 bytes (433GB) free
As this occurs under SMB2, I can't tell yet whether this is the same crash. EAs are properly read from the other directories. The above directory is also a light table object. Opening it on the desktop takes a considerable amount of time and high CPU (but no crash).
by , 9 years ago
| Attachment: | log.smbc.smb2.zip added |
|---|
Complete log.smbc taken during crash under SMB2
comment:2 by , 9 years ago
I meant to comment here yesterday, the 20150716a.zip and 20150716b.zip have a potential fix for this issue
comment:3 by , 8 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
I can no longer reproduce this condition, either over SMB1 (without EA support on the server side; NetWare CIFS) or SMB3_11 with full EA support (XFS partition on the server side) with:
6-22-16 3:51 13,953,656 124 ndpsmb.dll
I was able to traverse the directory tree from PMView 3.75, create thumbnails on the fly, delete files, delete directories, move files between directories, switch from one mapped volume to another, and even ran a slideshow (of the Developers Workshop 2005) from across the LAN.
Performance could be improved, but that is a separate issue and there are many factors (including the server) to consider. No matter; I could not get NDCTL.EXE to crash.
Last 1,000 lines of log.smbc