Fix bug #1300038

PANIC: Bad talloc magic value - wrong talloc version used/mixed

2 files changed, 72 insertions, 1 deletions

diff --git a/samba-4.3-s3-parm-clean-up-defaults-when-removing-global-param.patch b/samba-4.3-s3-parm-clean-up-defaults-when-removing-global-param.patch
new file mode 100644
index 0000000..0ffea94
--- /dev/null
+++ b/samba-4.3-s3-parm-clean-up-defaults-when-removing-global-param.patch
@@ -0,0 +1,65 @@
+From d8a03eeab8ece3d9001b087fc658272174f92a25 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 22 Jan 2016 11:44:03 +0200
+Subject: [PATCH] s3-parm: clean up defaults when removing global parameters
+
+When globals are re-initialized, they are cleared and globals' talloc
+context is freed. However, parm_table still contains a reference to the
+global value in the defaults. This confuses lpcfg_string_free() after
+commit 795c543d858b2452f062a02846c2f908fe4cffe4 because it tries to
+free already freed pointer which is passed by lp_save_defaults():
+
+....
+    case P_STRING:
+    case P_USTRING:
+                  lpcfg_string_set(Globals.ctx,
+                                   &parm_table[i].def.svalue,
+                                   *(char **)lp_parm_ptr(NULL, &parm_table[i]));
+....
+
+here &parm_table[i].def.svalue is passed to lpcfg_string_free() but it
+is a pointer to a value allocated with previous Globals.ctx which
+already was freed.
+
+This specifically affects registry backend of smb.conf in lp_load_ex()
+where init_globals() called explicitly to re-init globals after
+lp_save_defaults() if we have registry backend defined.
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/param/loadparm.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 9f4a2b4..f8ecab7 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -399,8 +399,25 @@ static void free_parameters_by_snum(int snum)
+  */
+ static void free_global_parameters(void)
+ {
++	uint32_t i;
++	struct parm_struct *parm;
++
+ 	free_param_opts(&Globals.param_opt);
+ 	free_parameters_by_snum(GLOBAL_SECTION_SNUM);
++
++	/* Reset references in the defaults because the context is going to be freed */
++	for (i=0; parm_table[i].label; i++) {
++		parm = &parm_table[i];
++		if ((parm->type == P_STRING) ||
++		    (parm->type == P_USTRING)) {
++			if ((parm->def.svalue != NULL) &&
++			    (*(parm->def.svalue) != '\0')) {
++				if (talloc_parent(parm->def.svalue) == Globals.ctx) {
++					parm->def.svalue = NULL;
++				}
++			}
++		}
++	}
+ 	TALLOC_FREE(Globals.ctx);
+ }
+ 
+-- 
+2.5.0
+
diff --git a/samba.spec b/samba.spec
index 9406a1a..b756055 100644
--- a/samba.spec
+++ b/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 0
+%define main_release 1
 
 %define samba_version 4.3.4
 %define talloc_version 2.1.3
@@ -107,6 +107,8 @@ Source6: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
 
+Patch1: samba-4.3-s3-parm-clean-up-defaults-when-removing-global-param.patch
+
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 Requires(pre): /usr/sbin/groupadd
@@ -670,6 +672,7 @@ and use CTDB instead.
 
 %prep
 %setup -q -n samba-%{version}%{pre_release}
+%patch1 -p1
 
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1978,6 +1981,9 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Fri Jan 22 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.3.4-1
+- resolves: #1300038 - PANIC: Bad talloc magic value - wrong talloc version used/mixed
+
 * Tue Jan 12 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.4-0
 - resolves: #1261230 - Update to Samba 4.3.4