'net ads join' is crashing during DoDNSUpdate


Environment

  • Red Hat Enterprise Linux 7
  • realmd 0.16.1-9
  • samba 4.7.1

Issue

  • Why does 'net ads join' crash while sending a DNS update request?

Resolution

  • This issue has been fixed in erratum RHBA-2018:2440.
  • Update the samba packages to version 4.7.1-9.

Root Cause

Diagnostic Steps

  • Core dump analysis
(gdb) bt
#0  0x0000562f8117ae1b in DoDNSUpdate (pszServerName=pszServerName@entry=0x7ffd17971180 "ans-4.iastate.edu", 
    pszDomainName=pszDomainName@entry=0x7ffd17971089 "example.com", pszHostName=pszHostName@entry=0x7ffd17971080 "server.example.com", 
    sslist=sslist@entry=0x562f833b9e00, num_addrs=num_addrs@entry=2, flags=flags@entry=61, remove_host=remove_host@entry=false) at ../source3/utils/net_dns.c:80
#1  0x0000562f81142cf3 in net_update_dns_internal (c=0x562f833711c0, remove_host=false, num_addrs=2, addrs=0x562f833b9e00, 
    machine_name=0x7ffd17971080 "server.example.com", ads=<optimized out>, ctx=0x7f8065f3de77 <secrets_fetch+135>) at ../source3/utils/net_ads.c:1250
#2  net_update_dns_ext (c=c@entry=0x562f833711c0, mem_ctx=mem_ctx@entry=0x562f8337e100, ads=<optimized out>, hostname=hostname@entry=0x0, iplist=0x562f833b9e00, 
    iplist@entry=0x0, num_addrs=2, num_addrs@entry=0, remove_host=remove_host@entry=false) at ../source3/utils/net_ads.c:1320
#3  0x0000562f81143a32 in net_update_dns (hostname=0x0, ads=<optimized out>, mem_ctx=0x562f8337e100, c=0x562f833711c0) at ../source3/utils/net_ads.c:1331
#4  _net_ads_join_dns_updates (r=0x562f83382820, ctx=0x562f8337e100, c=0x562f833711c0) at ../source3/utils/net_ads.c:1443
#5  net_ads_join (c=<optimized out>, argc=<optimized out>, argv=<optimized out>) at ../source3/utils/net_ads.c:1632
#6  0x0000562f81148c54 in net_ads (c=<optimized out>, argc=<optimized out>, argv=<optimized out>) at ../source3/utils/net_ads.c:3473
#7  0x0000562f81127640 in main (argc=9, argv=0x7ffd179720e8) at ../source3/utils/net.c:1124
(gdb) frame 0
#0  0x0000562f8117ae1b in DoDNSUpdate (pszServerName=pszServerName@entry=0x7ffd17971180 "ans-4.iastate.edu", 
    pszDomainName=pszDomainName@entry=0x7ffd17971089 "example.com", pszHostName=pszHostName@entry=0x7ffd17971080 "server.example.com", 
    sslist=sslist@entry=0x562f833b9e00, num_addrs=num_addrs@entry=2, flags=flags@entry=61, remove_host=remove_host@entry=false) at ../source3/utils/net_dns.c:80
80          if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
(gdb) info registers 
rax            0x0  0       <=====
rbx            0x562f83517a20   94762066606624
rcx            0x7f806357de80   140189399244416
rdx            0x2710   10000
rsi            0x1  1
rdi            0x0  0
rbp            0x2  0x2
rsp            0x7ffd17970f80   0x7ffd17970f80
r8             0xa  10
r9             0x80 128
r10            0x9  9
r11            0x246    582
r12            0x562f833b9e00   94762065174016
r13            0x7ffd17971180   140724999229824
r14            0x7ffd17971089   140724999229577
r15            0x3d 61
rip            0x562f8117ae1b   0x562f8117ae1b <DoDNSUpdate+331>
eflags         0x10293  [ CF AF SF IF RF ]
cs             0x33 51
ss             0x2b 43
---Type <return> to continue, or q <return> to quit--- 
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
(gdb) disassemble 
Dump of assembler code for function DoDNSUpdate:
   0x0000562f8117acd0 <+0>: push   %r15
   0x0000562f8117acd2 <+2>: mov    %r9d,%r15d
   0x0000562f8117acd5 <+5>: push   %r14
   0x0000562f8117acd7 <+7>: mov    %rsi,%r14
   0x0000562f8117acda <+10>:    push   %r13
   0x0000562f8117acdc <+12>:    mov    %rdi,%r13
   0x0000562f8117acdf <+15>:    push   %r12
   0x0000562f8117ace1 <+17>:    mov    %rcx,%r12
   0x0000562f8117ace4 <+20>:    push   %rbp
   0x0000562f8117ace5 <+21>:    mov    %r8,%rbp
   0x0000562f8117ace8 <+24>:    push   %rbx
   0x0000562f8117ace9 <+25>:    sub    $0x48,%rsp
......
=> 0x0000562f8117ae1b <+331>:   movzwl 0x2(%rax),%edi   <=== movzwl Instruction
   0x0000562f8117ae1f <+335>:   callq  0x562f81125cc0 <dns_response_code@plt>
   0x0000562f8117ae24 <+340>:   test   %ax,%ax
....
(gdb) p resp
$1 = (struct dns_update_request *) 0x0
(gdb) p resp->flags
Cannot access memory at address 0x2
(gdb)
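
The session above shows resp == NULL at net_dns.c:80, and the faulting movzwl 0x2(%rax) is the read of resp->flags, which is why gdb reports address 0x2 rather than 0x0. The following is an added illustration of that pattern and of a guarded caller; it is not Samba source or the shipped fix, and the struct layout, function names and sample flag values are assumptions constructed to mirror the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the response structure (assumption, not Samba's definition):
 * 16-bit id, then 16-bit flags, so flags sits at offset 2. */
struct update_reply {
    uint16_t id;
    uint16_t flags;
};

#define RCODE(flags) ((flags) & 0x000F) /* RCODE: low 4 bits of DNS flags */
#define RCODE_NOERROR 0

enum update_result { UPDATE_OK, UPDATE_REJECTED, UPDATE_NO_REPLY };

/* Address a read of reply->flags touches when reply is NULL. */
size_t null_reply_fault_address(void)
{
    return offsetof(struct update_reply, flags);
}

/* Unguarded pattern, as at net_dns.c:80 in the trace: faults if reply is NULL. */
enum update_result classify_unguarded(const struct update_reply *reply)
{
    return RCODE(reply->flags) == RCODE_NOERROR ? UPDATE_OK : UPDATE_REJECTED;
}

/* Guarded pattern: a missing reply is reported as an error, not dereferenced. */
enum update_result classify_guarded(const struct update_reply *reply)
{
    if (reply == NULL) {
        return UPDATE_NO_REPLY;
    }
    return classify_unguarded(reply);
}

int main(void)
{
    struct update_reply ok = { 0x1234, 0xA800 };      /* constructed: RCODE 0 */
    struct update_reply refused = { 0x1234, 0xA805 }; /* constructed: RCODE 5 */

    printf("NULL reply would fault at 0x%zx\n", null_reply_fault_address());
    printf("ok=%d refused=%d none=%d\n", classify_guarded(&ok),
           classify_guarded(&refused), classify_guarded(NULL));
    return 0;
}
```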

Version-Release number of selected component (if applicable):
samba-client-libs-4.7.1-6.el7.x86_64                        Wed Apr 25 16:16:38 2018
samba-common-4.7.1-6.el7.noarch                             Wed Apr 25 16:16:34 2018
samba-common-libs-4.7.1-6.el7.x86_64                        Wed Apr 25 16:16:37 2018
samba-common-tools-4.7.1-6.el7.x86_64                       Wed Apr 25 16:19:38 2018
samba-libs-4.7.1-6.el7.x86_64                               Wed Apr 25 16:19:38 2018

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.