#1129976 samba: Samba and testparm crashes with bad talloc magic value - access after free with smb ports in config

Package:
samba
Source:
samba
Description:
SMB/CIFS file, print, and login server for Unix
Submitter:
Dr. Thomas Orgis
Date:
2026-03-07 12:15:02 UTC
Severity:
normal
Tags:

#1129976#5
Date:
2026-03-06 22:30:30 UTC
From:
To:
Dear Maintainer,

trying to configure samba to use a different port using the old-style syntax

smb ports = tcp:1445

leads to instant crash on samba server and testparm:

$ testparm  /dev/shm/smb-crash.conf
Load smb config files from /dev/shm/smb-crash.conf
Error loading services.
talloc: access after free error - first free may be at lib/param/loadparm.c:1378
Bad talloc magic value - access after free
===============================================================
INTERNAL ERROR: Bad talloc magic value - access after free in testparm () () pid 3990067 (4.22.6-Debian-4.22.6+dfsg-0+deb13u1)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 3990067): Bad talloc magic value - access after free in 4.22.6-Debian-4.22.6+dfsg-0+deb13u1
BACKTRACE: 8 stack frames:
 #0 /usr/lib/x86_64-linux-gnu/samba/libgenrand-private-samba.so.0(log_stack_trace+0x2d) [0x7f737aa435bd]
 #1 /usr/lib/x86_64-linux-gnu/samba/libgenrand-private-samba.so.0(smb_panic+0xd) [0x7f737aa4385d]
 #2 /lib/x86_64-linux-gnu/libtalloc.so.2(+0x3467) [0x7f737b08e467]
 #3 /lib/x86_64-linux-gnu/libsmbconf.so.0(+0x43fc0) [0x7f737b0dbfc0]
 #4 testparm(main+0x6c9) [0x5641631cafd9]
 #5 /lib/x86_64-linux-gnu/libc.so.6(+0x29ca8) [0x7f737adb8ca8]
 #6 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7f737adb8d65]
 #7 testparm(_start+0x21) [0x5641631cc8d1]
Can not dump core: corepath not set up

On trixie, it is possible to use the new-style syntax

server smb transports = tcp:1445

which seems to work (did not test actual operation). But on bookworm, that is not supported
and one simply cannot start a samba instance on a different port.

#1129976#10
Date:
2026-03-07 00:43:00 UTC
From:
To:
Can you file this upstream @ https://bugzilla.samba.org please?

That is the best way to get a developer's attention and so a fix for
this bug.

Andrew Bartlett

#1129976#15
Date:
2026-03-07 07:29:36 UTC
From:
To:
Hah, I forgot that I already had an account there … upstream report:

https://bugzilla.samba.org/show_bug.cgi?id=16017

#1129976#20
Date:
2026-03-07 08:29:25 UTC
From:
To:
Well, as noted in the upstream bug, this is actually invalid
configuration syntax (tcp:123 in smb ports). So nothing that impedes
actual user scenarios.

#1129976#25
Date:
2026-03-07 12:12:29 UTC
From:
To:
Control: severity -1 minor
Control: forwarded -1 https://bugzilla.samba.org/show_bug.cgi?id=16017
Control: tag -1 + upstream confirmed

Well. The crash isn't really good, even if input is bad - this is a
clear lack of proper error handling. But indeed, it is not about
real-life usage scenarios.

Thanks,

/mjt
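
A pre-flight check for the setting discussed in this thread, as an added example that is not part of the bug report or of Samba's code: it flags `smb ports` values that are not plain port numbers (such as `tcp:1445`) before the file is handed to testparm or the server. The function names and the sample config are constructed for illustration. It assumes list values are separated by whitespace or commas, and it does not follow `include` directives or backslash line continuations.

```python
import re

# Constructed sample smb.conf; line 3 carries the setting from the report.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   smb ports = tcp:1445
   # commented out: smb ports = tcp:9999
   SMB Ports = 445, 139 70000
[share]
   path = /srv/share
"""


def normalize(name):
    # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()


def lint_smb_ports(text):
    """Return (line_no, token, reason) for every bad token in 'smb ports'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blank lines, comments, section headers and non-assignments.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)  # only the first '=' is significant
        if normalize(name) != "smbports":
            continue
        for token in re.split(r"[\s,]+", value.strip()):
            if not token:
                continue
            if not (token.isascii() and token.isdigit()):
                findings.append((line_no, token, "not a plain port number"))
            elif not 1 <= int(token) <= 65535:
                findings.append((line_no, token, "port out of range"))
    return findings


if __name__ == "__main__":
    for line_no, token, reason in lint_smb_ports(SAMPLE_CONF):
        print(f"line {line_no}: smb ports token {token!r}: {reason}")
```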