input validation error in Samba 2.2.0

Claudius Peschke cpe at sunkist.physik.uni-frankfurt.de
Tue May 8 16:14:25 GMT 2001


There is an input validation error in "nmbd" of Samba 2.2.0 and earlier, which can cause a segmentation fault. The failure first occurred when a Macintosh SMB client "DAVE 2.5.2" tried to share files in the same workgroup. The problem is that DAVE claims the packet contains 0x3584 bytes of data. "nmbd" relies on this and tries (in source/nmbd/nmbd_packets.c) to read from unallocated memory. This probably can be used for a DoS attack against Samba servers.
I have solved the problem by comparing the claimed length with the "header.dgm_length" entry of the packet. I don't know whether there is an "official" way for input validation in "nmbd", but this one works.
I have attached an example of a deadly packet (snoop -v -x0) and the patch file (diff -C4 source/nmbd/nmbd_packets.c.orig source/nmbd/nmbd_packets.c).
My server is a Sun UltraSPARC 1 box running Solaris 7 (SunOS 2.7). I have compiled Samba 2.2.0 using gcc version 2.95.2.
Except for this little problem last week, Samba has done a very good service for me over the last years.
Thank you!

   Claudius Peschke
   cpe at sunkist.physik.uni-frankfurt.de


-----------------------------------------

diff -C4 source/nmbd/nmbd_packets.c.orig source/nmbd/nmbd_packets.c

*** source/nmbd/nmbd_packets.c.orig	Mon Jan  8 21:37:45 2001
--- source/nmbd/nmbd_packets.c	Tue May  8 13:50:36 2001
***************
*** 1253,1267 ****
  	  return;
    }
  
    buf = &dgram->data[0];
!   buf -= 4; /* XXXX for the pseudo tcp length - 
  	       someday I need to get rid of this */
  
    if (CVAL(buf,smb_com) != SMBtrans)
      return;
  
    len = SVAL(buf,smb_vwv11);
    buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);
  
    DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d\n",
  	   nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),
--- 1253,1273 ----
  	  return;
    }
  
    buf = &dgram->data[0];
!   buf -= sizeof(int); /* XXXX for the pseudo tcp length - 
  	       someday I need to get rid of this */
  
    if (CVAL(buf,smb_com) != SMBtrans)
      return;
  
    len = SVAL(buf,smb_vwv11);
+   if (len > dgram->header.dgm_length + sizeof(int) - smb_vwv12)
+   {
+     DEBUG(5,("process_dgram: ignoring dgram packet from %s with invalid length=%d\n",
+       inet_ntoa(p->ip), len));
+     return;
+   }
    buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);
  
    DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d\n",
  	   nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),
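Review bot: the new check bounds only the data count (vwv11); the data offset is still read unchecked two lines later in `buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);`, so a datagram with a small vwv11 but an out-of-range vwv12 still yields a buf2 outside the datagram. Compare `SVAL(buf,smb_vwv12) + len` against the bytes remaining in the datagram instead, and note that the right-hand side subtracts the header-offset macro smb_vwv12 rather than the packet's own data offset, so even for vwv11 the bound is looser than it looks. Separately, `buf -= 4` becoming `buf -= sizeof(int)` is unrelated to the fix and ties a wire-format constant (the 4-byte pseudo TCP length the comment names) to a compiler type; keep the literal 4 or a named constant.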



-----------------------------------------

snoop -v -x0

ETHER:  ----- Ether Header -----
ETHER:  
ETHER:  Packet 1 arrived at 15:42:14.17
ETHER:  Packet size = 253 bytes
ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER:  Source      = 0:a0:d2:11:9f:fb, 
ETHER:  Ethertype = 0800 (IP)
ETHER:  
IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 239 bytes
IP:   Identification = 62235
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 60 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = d3ee
IP:   Source address = 141.2.46.112, mikro3mac.physik.uni-frankfurt.de
IP:   Destination address = 141.2.46.127, 141.2.46.127
IP:   No options
IP:   
UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port = 138
UDP:  Destination port = 138 
UDP:  Length = 219 
UDP:  Checksum = DB40 
UDP:  


	   0: ffff ffff ffff 00a0 d211 9ffb 0800 4500    ..............E.
	  16: 00ef f31b 4000 3c11 d3ee 8d02 2e70 8d02    ..Û.@.<......p..
	  32: 2e7f 008a 008a 00db db40 1102 02fa 8d02    .........@......
	  48: 2e70 008a 00c5 0000 2045 4e45 4245 4443    .p...... ENEBEDC
	  64: 4145 4844 4443 4144 4243 4143 4143 4143    AEHDDCADBCACACAC
	  80: 4143 4143 4143 4143 4100 2045 4e45 4a45    ACACACACA. ENEJE
	  96: 4c46 4345 5046 4845 4645 4d45 4d45 4645    LFCEPFHEFEMEMEFE
	 112: 4f43 4143 4143 4143 4142 4e00 ff53 4d42    OCACACACABN..SMB
	 128: 2500 0000 0000 0000 0000 0000 0000 0000    %...............
	 144: 0000 0000 0000 0000 0000 0000 1100 002b    ...............+
	 160: 0000 0000 0000 0000 0000 0000 0000 0000    ................
	 176: 0000 0084 3556 0003 0001 0001 0002 003c    ....5V.........<
	 192: 005c 4d41 494c 534c 4f54 5c42 524f 5753    .\MAILSLOT\BROWS
	 208: 4500 0101 a0bb 0d00 4d41 4320 4733 2031    E.......MAC G3 1
	 224: 0000 0000 0000 0000 0400 0322 4100 1504    ..........."A...
	 240: 55aa 4d61 6320 4733 2028 3129 00           U.Mac G3 (1).
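As an added illustration (not Samba's code and not the poster's patch), the check below parses a constructed SMBtrans block with the layout of the DAVE datagram in the snoop output and rejects the claimed 0x3584-byte data count by bounding both vwv12 (data offset) and vwv11 (data count) against the bytes actually received. The names smb_trans_data_fits, build_trans and check_claim are made up for this example; the 129-byte block and the 43 real data bytes follow the dump (SMB header at offset 124, data at SMB offset 0x56).

```c
#include <stdint.h>
#include <string.h>

#define SMBTRANS    0x25   /* SMB command byte for SMBtrans */
#define SMB_WCT_OFF 32     /* word-count byte in the SMB header */
#define SMB_VWV_OFF 33     /* first parameter word (vwv0) */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* 'smb' points at the "\xffSMB" header; smb_len is the number of bytes really
 * received from there to the end of the NetBIOS datagram (dgm_length minus the
 * two 34-byte encoded names seen in the dump). Returns 1 if the data described
 * by vwv12 (offset) and vwv11 (count) lies inside those bytes, else 0. */
int smb_trans_data_fits(const uint8_t *smb, size_t smb_len)
{
    if (smb_len < SMB_VWV_OFF || memcmp(smb, "\xffSMB", 4) != 0) return 0;
    if (smb[4] != SMBTRANS) return 0;
    size_t wct = smb[SMB_WCT_OFF];
    if (wct < 13 || SMB_VWV_OFF + 2 * wct > smb_len) return 0; /* need vwv0..vwv12 */
    size_t count  = le16(smb + SMB_VWV_OFF + 2 * 11); /* vwv11: claimed data bytes */
    size_t offset = le16(smb + SMB_VWV_OFF + 2 * 12); /* vwv12: data offset from smb */
    return offset >= SMB_VWV_OFF + 2 * wct && offset + count <= smb_len;
}

/* Constructed 129-byte SMBtrans block shaped like the DAVE datagram (wct = 17,
 * data at offset 0x56) with a caller-chosen data count; payload left zeroed. */
size_t build_trans(uint8_t *out, uint16_t data_count)
{
    memset(out, 0, 129);
    memcpy(out, "\xffSMB", 4);
    out[4] = SMBTRANS;
    out[SMB_WCT_OFF] = 17;
    out[SMB_VWV_OFF + 2 * 11]     = (uint8_t)(data_count & 0xff);
    out[SMB_VWV_OFF + 2 * 11 + 1] = (uint8_t)(data_count >> 8);
    out[SMB_VWV_OFF + 2 * 12]     = 0x56;
    return 129;
}

int check_claim(uint16_t data_count)
{
    uint8_t pkt[129];
    return smb_trans_data_fits(pkt, build_trans(pkt, data_count));
}

int main(void)
{   /* 0x3584 is what DAVE 2.5.2 claimed; only 43 data bytes are really present */
    return (check_claim(0x3584) == 0 && check_claim(43) == 1) ? 0 : 1;
}
```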

