[Samba] Re: Test Failure for RW1 with samba-3.0.30, Solaris 9

Herb Lewis hlewis at panasas.com
Tue Jun 3 00:41:24 GMT 2008 

It looks like a bug in smbtorture. I ran a 3.0.26a version of
smbtorture against a 3.0.30 server and it passes.

David Eisner wrote:
> Hmm, I wonder if this isn't a bug with the fix for CVE-2008-1105.
> 
> I'll add a bug (to the 717 [1] "NEW" bugs for Samba 3.0 ...), but
> here's what seems to be going on at a low level:
> 
> When the client state is setup in run_readwritetest() by way of
> torture_open_connection(), cli_state->bufsize gets set to
> CLI_SAMBA_MAX_LARGE_READX_SIZE, which is defined to be 127*1024 ==
> 130048.
> 
> During the rw_torture2 iteration that breaks the test,
> send_file_readX() in smbd/reply.c calculates the packet length to
> send:
> 
>     nread = read_file(fsp,data,startpos,smb_maxcnt);
>     // ...
> 
>     outsize = set_message(outbuf,12,nread,False);
>     // ...
> 
>     /* Returning the number of bytes we want to send back - including header. */
>     return outsize;
> }
> 
> When RW1 fails, nread == 130048 (which is
> CLI_SAMBA_MAX_LARGE_READX_SIZE), and outsize is set by set_message()
> to be 39 + 2x12 + nread == 130111.
> 
> Later on, construct_reply reduces this by 4, and I think this becomes
> the length of the reply packet:
> 
>   static int construct_reply(char *inbuf,char *outbuf,int size,int bufsize)
>   {
>       // ...
>       if(outsize > 4)
>           smb_setlen(outbuf,outsize - 4);
>       return(outsize);
>   }
> 
> Now the length stored in the packet is 130111 - 4 == 130107
> 
> Back on the client side, receive_smb_raw()  (in lib/util_sock.c) is unhappy:
> 
>   BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned
> int timeout)
>   {
>       // ...
>       len = read_smb_length_return_keepalive(fd,buffer,timeout);
>       // ...
>       if (len > buflen) {
>           DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
>       //...
> 
> And here's the output (I added a debugging statement to also print buflen:
> 
> ##DRE: receive_smb_raw: Invalid packet length! len == (130107 bytes),
> buflen == (130048).
> 
> That is, it's complaining because 130107, the length reported in the
> reply packet header (I think), is larger than bufsize for the client
> state.  As to where the real problem is (i.e. does receive_smb_raw()
> need to do something with len before comparing it with buflen), I
> can't say.
> 
> -David
> 
> [1] http://preview.tinyurl.com/6g6axu

More information about the samba mailing list