[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Mon Sep 27 19:24:59 MDT 2010


The branch, master has been updated
       via  d7c09f3 Add torture test BAD-NBT-SESSION as regression fix for bug 7698 - Assert causes smbd to panic on invalid NetBIOS session request.
       via  a738f5b Small tweak to bugfix for 7698 - Assert causes smbd to panic on invalid NetBIOS session request.
      from  38f5055 tsocket: make sure we delete the fd event before calling close()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d7c09f312ee326c3108c7d06bc9c7390861d8552
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Sep 27 18:24:01 2010 -0700

    Add torture test BAD-NBT-SESSION as regression fix for bug 7698 - Assert causes smbd to panic on invalid NetBIOS session request.
    
    Jeremy.

commit a738f5b846598fa3f44a7c6aa8019ef886bd1bb7
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Sep 27 18:21:46 2010 -0700

    Small tweak to bugfix for 7698 - Assert causes smbd to panic on invalid NetBIOS session request.
    
    Don't just fail to reply on a bad NBT name; only skip the
    internal action.
    
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/reply.c      |    6 +-
 source3/torture/torture.c |  130 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index abff317..f8c016b 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -522,12 +522,12 @@ void reply_special(struct smbd_server_connection *sconn, char *inbuf, size_t inb
 		name_len1 = name_len((unsigned char *)(inbuf+4),inbuf_size - 4);
 		if (name_len1 <= 0 || name_len1 > inbuf_size - 4) {
 			DEBUG(0,("Invalid name length in session request\n"));
-			return;
+			break;
 		}
 		name_len2 = name_len((unsigned char *)(inbuf+4+name_len1),inbuf_size - 4 - name_len1);
 		if (name_len2 <= 0 || name_len2 > inbuf_size - 4 - name_len1) {
 			DEBUG(0,("Invalid name length in session request\n"));
-			return;
+			break;
 		}
 
 		name_type1 = name_extract((unsigned char *)inbuf,
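Review bot: With `return` replaced by `break`, a session request whose NetBIOS names fail the length checks now falls through to whatever follows the switch in reply_special, which lies outside this hunk; if that tail builds the positive session response (0x82) unconditionally — and the new torture test's expectation of 0x82 for a corrupt request suggests it does — a malformed request is acknowledged as accepted. RFC 1002 defines a negative session response (type 0x83 followed by an error code) for exactly this case, so consider routing these `break`s, and the one for the name-type check in the next hunk, to that reply instead of the positive one. The two `Invalid name length` messages are identical, so a log reader cannot tell whether the called or the calling name was rejected; `DEBUG(0,("Invalid called name length in session request\n"));` and the `calling` counterpart would distinguish them. These messages are produced by unauthenticated input, so level 0 lets any peer fill the log; a higher debug level is more appropriate for malformed-client noise.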
@@ -537,7 +537,7 @@ void reply_special(struct smbd_server_connection *sconn, char *inbuf, size_t inb
 
 		if (name_type1 == -1 || name_type2 == -1) {
 			DEBUG(0,("Invalid name type in session request\n"));
-			return;
+			break;
 		}
 
 		DEBUG(2,("netbios connect: name1=%s0x%x name2=%s0x%x\n",
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 588ed14..122c694 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -221,6 +221,120 @@ static struct cli_state *open_nbt_connection(void)
 	return c;
 }
 
+/****************************************************************************
+ Send a corrupt session request. See rfc1002.txt 4.3 and 4.3.2.
+****************************************************************************/
+
+static bool cli_bad_session_request(struct cli_state *cli,
+                         struct nmb_name *calling, struct nmb_name *called)
+{
+        char *p;
+        int len = 4;
+        int namelen = 0;
+        char *tmp;
+
+        memcpy(&(cli->calling), calling, sizeof(*calling));
+        memcpy(&(cli->called ), called , sizeof(*called ));
+
+        /* put in the destination name */
+
+        tmp = name_mangle(talloc_tos(), cli->called.name,
+                          cli->called.name_type);
+        if (tmp == NULL) {
+                return false;
+        }
+
+        p = cli->outbuf+len;
+        namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp));
+        if (namelen > 0) {
+                memcpy(p, tmp, namelen);
+                len += namelen;
+        }
+        TALLOC_FREE(tmp);
+
+	/* Deliberately corrupt the name len (first byte) */
+	*p = 100;
+
+        /* and my name */
+
+        tmp = name_mangle(talloc_tos(), cli->calling.name,
+                          cli->calling.name_type);
+        if (tmp == NULL) {
+                return false;
+        }
+
+        p = cli->outbuf+len;
+        namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp));
+        if (namelen > 0) {
+                memcpy(p, tmp, namelen);
+                len += namelen;
+        }
+        TALLOC_FREE(tmp);
+	/* Deliberately corrupt the name len (first byte) */
+	*p = 100;
+
+        /* send a session request (RFC 1002) */
+        /* setup the packet length
+         * Remove four bytes from the length count, since the length
+         * field in the NBT Session Service header counts the number
+         * of bytes which follow.  The cli_send_smb() function knows
+         * about this and accounts for those four bytes.
+         * CRH.
+         */
+        len -= 4;
+        _smb_setlen(cli->outbuf,len);
+        SCVAL(cli->outbuf,0,0x81);
+
+        cli_send_smb(cli);
+        DEBUG(5,("Sent session request\n"));
+
+        if (!cli_receive_smb(cli))
+                return False;
+
+        if (CVAL(cli->inbuf,0) != 0x82) {
+                /* This is the wrong place to put the error... JRA. */
+                cli->rap_error = CVAL(cli->inbuf,4);
+                return False;
+        }
+        return(True);
+}
+
+static struct cli_state *open_bad_nbt_connection(void)
+{
+	struct nmb_name called, calling;
+	struct sockaddr_storage ss;
+	struct cli_state *c;
+	NTSTATUS status;
+
+	make_nmb_name(&calling, myname, 0x0);
+	make_nmb_name(&called , host, 0x20);
+
+        zero_sockaddr(&ss);
+
+	if (!(c = cli_initialise())) {
+		printf("Failed initialize cli_struct to connect with %s\n", host);
+		return NULL;
+	}
+
+	c->port = 139;
+
+	status = cli_connect(c, host, &ss);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("Failed to connect with %s. Error %s\n", host, nt_errstr(status) );
+		return NULL;
+	}
+
+	c->timeout = 4000; /* set a short timeout (4 seconds) */
+
+	if (!cli_bad_session_request(c, &calling, &called)) {
+		printf("Failed to connect with %s. Error %s\n", host, nt_errstr(status) );
+		return NULL;
+	}
+
+	return c;
+}
+
+
 /* Insert a NULL at the first separator of the given path and return a pointer
  * to the remainder of the string.
  */
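Review bot: open_bad_nbt_connection leaks the cli_state on both error paths: after cli_connect fails and after cli_bad_session_request fails it returns NULL without `cli_shutdown(c);`, leaving the socket open for the rest of the torture run, and the second message prints `nt_errstr(status)` although status was checked OK a few lines earlier, so it always reports success text for a failed session request. Change both exits to `cli_shutdown(c); return NULL;` and the second printf to `printf("Bad session request to %s was not answered\n", host);`. In cli_bad_session_request the `*p = 100;` corruption is applied even when name_len() returned <= 0 and nothing was copied, in which case it writes a byte that is not part of the packet; moving the assignment inside the `if (namelen > 0)` block keeps the corruption on bytes actually sent. The function also mixes `false`, `False` and `True` and tab/space indentation within a few lines; pick one of each as the surrounding file does.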
@@ -2654,6 +2768,21 @@ static bool run_negprot_nowait(int dummy)
 	return correct;
 }
 
+/* send smb negprot commands, not reading the response */
+static bool run_bad_nbt_session(int dummy)
+{
+	static struct cli_state *cli;
+
+	printf("starting bad nbt session test\n");
+
+	if (!(cli = open_bad_nbt_connection())) {
+		return False;
+	}
+
+	cli_shutdown(cli);
+	printf("finished bad nbt session test\n");
+	return true;
+}
 
 /* send random IPC commands */
 static bool run_randomipc(int dummy)
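Review bot: The header comment `/* send smb negprot commands, not reading the response */` was copied from run_negprot_nowait and describes a different test; replace it with `/* Send a session request with corrupt NetBIOS names; the server must still reply (regression test for bug 7698). */`. `static` on `cli` is unnecessary since nothing is carried between calls, and the function returns `False` on one path and `true` on the other; `struct cli_state *cli;` and `return false;` keep it consistent with the `true` it already uses.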
@@ -7680,6 +7809,7 @@ static struct {
 	{ "TLDAP", run_tldap },
 	{ "STREAMERROR", run_streamerror },
 	{ "NOTIFY-BENCH", run_notify_bench },
+	{ "BAD-NBT-SESSION", run_bad_nbt_session },
 	{ "LOCAL-SUBSTITUTE", run_local_substitute, 0},
 	{ "LOCAL-GENCACHE", run_local_gencache, 0},
 	{ "LOCAL-TALLOC-DICT", run_local_talloc_dict, 0},



