[SCM] Samba Shared Repository - branch v4-17-test updated
Jule Anger
janger at samba.org
Thu Aug 17 12:24:02 UTC 2023
The branch, v4-17-test has been updated
via fca63c10314 s3: smbd: Ensure init_smb1_request() zeros out what the incoming pointer points to.
via 4f3d61dc268 s3: torture: Add SMB1-NEGOTIATE-TCON that shows the SMB1 server crashes on the uninitialized req->session.
via 098e5f240a5 s3: smbd: init_smb1_request() isn't being passed zero'ed memory from any codepath.
from eb95b15b1ba s3: smbd: Add missing 'return;'s in exit paths in reply_exit_done().
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test
- Log -----------------------------------------------------------------
commit fca63c10314ca16e30d45880957f0e84d55296ae
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 11 17:28:53 2023 -0700
s3: smbd: Ensure init_smb1_request() zeros out what the incoming pointer points to.
Remove the now unneeded req->xxx = NULL assignments (and the
deliberately bogus req->session = (void *)0xDEADBEEF one
used to demonstrate the bug).
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Tue Aug 15 12:06:36 UTC 2023 on atb-devel-224
(Back-ported from commit 4145bfb1b5a3639caf26a310d612aec29fc00117)
Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Thu Aug 17 12:23:05 UTC 2023 on sn-devel-184
commit 4f3d61dc268f193c324a03a5013d4ea1903c33c6
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 11 17:18:26 2023 -0700
s3: torture: Add SMB1-NEGOTIATE-TCON that shows the SMB1 server crashes on the uninitialized req->session.
Found by Robert Morris <rtm at lcs.mit.edu>.
Adds knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <nopower at samba.org>
(Back-ported from commit c32df3bb31ce6275cfb91107e34e2d6b3c2fba1b)
commit 098e5f240a5561a7d57d936d9d01eba8994fa91f
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 11 17:14:38 2023 -0700
s3: smbd: init_smb1_request() isn't being passed zero'ed memory from any codepath.
If a client does a SMB1 NEGPROT followed by SMB1 TCON
then req->session is left uninitialized.
Show this causes a crash by deliberately initializing
req->session to an invalid pointer. This will be removed
once the test shows the crash, and the fix is added to
cause init_smb1_request() to zero the memory passed in.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(Back-ported from commit f02f74e931f5821c7b7c1be2b8f0fb60c9a69b19)
-----------------------------------------------------------------------
Summary of changes:
source3/selftest/tests.py | 11 +++++++++++
source3/smbd/smb2_process.c | 7 ++-----
source3/torture/torture.c | 40 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 53 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 62f4662c9a3..831fdd6db2e 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -225,6 +225,17 @@ plantestsuite("samba3.smbtorture_s3.smb1.SMB1-NEGOTIATE-EXIT",
smbtorture3,
"-mNT1"])
+plantestsuite("samba3.smbtorture_s3.smb1.SMB1-NEGOTIATE-TCON",
+ "fileserver_smb1",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_smbtorture_s3.sh"),
+ 'SMB1-NEGOTIATE-TCON',
+ '//$SERVER_IP/tmp',
+ '$USERNAME',
+ '$PASSWORD',
+ smbtorture3,
+ "-mNT1"])
+
#
# MSDFS attribute tests.
#
diff --git a/source3/smbd/smb2_process.c b/source3/smbd/smb2_process.c
index ad4386e08a4..11f556c88ac 100644
--- a/source3/smbd/smb2_process.c
+++ b/source3/smbd/smb2_process.c
@@ -764,6 +764,8 @@ bool init_smb1_request(struct smb_request *req,
return false;
}
+ *req = (struct smb_request) { .cmd = 0};
+
req->request_time = timeval_current();
now = timeval_to_nttime(&req->request_time);
@@ -782,16 +784,12 @@ bool init_smb1_request(struct smb_request *req,
req->encrypted = encrypted;
req->sconn = sconn;
req->xconn = xconn;
- req->conn = NULL;
if (xconn != NULL) {
status = smb1srv_tcon_lookup(xconn, req->tid, now, &tcon);
if (NT_STATUS_IS_OK(status)) {
req->conn = tcon->compat;
}
}
- req->chain_fsp = NULL;
- req->smb2req = NULL;
- req->chain = NULL;
req->posix_pathnames = lp_posix_pathnames();
smb_init_perfcount_data(&req->pcd);
@@ -812,7 +810,6 @@ bool init_smb1_request(struct smb_request *req,
return false;
}
- req->outbuf = NULL;
return true;
}
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 689fe494c14..4b22958c838 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -14999,6 +14999,42 @@ static bool run_smb1_negotiate_exit(int dummy)
return true;
}
+static bool run_smb1_negotiate_tcon(int dummy)
+{
+ struct cli_state *cli = NULL;
+ uint16_t cnum = 0;
+ uint16_t max_xmit = 0;
+ NTSTATUS status;
+
+ printf("Starting send SMB1 negotiate+tcon.\n");
+ cli = open_nbt_connection();
+ if (cli == NULL) {
+ d_fprintf(stderr, "open_nbt_connection failed!\n");
+ return false;
+ }
+ smbXcli_conn_set_sockopt(cli->conn, sockops);
+
+ status = smbXcli_negprot(cli->conn, 0, PROTOCOL_NT1, PROTOCOL_NT1);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_fprintf(stderr, "smbXcli_negprot failed %s!\n",
+ nt_errstr(status));
+ return false;
+ }
+ status = cli_raw_tcon(cli,
+ share,
+ "",
+ "?????",
+ &max_xmit,
+ &cnum);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ d_fprintf(stderr, "cli_raw_tcon failed - got %s "
+ "(should get NT_STATUS_ACCESS_DENIED)!\n",
+ nt_errstr(status));
+ return false;
+ }
+ return true;
+}
+
static bool run_ign_bad_negprot(int dummy)
{
struct tevent_context *ev;
@@ -15735,6 +15771,10 @@ static struct {
.name = "SMB1-NEGOTIATE-EXIT",
.fn = run_smb1_negotiate_exit,
},
+ {
+ .name = "SMB1-NEGOTIATE-TCON",
+ .fn = run_smb1_negotiate_tcon,
+ },
{
.name = "PIDHIGH",
.fn = run_pidhigh,
--
Samba Shared Repository
More information about the samba-cvs
mailing list