SAMBA_TNG: SIG_SEGV with long filename path

Michael Braun mbraun at mediaone.net
Sun Apr 2 21:13:03 GMT 2000


I found a crash with a long filename path over 128 characters.
The problem is in the latest version in the SAMBA_TNG branch (haven't
checked the LATEST version in main).
I located the problem in the file source/smbd/dfs.c in the function
under_dfs. It can be fixed by using a pstring instead of fstring for
the variable fullpath.
Also the max_length in the call to the safe_strcpy is too long (should be
sizeof(fullpath) - 1).

Michael

This is the log.smb reporting the crash (SIG_SEGV):
mbraun2 (192.168.1.2) connect to service mbraun as user mbraun (uid=500,
gid=100) (pid 546)
tconX service=mbraun user=mbraun
size=91
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=128
smb_flg2=1
smb_tid=1
smb_pid=7327
smb_uid=102
smb_mid=52866
smt_wct=3
smb_vwv[0]=117 (0x75)
smb_vwv[1]=74 (0x4A)
smb_vwv[2]=0 (0x0)
smb_bcc=33
[000] 55 6E 69 78 00 53 61 6D  62 61 20 54 4E 47 2D 70  Unix.Sam ba TNG-p
[010] 72 65 61 6C 70 68 61 00  4D 42 44 4F 4D 41 49 4E  realpha. MBDOMAIN
[020] 00                                                .
write_socket(6,95)
write_socket(6,95) wrote 95
got smb length of 165
got message type 0x0 of len 0xa5
Transaction 3 of length 169
size=165
smb_com=0x8
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=0
smb_flg2=0
smb_tid=1
smb_pid=7327
smb_uid=102
smb_mid=52994
smt_wct=0
smb_bcc=130
[000] 04 5C 57 49 4E 44 4F 57  53 20 53 45 54 54 49 4E  .\WINDOW S SETTIN
[010] 47 53 5C 46 41 56 4F 52  49 54 45 53 5C 53 59 4E  GS\FAVOR ITES\SYN
[020] 41 50 53 45 20 4E 45 54  57 4F 52 4B 53 20 2D 20  APSE NET WORKS -
[030] 4F 4E 4C 49 4E 45 20 4E  45 54 57 4F 52 4B 20 50  ONLINE N ETWORK P
[040] 52 4F 54 4F 43 4F 4C 20  44 41 54 41 42 41 53 45  ROTOCOL  DATABASE
[050] 20 2D 20 41 54 4D 2C 20  54 43 50 2D 49 50 2C 20   - ATM,  TCP-IP,
[060] 45 54 48 45 52 4E 45 54  2C 20 54 4F 4B 45 4E 20  ETHERNET , TOKEN
[070] 52 49 4E 47 2C 20 49 50  58 2D 53 50 58 2E 55 52  RING, IP X-SPX.UR
[080] 4C 00                                             L.
switch message SMBgetatr (pid 546)
lookup user 222,66
000000 vuid_io_key key
0000 pid : 00000222
0004 vuid: 0066
000000 vuid_io_user_struct usr
    0000 uid: 000001f4
    0004 gid: 00000064
    0008 name: mbraun
    0010 requested_name: mbraun
    0018 real_name: <Full Name>
    0024 guest: 00000000
    0028 n_groups: 00000001
    002c : 00000064
    000030 net_io_user_info3 usr
        000030 smb_io_time logon_time
            0030 low : ffffffff
            0034 high: 7fffffff
        000038 smb_io_time logoff_time
            0038 low : ffffffff
            003c high: 7fffffff
        000040 smb_io_time kickoff_time
            0040 low : ffffffff
            0044 high: 7fffffff
        000048 smb_io_time pass_last_set_time
            0048 low : e1043700
            004c high: 01bf9a0f
        000050 smb_io_time pass_can_change_time
            0050 low : e1043700
            0054 high: 01bf9a0f
        000058 smb_io_time pass_must_change_time
            0058 low : ffffffff
            005c high: 7fffffff
        000060 smb_io_unihdr hdr_user_name
            0060 uni_str_len: 000c
            0062 uni_max_len: 000c
            0064 buffer     : 00000001
        000068 smb_io_unihdr hdr_full_name
            0068 uni_str_len: 001a
            006a uni_max_len: 001a
            006c buffer     : 00000001
        000070 smb_io_unihdr hdr_logon_script
            0070 uni_str_len: 0014
            0072 uni_max_len: 0014
            0074 buffer     : 00000001
        000078 smb_io_unihdr hdr_profile_path
            0078 uni_str_len: 0040
            007a uni_max_len: 0040
            007c buffer     : 00000001
        000080 smb_io_unihdr hdr_home_dir
            0080 uni_str_len: 001e
            0082 uni_max_len: 001e
            0084 buffer     : 00000001
        000088 smb_io_unihdr hdr_dir_drive
            0088 uni_str_len: 0004
            008a uni_max_len: 0004
            008c buffer     : 00000001
        0090 logon_count   : 0000
        0092 bad_pw_count  : 0000
        0094 user_id       : 00000bb8
        0098 group_id      : 00000579
        009c num_groups    : 00000000
        00a0 buffer_groups : 00000001
        00a4 user_flgs     : 00000020
        00a8 user_sess_key: 93 a8 4b e3 8c 87 90 12 fd ff 85 85 d6 24 8c a8
        0000b8 smb_io_unihdr hdr_logon_srv
            00b8 uni_str_len: 000c
            00ba uni_max_len: 000c
            00bc buffer     : 00000001
        0000c0 smb_io_unihdr hdr_logon_dom
            00c0 uni_str_len: 0010
            00c2 uni_max_len: 0010
            00c4 buffer     : 00000001
        00c8 buffer_dom_id : 00000001
        00cc padding       : 75 f6 9e e8 c5 82 43 af 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00f4 num_other_sids: 00000000
        00f8 buffer_other_sids: 00000000
        0000fc smb_io_unistr2 user_name
            00fc uni_max_len: 00000006
            0100 undoc      : 00000000
            0104 uni_str_len: 00000006
            0108 buffer     : m.b.r.a.u.n.
        000114 smb_io_unistr2 full_name
            0114 uni_max_len: 0000000d
            0118 undoc      : 00000000
            011c uni_str_len: 0000000d
            0120 buffer     : M.i.c.h.a.e.l. .B.r.a.u.n.
        00013c smb_io_unistr2 logon_script
            013c uni_max_len: 0000000a
            0140 undoc      : 00000000
            0144 uni_str_len: 0000000a
            0148 buffer     : m.b.r.a.u.n...b.a.t.
        00015c smb_io_unistr2 profile_path
            015c uni_max_len: 00000020
            0160 undoc      : 00000000
            0164 uni_str_len: 00000020
            0168 buffer     : \.\.m.b.r.a.u.n.\.m.b.r.a.u.n.\.W.i.n.d.o.w.s.
.S.e.t.t.i.n.g.s.
        0001a8 smb_io_unistr2 home_dir
            01a8 uni_max_len: 0000000f
            01ac undoc      : 00000000
            01b0 uni_str_len: 0000000f
            01b4 buffer     : \.\.m.b.r.a.u.n.\.m.b.r.a.u.n.
        0001d4 smb_io_unistr2 dir_drive
            01d4 uni_max_len: 00000002
            01d8 undoc      : 00000000
            01dc uni_str_len: 00000002
            01e0 buffer     : z.:.
        01e4 num_groups2   : 00000000
        0001e8 smb_io_unistr2 logon_srv
            01e8 uni_max_len: 00000006
            01ec undoc      : 00000000
            01f0 uni_str_len: 00000006
            01f4 buffer     : M.B.R.A.U.N.
        000200 smb_io_unistr2 logon_dom
            0200 uni_max_len: 00000008
            0204 undoc      : 00000000
            0208 uni_str_len: 00000008
            020c buffer     : M.B.D.O.M.A.I.N.
        00021c smb_io_dom_sid2 dom_sid
            021c num_auths: 00000004
            000220 smb_io_dom_sid sid
                0220 sid_rev_num: 01
                0221 num_auths  : 04
                0222 id_auth[0] : 00
                0223 id_auth[1] : 00
                0224 id_auth[2] : 00
                0225 id_auth[3] : 00
                0226 id_auth[4] : 00
                0227 id_auth[5] : 05
                0228 sub_auths : 00000015 daf114ab e9a63437 8284a6bc
Setting 500 in 1 groups: 100
become_unix_sec_ctx uid=(0,500) gid=(0,100) vuser=(546,66)
dos_ChDir to /home/mbraun
unix_dfs_convert: \WINDOWS SETTINGS\FAVORITES\SYNAPSE NETWORKS - ONLINE
NETWORK PROTOCOL DATABASE - ATM, TCP-IP, ETHERNET, TOKEN RING, IPX-SPX.URL
DFS looking for: [\WINDOWS SETTINGS\FAVORITES\SYNAPSE NETWORKS - ONLINE
NETWORK PROTOCOL DATABASE - ATM, TCP-IP, ETHERNET, TOKEN RING, IPX-SPX.URL]
unix_convert called on file "\WINDOWS SETTINGS\FAVORITES\SYNAPSE NETWORKS -
ONLINE NETWORK PROTOCOL DATABASE - ATM, TCP-IP, ETHERNET, TOKEN RING,
IPX-SPX.URL"
===============================================================
INTERNAL ERROR: Signal 11 in pid 546 (TNG-prealpha)
Please read the file BUGS.txt in the distribution
===============================================================
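The two points in the report (a 128-byte fstring is too small for the client-supplied path, and the bound handed to safe_strcpy must be sizeof(fullpath) - 1 so one byte is left for the terminator) can be checked with the following C program. This is an added example, not code from the message or from the Samba tree: the buffer sizes are assumed (128 for fstring, matching the "over 128 characters" in the report, and 1024 for pstring), bounded_strcpy is a reimplementation of the safe_strcpy contract rather than Samba's function, and the sample input is the 128-character path from the SMBgetatr request in the log.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer sizes for the SAMBA_TNG tree of this report: the post says
 * the crash needs a path over 128 characters, which matches a 128-byte
 * fstring; pstring is taken to be 1024 bytes. Not quoted from the tree. */
#define FSTRING_LEN 128
#define PSTRING_LEN 1024
typedef char fstring[FSTRING_LEN];
typedef char pstring[PSTRING_LEN];

/* The 128-character path from the SMBgetatr request in the log
 * (smb_bcc=130 = 1 buffer-type byte + 128 characters + NUL). */
static const char *const LOG_PATH =
    "\\WINDOWS SETTINGS\\FAVORITES\\SYNAPSE NETWORKS - ONLINE NETWORK PROTOCOL "
    "DATABASE - ATM, TCP-IP, ETHERNET, TOKEN RING, IPX-SPX.URL";

/* Reimplementation of the safe_strcpy contract the report relies on (written
 * here, not Samba's code): copy at most maxlength characters and always write
 * a terminating NUL, so the destination must hold maxlength + 1 bytes.
 * Returns the number of source characters that did not fit. */
static size_t bounded_strcpy(char *dest, const char *src, size_t maxlength)
{
    size_t len = strlen(src);
    size_t dropped = 0;

    if (len > maxlength) {
        dropped = len - maxlength;
        len = maxlength;
    }
    memcpy(dest, src, len);
    dest[len] = '\0';
    return dropped;
}

/* The check behind the report's second point: a bound passed to a
 * safe_strcpy-style copy is only safe when it is sizeof(dest) - 1 or less,
 * because the copy writes maxlength + 1 bytes in the worst case. */
static int bound_is_safe(size_t dest_size, size_t maxlength)
{
    return dest_size > 0 && maxlength <= dest_size - 1;
}

/* Shape of the original code: the client path lands in a local fstring.
 * With the correct bound the copy cannot overrun, but the 128-character
 * path from the log loses its last character; with a bound larger than
 * the buffer the copy overruns the stack frame instead, which is how the
 * report explains the Signal 11 in the log. */
static size_t chars_lost_with_fstring(const char *path)
{
    fstring fullpath;
    return bounded_strcpy(fullpath, path, sizeof(fullpath) - 1);
}

/* The fix from the report: a pstring destination with sizeof(fullpath) - 1. */
static size_t chars_lost_with_pstring(const char *path)
{
    pstring fullpath;
    return bounded_strcpy(fullpath, path, sizeof(fullpath) - 1);
}

int main(void)
{
    printf("path length                 : %zu\n", strlen(LOG_PATH));
    printf("characters lost with fstring: %zu\n", chars_lost_with_fstring(LOG_PATH));
    printf("characters lost with pstring: %zu\n", chars_lost_with_pstring(LOG_PATH));
    printf("bound 127 safe for fstring  : %d\n", bound_is_safe(sizeof(fstring), 127));
    printf("bound 1023 safe for fstring : %d\n", bound_is_safe(sizeof(fstring), 1023));
    printf("bound 1023 safe for pstring : %d\n", bound_is_safe(sizeof(pstring), 1023));
    return 0;
}
```

Because sizeof(fullpath) is evaluated on the local array inside each function, the bound follows the buffer type automatically; the same expression on a pointer parameter would yield the pointer size, which is why the bound should be computed where the array is declared.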
