nmbd INTERNAL ERROR in 2.2.0
Ard van Breemen
ard at telegraafnet.nl
Tue May 1 15:54:42 GMT 2001
On Tue, Apr 24, 2001 at 01:44:11PM -0400, PetitBilouch at netscape.net wrote:
> nmbd has stopped working properly for me and crashes consistently a few
> minutes after starting. My system is Ultra1/Solaris 5.5.1.
<snip>
> [2001/04/24 11:36:48, 4] nmbd/nmbd_packets.c:process_dgram(1268)
> process_dgram: datagram from ANTARES<20> to ELECTRONICS<1d> IP yyy.yyy.yyy.yyy for \MAILSLOT\BROWSE of type 1 len=25912
Notice the len=
> [2001/04/24 11:36:48, 8] lib/util.c:is_myname(1407)
> is_myname("ANTARES") returns 0
> [2001/04/24 11:36:48, 4] nmbd/nmbd_packets.c:debug_browse_data(103)
> debug_browse_data():
> 0 char ......ANTARES... hex 01 01 a0 bb 0d 00 41 4e 54 41 52 45 53 00 00 00
> 10 char ........."A...U. hex 00 00 00 00 00 00 04 00 03 22 41 00 15 04 55 aa
> 20 char Bob Weller's Mac hex 42 6f 62 20 57 65 6c 6c 65 72 27 73 20 4d 61 63
As we can see PetitBilouch is using Macs on his network. Hey, we have
the same problem with Macs and DAVE 2.5.2.
> 5ce0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 5cf0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 5d00 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 5d10 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 5d20 char ..===============================================================
No-one considered it wrong that this is that long?
> [2001/04/24 11:36:49, 0] lib/fault.c:fault_report(41)
> INTERNAL ERROR: Signal 11 in pid 332 (2.2.0)
> Please read the file BUGS.txt in the distribution
> [2001/04/24 11:36:49, 0] lib/fault.c:fault_report(43)
> ===============================================================
>
> Thanks a whole lot, my windows users are becoming crazy when they
> can't see the printers. I have to lock myself in my office and get
> out at night for food.
>
> Claude
On Tue, Apr 24, 2001 at 12:04:26PM -0400, Jeremy Allison wrote:
> Well spotted ! Here's a patch for this. It'll be in 2.2.1.
>
> Thanks a *LOT* for that backtrace !
>
> Cheers,
>
> Jeremy Allison,
> Samba Team.
>
> Index: nmbd/nmbd_packets.c
> ===================================================================
> RCS file: /data/cvs/samba/source/nmbd/nmbd_packets.c,v
> retrieving revision 1.40.2.2
> diff -u -r1.40.2.2 nmbd_packets.c
> --- nmbd/nmbd_packets.c 2001/01/08 20:37:45 1.40.2.2
> +++ nmbd/nmbd_packets.c 2001/04/24 18:00:41
> @@ -107,12 +107,14 @@
>
> for (j = 0; j < 16; j++)
> {
> - unsigned char x = outbuf[i+j];
> + unsigned char x;
> + if (i+j >= len)
> + break;
> +
> + x = outbuf[i+j];
> if (x < 32 || x > 127)
> x = '.';
>
> - if (i+j >= len)
> - break;
> DEBUGADD( 4, ( "%c", x ) );
> }
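Review bot: Moving `if (i+j >= len) break;` ahead of `x = outbuf[i+j]` is the right change for this hunk, since the old order read the byte past `len` and only then checked the index. It does not address what the trace shows, though: `len` is whatever the caller passes, and here it came straight from the datagram's own length field (`len=25912` above), so a datagram that lies about its length still drives this loop tens of kilobytes past the bytes that actually arrived. The caller needs to clamp `len` to the received size before calling debug_browse_data.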
> --
This patch fixes a long lingering bug in debug_browse_data, which will
probably *never* make nmbd crash.
The problem is bigger:
Changing the source/nmbd/nmbd_packets.c:process_dgram() DEBUG output into:
DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d and dgramdatasize=%d and dgm_length=%d\n",
nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),
inet_ntoa(p->ip), smb_buf(buf),CVAL(buf2,0),len,dgram->datasize,dgram->header.dgm_length));
got me this:
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
foind_workgroup_on_subnet: workgroup search for TEM on subnet UNICAST_SUBNET: found.
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:process_dgram(1270)
process_dgram: datagram from MAC2<20> to TEM<1d> IP 192.168.1.21 for \MAILSLOT\BROWSE of type 1 len=30044 and dgramdatasize=130 and dgm_length=198
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:debug_browse_data(103)
debug_browse_data(0x80e0890,198):
Yes, the data part says the size is 30k, but the datagram parts both
say the size is <200 bytes. Hence debug_browse_data SEGVs.
The bugs are obvious:
1) DAVE 2.5.2 is generating incorrect size headers
2) Samba happily believes what the client says is true; there is no
client data sanity checking.
My current workaround is to reject the package in source/nmbd/nmbd_packets.c:process_dgram():
(right under the debug line)
if(len > dgram->datasize) {
    debug_browse_data(dgram,dgram->header.dgm_length);
    unexpected_packet(p);
    return;
}
The attached diff contains the above patch, some more debug info, and this fix.
But now for the real technical guys that can dream the package structs, this is what DAVE gives us
with the above workaround:
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:process_dgram(1270)
process_dgram: datagram from MAC2<20> to TEM<1d> IP 192.168.1.21 for \MAILSLOT\BROWSE of type 1 len=30044 and dgramdatasize=130 and dgm_length=198
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:debug_browse_data(103)
debug_browse_data(0x80e0890,198):
0 char ................ hex 11 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
10 char ................ hex b1 02 00 00 c0 a8 01 15 8a 00 00 00 c6 00 00 00
20 char ....MAC2........ hex 00 00 00 00 4d 41 43 32 00 00 00 00 00 00 00 00
30 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
60 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
70 char ........ ...TEM. hex 00 00 00 00 00 00 00 00 20 00 00 00 54 45 4d 00
80 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
90 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
a0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
b0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
c0 char ...... hex 00 00 00 00 00 00
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
find_workgroup_on_subnet: workgroup search for TEM on subnet 192.168.1.9: found.
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
find_workgroup_on_subnet: workgroup search for TEM on subnet UNICAST_SUBNET: found.
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
find_workgroup_on_subnet: workgroup search for TEM on subnet UNICAST_SUBNET: found.
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:process_dgram(1270)
process_dgram: datagram from MAC2<20> to TEM<1d> IP 192.168.1.21 for \MAILSLOT\BROWSE of type 1 len=30044 and dgramdatasize=130 and dgm_length=198
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:debug_browse_data(103)
debug_browse_data(0x80e0890,198):
0 char ................ hex 11 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
10 char ................ hex b2 02 00 00 c0 a8 01 15 8a 00 00 00 c6 00 00 00
20 char ....MAC2........ hex 00 00 00 00 4d 41 43 32 00 00 00 00 00 00 00 00
30 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
60 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
70 char ........ ...TEM. hex 00 00 00 00 00 00 00 00 20 00 00 00 54 45 4d 00
80 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
90 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
a0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
b0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
c0 char ...... hex 00 00 00 00 00 00
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
find_workgroup_on_subnet: workgroup search for TEM on subnet 192.168.1.9: found.
--
<ard at telegraafnet.nl> Telegraaf Elektronische Media (http://wwwijzer.nl)
http://leerquoten.monster.org/ http://www.faqs.org/rfcs/rfc1855.html
Let your government know you value your freedom. Sign the petition:
http://petition.eurolinux.org/
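An added example (not Samba's code and not from this thread) that models the sanity check described above: the claimed mailslot data length comes from the client, so it has to be bounded by the number of bytes that actually arrived before anything indexes the buffer. The packet layout, the constructed packets and the names `mailslot_data_len`, `safe_dump` and `check_bogus_dave_len` are assumptions for this example, not Samba's SMB transact layout or API; it also adds the data-offset check that the workaround in this mail does not include.

```c
#include <stdio.h>
#include <stdint.h>
/* Mirrors Samba's SVAL(): SMB length fields are 16-bit little-endian. */
static unsigned sval(const uint8_t *p) { return p[0] | (p[1] << 8); }

/* Constructed layout for this example (not the real SMB transact layout):
 * bytes 0-1 claimed data length, bytes 2-3 data offset, then the data. */
#define HDR_SIZE 4

/* Returns the number of data bytes it is safe to use, or -1 when the
 * client-supplied header disagrees with the bytes that actually arrived. */
int mailslot_data_len(const uint8_t *buf, size_t datasize)
{
    if (datasize < HDR_SIZE)
        return -1;                     /* not even a full header arrived */
    unsigned len    = sval(buf);       /* client controlled, like smb_vwv11 */
    unsigned offset = sval(buf + 2);   /* client controlled, like smb_vwv12 */
    if (offset < HDR_SIZE || offset > datasize)
        return -1;                     /* data would start outside the packet */
    if (len > datasize - offset)
        return -1;                     /* claims more data than was received */
    return (int)len;
}
/* Hex dump that, unlike debug_browse_data() in 2.2.0, applies the bound
 * before every read instead of after it. */
void safe_dump(const uint8_t *buf, size_t avail, size_t want)
{
    size_t n = want < avail ? want : avail;
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", buf[i], (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
}

/* Constructed honest packet: claims len=7 at offset 4, 8 data bytes present. */
static const uint8_t honest[] = { 0x07, 0x00, 0x04, 0x00, 'B','r','o','w','s','e','!','!' };
/* Constructed copy of the DAVE case in the log: the header claims len=30044
 * (0x755c) but only 130 bytes arrived, so the check must reject it. */
int check_bogus_dave_len(void)
{
    uint8_t bogus[130] = { 0x5c, 0x75, 0x04, 0x00 };  /* remainder zero-filled */
    return mailslot_data_len(bogus, sizeof bogus);
}

int main(void)
{
    int n = mailslot_data_len(honest, sizeof honest);   /* 7 */
    safe_dump(honest + 4, sizeof honest - 4, (size_t)n);
    printf("honest: %d, DAVE-style: %d\n", n, check_bogus_dave_len());
    return 0;
}
```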
-------------- next part --------------
--- samba2/samba-2.2.0.final/source/nmbd/nmbd_packets.c Mon Jan 8 21:37:45 2001
+++ samba/samba-2.2.0.final/source/nmbd/nmbd_packets.c Tue May 1 16:52:16 2001
@@ -100,19 +100,21 @@
{
int i,j;
- DEBUG( 4, ( "debug_browse_data():\n" ) );
+ DEBUG( 4, ( "debug_browse_data(%p,%d):\n",outbuf,len) );
for (i = 0; i < len; i+= 16)
{
DEBUGADD( 4, ( "%3x char ", i ) );
for (j = 0; j < 16; j++)
{
- unsigned char x = outbuf[i+j];
+ unsigned char x;
+ if(i+j >= len)
+ break;
+
+ x = outbuf[i+j];
if (x < 32 || x > 127)
x = '.';
- if (i+j >= len)
- break;
DEBUGADD( 4, ( "%c", x ) );
}
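Review bot: Same loop-order fix as Jeremy's, which is correct; one style point on the new DEBUG line: `%p` takes a `void *`, so pass `(void *)outbuf` rather than the raw pointer to keep the format portable. The function still only protects against the `len` it is handed, so the guard that matters is the one in the caller.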
@@ -1263,13 +1265,19 @@
len = SVAL(buf,smb_vwv11);
buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);
- DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d\n",
+ DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d and dgramdatasize=%d and dgm_length=%d\n",
nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),
- inet_ntoa(p->ip), smb_buf(buf),CVAL(buf2,0),len));
+ inet_ntoa(p->ip), smb_buf(buf),CVAL(buf2,0),len,dgram->datasize,dgram->header.dgm_length));
if (len <= 0)
return;
+
+ if(len > dgram->datasize) {
+ debug_browse_data(dgram,dgram->header.dgm_length);
+ unexpected_packet(p);
+ return;
+ }
/* Datagram packet received for the browser mailslot */
if (strequal(smb_buf(buf),BROWSE_MAILSLOT))
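Review bot: Two points on the new check. First, `debug_browse_data(dgram,dgram->header.dgm_length)` passes the parsed `dgram` structure where debug_browse_data expects a raw byte buffer, so the dumps quoted in the mail body show nmbd's in-memory struct rather than the wire datagram: at offset 0x10 the bytes `b1 02 00 00 c0 a8 01 15 8a 00 00 00 c6 00 00 00` are the header fields as stored in memory (dgm_id, 192.168.1.21, port 138, dgm_length 198), and the `MAC2`/`TEM` strings are the decoded source and destination names. Dump `buf2` bounded by the received size if the goal is to see what DAVE actually sent. Second, `len > dgram->datasize` ignores the offset `SVAL(buf,smb_vwv12)` from which `buf2` is computed, so a length that fits within `datasize` but whose data starts near its end still reads past the buffer; compare `len` against the bytes remaining after `buf2` (that is, `datasize` minus the offset of `buf2` within the datagram).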