nmbd INTERNAL ERROR in 2.2.0

Ard van Breemen ard at telegraafnet.nl
Tue May 1 15:54:42 GMT 2001


On Tue, Apr 24, 2001 at 01:44:11PM -0400, PetitBilouch at netscape.net wrote:
> nmbd has stopped to work properly for me and rashes consistently a fews
> minutes after started. My system is Ultra1/Solaris 5.5.1.
<snip>
> [2001/04/24 11:36:48, 4] nmbd/nmbd_packets.c:process_dgram(1268)
>   process_dgram: datagram from ANTARES<20> to ELECTRONICS<1d> IP yyy.yyy.yyy.yyy for \MAILSLOT\BROWSE of type 1 len=25912
Notice the len=
> [2001/04/24 11:36:48, 8] lib/util.c:is_myname(1407)
>   is_myname("ANTARES") returns 0
> [2001/04/24 11:36:48, 4] nmbd/nmbd_packets.c:debug_browse_data(103)
>   debug_browse_data():
>     0 char ......ANTARES... hex 01 01 a0 bb 0d 00 41 4e 54 41 52 45 53 00 00 00
>    10 char ........."A...U. hex 00 00 00 00 00 00 04 00 03 22 41 00 15 04 55 aa
>    20 char Bob Weller's Mac hex 42 6f 62 20 57 65 6c 6c 65 72 27 73 20 4d 61 63
As we can see PetitBilouch is using Macs on his network. Hey, we got
the same problem with Macs and DAVE 2.5.2.

>   5ce0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   5cf0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   5d00 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   5d10 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   5d20 char ..===============================================================
No-one considered it wrong that this is that long?
> [2001/04/24 11:36:49, 0] lib/fault.c:fault_report(41)
>   INTERNAL ERROR: Signal 11 in pid 332 (2.2.0)
>   Please read the file BUGS.txt in the distribution
> [2001/04/24 11:36:49, 0] lib/fault.c:fault_report(43)
>   ===============================================================
> 
> Thanks a whole lot, my windows users are becoming crazy when they
> can't see the printers. I have to lock myself in my office and get
> out at night for food.
> 
> Claude
> __________________________________________________________________
> Get your own FREE, personal Netscape Webmail account today at http://webmail.netscape.com/

On Tue, Apr 24, 2001 at 12:04:26PM -0400, Jeremy Allison wrote:
> Well spotted ! Here's a patch for this. It'll be in 2.2.1.
> 
> Thanks a *LOT* for that backtrace !
> 
> Cheers,
> 
> 	Jeremy Allison,
> 	Samba Team.
> 
> Index: nmbd/nmbd_packets.c
> ===================================================================
> RCS file: /data/cvs/samba/source/nmbd/nmbd_packets.c,v
> retrieving revision 1.40.2.2
> diff -u -r1.40.2.2 nmbd_packets.c
> --- nmbd/nmbd_packets.c 2001/01/08 20:37:45     1.40.2.2
> +++ nmbd/nmbd_packets.c 2001/04/24 18:00:41
> @@ -107,12 +107,14 @@
> 
>      for (j = 0; j < 16; j++)
>      {
> -      unsigned char x = outbuf[i+j];
> +      unsigned char x;
> +      if (i+j >= len)
> +        break;
> +
> +      x = outbuf[i+j];
>        if (x < 32 || x > 127)
>          x = '.';
> 
> -      if (i+j >= len)
> -        break;
>        DEBUGADD( 4, ( "%c", x ) );
>      }
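Review bot: moving `if (i+j >= len) break;` ahead of the read of `outbuf[i+j]` stops the loop from touching bytes beyond `len`, but `len` is still whatever the caller hands in; the log earlier in this mail shows `len=25912` for a datagram that is nowhere near that long and a dump that ran to offset 0x5d20 before the SIGSEGV, so a client-chosen length still drives this loop past the received packet. Suggest the caller clamps `len` to the number of bytes actually received before calling debug_browse_data, or the function takes the real buffer size as a separate argument and uses the smaller of the two.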
> -- 
This patch fixes a long lingering bug in debug_browse_data, which will
probably *never* make nmbd crash.
The problem is bigger:
Changing the source/nmbd/nmbd_packets.c:process_dgram() DEBUG output into:
DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d and dgramdatasize=%d and dgm_length=%d\n",
     nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),
     inet_ntoa(p->ip), smb_buf(buf),CVAL(buf2,0),len,dgram->datasize,dgram->header.dgm_length));

got me this:
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
  find_workgroup_on_subnet: workgroup search for TEM on subnet UNICAST_SUBNET: found.
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:process_dgram(1270)
  process_dgram: datagram from MAC2<20> to TEM<1d> IP 192.168.1.21 for \MAILSLOT\BROWSE of type 1 len=30044 and dgramdatasize=130 and dgm_length=198
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:debug_browse_data(103)
  debug_browse_data(0x80e0890,198):

Yes, the data part says the size is 30k, but the datagram parts both
say the size <200 bytes.  Hence debug_browse_data SEGVs.

The bugs are obvious:
1) DAVE 2.5.2 is generating incorrect size headers
2) Samba happily believes what the client says is true, there is no
client data sanity checking.

My current workaround is to reject the packet in source/nmbd/nmbd_packets.c:process_dgram():
(right under the debug line)
  if(len > dgram->datasize) {
    debug_browse_data(dgram,dgram->header.dgm_length);
    unexpected_packet(p);
    return; 
  }

The attached diff contains the above patch, some more debug info, and this fix.
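Added example (editor's own code, neither Samba's nor the patch above): a parser that checks the three lengths this mail talks about (the datagram header's dgm_length, the mailslot data length the client writes into the SMB, and the data offset) against each other and against the number of bytes actually received, plus a dump routine in debug_browse_data's style that is clamped to that bound. The header layout and field offsets are a simplified, hypothetical stand-in for the real NetBIOS datagram and SMB TRANSACT headers; the sample datagram is constructed from the sizes in the log (198-byte datagram, 130 bytes of mailslot data, claimed len=30044).

```c
/* Added example (not Samba code): reject a mailslot datagram whose
 * client-supplied length fields disagree with each other or with the
 * bytes actually received, and dump only what was received.
 * The header layout is a constructed, simplified stand-in; every
 * offset below is hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_DGM_LENGTH_OFF 10   /* hypothetical: 16-bit big-endian datagram length (dgm_length) */
#define HDR_DATA_LEN_OFF   14   /* hypothetical: 16-bit little-endian mailslot data length (len) */
#define HDR_DATA_OFF_OFF   16   /* hypothetical: 16-bit little-endian offset of the data (buf2) */
#define HDR_SIZE           18

enum verdict {
    DG_OK = 0,
    DG_SHORT_HEADER,            /* fewer bytes than the fixed header */
    DG_DGM_LENGTH_EXCEEDS_WIRE, /* header claims more than was received */
    DG_DATA_OFF_OUT_OF_RANGE,   /* data offset points outside the datagram */
    DG_DATA_LEN_EXCEEDS_DGM     /* the "len=30044 in a 198-byte datagram" case */
};

struct mailslot_view { const unsigned char *data; size_t len; };

static unsigned rd_be16(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }
static unsigned rd_le16(const unsigned char *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Every comparison ends at wire_len, the only length the server knows to be
 * true, so a client cannot extend the view past the received bytes. */
enum verdict parse_mailslot(const unsigned char *buf, size_t wire_len,
                            struct mailslot_view *out)
{
    if (wire_len < HDR_SIZE)
        return DG_SHORT_HEADER;
    unsigned dgm_length = rd_be16(buf + HDR_DGM_LENGTH_OFF);
    unsigned data_len   = rd_le16(buf + HDR_DATA_LEN_OFF);
    unsigned data_off   = rd_le16(buf + HDR_DATA_OFF_OFF);
    if (dgm_length > wire_len)
        return DG_DGM_LENGTH_EXCEEDS_WIRE;
    if (data_off < HDR_SIZE || data_off > dgm_length)
        return DG_DATA_OFF_OUT_OF_RANGE;
    if (data_len > dgm_length - data_off)
        return DG_DATA_LEN_EXCEEDS_DGM;
    out->data = buf + data_off;
    out->len  = data_len;
    return DG_OK;
}

/* Hex/char dump in debug_browse_data's style, clamped to `have` (bytes really
 * present); `claimed` is the untrusted length. Returns the bytes dumped. */
size_t dump_bounded(const unsigned char *buf, size_t have, size_t claimed, FILE *out)
{
    size_t n = claimed < have ? claimed : have;
    for (size_t i = 0; i < n; i += 16) {
        fprintf(out, "%5zx char ", i);
        for (size_t j = 0; j < 16; j++) {
            if (i + j >= n) { fputc(' ', out); continue; }  /* pad a short last row */
            unsigned char x = buf[i + j];
            fputc((x < 32 || x > 126) ? '.' : x, out);
        }
        fputs(" hex", out);
        for (size_t j = 0; j < 16 && i + j < n; j++)
            fprintf(out, " %02x", buf[i + j]);
        fputc('\n', out);
    }
    return n;
}

/* Constructed 198-byte datagram using the sizes from the log (dgm_length=198,
 * 130 data bytes at hypothetical offset 68); `claimed_len` is what the client
 * writes into the data-length field. Returns bytes written, 0 if cap too small. */
size_t build_sample(unsigned char *buf, size_t cap, unsigned claimed_len)
{
    const size_t wire = 198, data_off = 68;
    if (cap < wire) return 0;
    memset(buf, 0, wire);
    buf[HDR_DGM_LENGTH_OFF]     = (unsigned char)(wire >> 8);
    buf[HDR_DGM_LENGTH_OFF + 1] = (unsigned char)(wire & 0xff);
    buf[HDR_DATA_LEN_OFF]       = (unsigned char)(claimed_len & 0xff);
    buf[HDR_DATA_LEN_OFF + 1]   = (unsigned char)(claimed_len >> 8);
    buf[HDR_DATA_OFF_OFF]       = (unsigned char)(data_off & 0xff);
    buf[HDR_DATA_OFF_OFF + 1]   = (unsigned char)(data_off >> 8);
    memcpy(buf + data_off, "\\MAILSLOT\\BROWSE", 16);
    return wire;
}

int main(void)
{
    unsigned char pkt[256];
    struct mailslot_view v;
    size_t n = build_sample(pkt, sizeof pkt, 30044);   /* the length DAVE claimed */
    printf("verdict=%d (DG_DATA_LEN_EXCEEDS_DGM is %d)\n",
           parse_mailslot(pkt, n, &v), DG_DATA_LEN_EXCEEDS_DGM);
    dump_bounded(pkt, n, 30044, stdout);               /* 198 rows of bytes at most, never 30044 */
    n = build_sample(pkt, sizeof pkt, 130);
    printf("consistent packet: verdict=%d data_len=%zu\n", parse_mailslot(pkt, n, &v), v.len);
    return 0;
}
```

The point of keeping `wire_len` as a separate argument is the same one the workaround makes: the dump and the parser are bounded by what the socket delivered, not by anything inside the packet, so a bad client can at worst get its datagram rejected.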

But now for the real technical guys who can dream the packet structs, this is what DAVE gives us
with the above workaround:

[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:process_dgram(1270)
  process_dgram: datagram from MAC2<20> to TEM<1d> IP 192.168.1.21 for \MAILSLOT\BROWSE of type 1 len=30044 and dgramdatasize=130 and dgm_length=198
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:debug_browse_data(103)
  debug_browse_data(0x80e0890,198):
    0 char ................ hex 11 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
   10 char ................ hex b1 02 00 00 c0 a8 01 15 8a 00 00 00 c6 00 00 00
   20 char ....MAC2........ hex 00 00 00 00 4d 41 43 32 00 00 00 00 00 00 00 00
   30 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   40 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   50 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   60 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   70 char ........ ...TEM. hex 00 00 00 00 00 00 00 00 20 00 00 00 54 45 4d 00
   80 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   90 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   a0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   b0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   c0 char ......           hex 00 00 00 00 00 00
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
  find_workgroup_on_subnet: workgroup search for TEM on subnet 192.168.1.9: found.
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
  find_workgroup_on_subnet: workgroup search for TEM on subnet UNICAST_SUBNET: found.
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
  find_workgroup_on_subnet: workgroup search for TEM on subnet UNICAST_SUBNET: found.
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:process_dgram(1270)
  process_dgram: datagram from MAC2<20> to TEM<1d> IP 192.168.1.21 for \MAILSLOT\BROWSE of type 1 len=30044 and dgramdatasize=130 and dgm_length=198
[2001/05/01 17:20:34, 4] nmbd/nmbd_packets.c:debug_browse_data(103)
  debug_browse_data(0x80e0890,198):
    0 char ................ hex 11 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
   10 char ................ hex b2 02 00 00 c0 a8 01 15 8a 00 00 00 c6 00 00 00
   20 char ....MAC2........ hex 00 00 00 00 4d 41 43 32 00 00 00 00 00 00 00 00
   30 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   40 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   50 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   60 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   70 char ........ ...TEM. hex 00 00 00 00 00 00 00 00 20 00 00 00 54 45 4d 00
   80 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   90 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   a0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   b0 char ................ hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   c0 char ......           hex 00 00 00 00 00 00
[2001/05/01 17:20:34, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(164)
  find_workgroup_on_subnet: workgroup search for TEM on subnet 192.168.1.9: found.

-- 
<ard at telegraafnet.nl> Telegraaf Elektronische Media (http://wwwijzer.nl)
http://leerquoten.monster.org/ http://www.faqs.org/rfcs/rfc1855.html 
Let your government know you value your freedom. Sign the petition:
http://petition.eurolinux.org/
-------------- next part --------------
--- samba2/samba-2.2.0.final/source/nmbd/nmbd_packets.c	Mon Jan  8 21:37:45 2001
+++ samba/samba-2.2.0.final/source/nmbd/nmbd_packets.c	Tue May  1 16:52:16 2001
@@ -100,19 +100,21 @@
 {
   int i,j;
 
-  DEBUG( 4, ( "debug_browse_data():\n" ) );
+  DEBUG( 4, ( "debug_browse_data(%p,%d):\n",outbuf,len) );
   for (i = 0; i < len; i+= 16)
   {
     DEBUGADD( 4, ( "%3x char ", i ) );
 
     for (j = 0; j < 16; j++)
     {
-      unsigned char x = outbuf[i+j];
+      unsigned char x;
+	  if(i+j >= len)
+		  break;
+
+	  x = outbuf[i+j];
       if (x < 32 || x > 127) 
         x = '.';
 	    
-      if (i+j >= len)
-        break;
       DEBUGADD( 4, ( "%c", x ) );
     }
 
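Review bot: the added lines from `unsigned char x;` through `x = outbuf[i+j];` are indented with tabs while the rest of the function uses two-space indentation; match the surrounding style. Minor: `%p` expects a `void *`, so pass `(void *)outbuf` in the new DEBUG line to keep the call portable.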
@@ -1263,13 +1265,19 @@
   len = SVAL(buf,smb_vwv11);
   buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);
 
-  DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d\n",
+  DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d and dgramdatasize=%d and dgm_length=%d\n",
 	   nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),
-	   inet_ntoa(p->ip), smb_buf(buf),CVAL(buf2,0),len));
+	   inet_ntoa(p->ip), smb_buf(buf),CVAL(buf2,0),len,dgram->datasize,dgram->header.dgm_length));
 
  
   if (len <= 0)
     return;
+
+  if(len > dgram->datasize) {
+	debug_browse_data(dgram,dgram->header.dgm_length);
+	unexpected_packet(p);
+	return;
+  }
 
   /* Datagram packet received for the browser mailslot */
   if (strequal(smb_buf(buf),BROWSE_MAILSLOT))
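Review bot: `debug_browse_data(dgram,dgram->header.dgm_length)` hands the parsed `dgram` structure to a function whose first argument is indexed byte by byte as `outbuf[i+j]` in the hunk above, so what gets logged is the in-memory structure, not the bytes that arrived on the wire; pass the raw packet buffer instead. The new `len > dgram->datasize` check catches the oversized mailslot length, but `buf2 = smb_base(buf) + SVAL(buf,smb_vwv12)` is a second client-supplied value that is never bounded against `dgram->datasize`, and it is already dereferenced by `CVAL(buf2,0)` in the DEBUG line that runs before the check; validate `smb_vwv12` too, and do it before the DEBUG. Consider logging the rejection at a low debug level so an administrator notices dropped datagrams without running at level 4.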

