libsmbclient: smbc_stat buffer overflow

Johannes Bauer dfnsonfsduifb at gmx.de
Wed Apr 25 23:58:45 GMT 2007


Hello list,

I've recently encountered a problem with libsmbclient which causes the
smb_stat function to write over the "struct stat" buffer exactly 8 bytes
on x86_32 (i686) systems. x86_64 seems not to be affected.

Affected versions:
  3.0.22 (Ubuntu)
  3.0.24 (Gentoo)
  3.0.24 (Gentoo, different system)

This program demonstrates the problem (replace //joeserver/transfer by a
valid samba share, of course):

#include <stdio.h>
#include <errno.h>
#include <sys/time.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <libsmbclient.h>

struct smbstat {
	struct stat stat;
	unsigned char pad[16];
};

static void Authentication_Function(const char *pServer, const char
*pShare, char *pWorkgroup, int workgroup_len, char *pUsername, int
username_len, char *pPassword, int password_len) {
    strncpy(pUsername, "guest", username_len);
    strncpy(pPassword, "", password_len);
}

int main(int argc, char **argv) {
	int dir;
	struct smbc_dirent *Directory_Entry;
	char Buffer[256];

	if (smbc_init(Authentication_Function, 0) != 0) {
		fprintf(stderr, "smblister: Could not initialize smbc-library.\n");
		exit(6);
	}

	dir = smbc_opendir("smb://joeserver/transfer");
	
	while ((Directory_Entry = smbc_readdir(dir)) != NULL) {
		if (Directory_Entry->smbc_type == SMBC_FILE) {
			int i;
			off_t Filesize;
			struct smbstat Filestats;
			memset(&Filestats, 0x63, sizeof(struct smbstat));
			snprintf(Buffer, sizeof(Buffer), "smb://joeserver/transfer/%s",
Directory_Entry->name);
			if (!smbc_stat(Buffer, (struct stat*)&Filestats)) {
				Filesize = Filestats.stat.st_size;
			} else {
				Filesize = 0;
			}
			printf("%s %ld\n", Directory_Entry->name, Filesize);
			for (i = 0; i < 16; i++) printf("%02x ", Filestats.pad[i]);
			printf("\n");
		}
	}
	
	smbc_closedir(dir);
	return 0;
}

And the output on an i686 machine:

out.bmp 3932214
16 2f 00 00 00 00 00 00 63 63 63 63 63 63 63 63
x.pdf 296844
14 09 00 00 00 00 00 00 63 63 63 63 63 63 63 63

Clearly it can be seen that the first eight bytes of "pad" become
overwritten.

I've traced this error down to this point - it has, of course,
catastrophal consequences: programs using the smb_stat sometimes showed
chrashing (segfaults) und undefined behaviour (defect samba contexts).
Exploitation of this bug seems unlinkely, however.

Please tell me what you think.
Thank you,
Greetings,
Johannes




More information about the samba-technical mailing list