[samba-bugs@samba.org: DO NOT REPLY [Bug 5087] Crash of smbd after upgrade to 3.0.27]

simo idra at samba.org
Fri Nov 16 16:16:57 GMT 2007


I already found that and discussed it with Jeremy, we thought that the
code path that passes -1 could never really be taken.

Are we sure the patch used by the report is my latest patch with the
lanman.c fix?

If so then our analysis was probably not 100% correct, but this is
strange as I didn't experience any segfault during package testing.

Simo.

On Fri, 2007-11-16 at 16:36 +0100, Michael Adam wrote:
> Hi Jeremy and Jerry,
> 
> Samba 3.0.27 panics ("push_ascii - dest_len == -1").
> 
> How do we proceed with this one? We have to find all the calls
> that eventually lead to push_ascii called with dest_len == -1.
> My analysis has produced quite a few (see below). 
> 
> I can't fix all that right now, but I could do some more work on 
> that later.
> 
> Michael
> 
> ----- Forwarded message from samba-bugs at samba.org -----
> 
> Subject: DO NOT REPLY [Bug 5087] Crash of smbd after upgrade to 3.0.27
> To: samba-qa at samba.org
> From: samba-bugs at samba.org
> Date: Fri, 16 Nov 2007 09:20:46 -0600 (CST)
> 
> https://bugzilla.samba.org/show_bug.cgi?id=5087
> 
> ------- Comment #10 from obnox at samba.org  2007-11-16 09:20 CST -------
> Analysis of the problem:
> 
> The panic was introduced by the patch for CVE-2007-4572:
> 
> push_ascii() now panics when called with "-1" as dest_len parameter.
> (In order to avoid buffer overflows - This -1 used to mean unlimited 
> dest len before.)
> 
> Now there are (at least) roughly 100 indirect callers of push_ascii 
> left that explicitly pass -1 for dest_len:
> roughly 40 through srvstr_push and roughly 60 through clistr_push.
> 
> This is too much for a really quick fix.
> I would like to hear Jeremy's opinion on this.
> 
> Michael
> 
> 
> -- 
> Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are the QA contact for the bug, or are watching the QA contact.
> 
> ----- End forwarded message -----
> 
-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
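
A simplified C model of the change described in the quoted bug comment, added here as an example and not taken from Samba's source or from anyone in the thread. The names `legacy_write_size`, `checked_push`, `DEST_UNLIMITED` and the sample string are hypothetical. It shows why a -1 "unlimited" length leaves the write size up to the source string, and what a caller has to pass once the sentinel is refused.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not Samba source: "-1" as a size_t length sentinel. */
#define DEST_UNLIMITED ((size_t)-1)
enum push_status { PUSH_OK, PUSH_TRUNCATED, PUSH_REJECTED };

/* Old contract (model): -1 means "no limit", so the source alone decides
 * how many bytes land in dest. Only the count is returned here; no copy is
 * made, so the demo itself never overflows. */
size_t legacy_write_size(const char *src, size_t dest_len)
{
    size_t need = strlen(src) + 1;               /* include the NUL */
    if (dest_len == DEST_UNLIMITED)
        return need;
    return need < dest_len ? need : dest_len;
}

/* New contract (model): the sentinel is refused. The code in the thread
 * panics at this point; the model returns an error so it can be tested. */
enum push_status checked_push(char *dest, size_t dest_len,
                              const char *src, size_t *written)
{
    size_t n = strlen(src);
    enum push_status st = PUSH_OK;
    *written = 0;
    if (dest_len == DEST_UNLIMITED || dest_len == 0)
        return PUSH_REJECTED;
    if (n >= dest_len) {                         /* keep room for the NUL */
        n = dest_len - 1;
        st = PUSH_TRUNCATED;
    }
    memcpy(dest, src, n);
    dest[n] = '\0';
    *written = n + 1;
    return st;
}

int main(void)
{
    char buf[16];
    size_t w;
    const char *name = "a-constructed-name-longer-than-16-bytes"; /* constructed */
    enum push_status st = checked_push(buf, DEST_UNLIMITED, name, &w);
    printf("old contract, -1: %zu bytes into a %zu-byte buffer\n",
           legacy_write_size(name, DEST_UNLIMITED), sizeof(buf));
    printf("new contract, -1: status %d\n", st);
    st = checked_push(buf, sizeof(buf), name, &w);
    printf("new contract, sizeof(buf): status %d, %zu bytes\n", st, w);
    return 0;
}
```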


