[samba-bugs@samba.org: DO NOT REPLY [Bug 5087] Crash of smbd after upgrade to 3.0.27]

Michael Adam ma at sernet.de
Fri Nov 16 16:34:50 GMT 2007


Hi Simo,

the reporter checked the tarball from www.samba.org and 3.0.26a with
patches. And it has also been reproduced by Magnus and me with the 
3.0.27 tarball downloaded from samba.org as follows:

client:
1. mount -t smbfs //server/share /mnt/
2. cd /mnt
=> ls: reading directory .: Input/output error
3. mount shows //server/share on /mnt type smbfs (rw)

But it is good to know that you have already checked most code paths.

Michael

simo wrote:
> I already found that and discussed it with Jeremy, we thought that the
> code path that pass -1 could never be really taken.
> 
> Are we sure the patch used by the report is my latest patch with the
> lanman.c fix ?
> 
> If so then our analysis was probably not 100% correct, but this is
> strange as I didn't experience any segfault during package testing.
> 
> Simo.
> 
> On Fri, 2007-11-16 at 16:36 +0100, Michael Adam wrote:
> > Hi Jeremy and Jerry,
> > 
> > Samba 3.0.27 panics ("push_ascii - dest_len == -1").
> > 
> > How do we proceed with this one? We have to find all the calls
> > that eventually lead to push_ascii called with dest_len == -1.
> > My analysis has produced quite a few (see below). 
> > 
> > I can't fix all that right now, but I could do some more work on 
> > that later.
> > 
> > Michael
> > 
> > ----- Forwarded message from samba-bugs at samba.org -----
> > 
> > Subject: DO NOT REPLY [Bug 5087] Crash of smbd after upgrade to 3.0.27
> > To: samba-qa at samba.org
> > From: samba-bugs at samba.org
> > Date: Fri, 16 Nov 2007 09:20:46 -0600 (CST)
> > 
> > https://bugzilla.samba.org/show_bug.cgi?id=5087
> > 
> > ------- Comment #10 from obnox at samba.org  2007-11-16 09:20 CST -------
> > Analysis of the problem:
> > 
> > The panic was introduced by the patch for CVE-2007-4572:
> > 
> > push_ascii() now panics when called with "-1" as dest_len parameter.
> > (In order to avoid buffer overflows - This -1 used to mean unlimited 
> > dest len before.)
> > 
> > Now there are (at least) roughly 100 indirect callers of push_ascii 
> > left that explicitly pass -1 for dest_len:
> > roughly 40 through srvstr_push and roughly 60 through clistr_push.
> > 
> > This is too much for a really quick fix.
> > I would like to hear Jeremy's opinion on this.
> > 
> > Michael
> > 
> > 
> > -- 
> > Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
> > ------- You are receiving this mail because: -------
> > You are the QA contact for the bug, or are watching the QA contact.
> > 
> > ----- End forwarded message -----
> > 
> -- 
> Simo Sorce
> Samba Team GPL Compliance Officer <simo at samba.org>
> Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>

-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
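The dest_len == -1 problem from the forwarded analysis above, illustrated with added example code that is not Samba's (push_ascii_checked and push_into_packet are hypothetical names modelled on the push_ascii/srvstr_push pattern the thread describes): the helper refuses the legacy "unlimited" sentinel with an error return instead of either trusting it or panicking, and the caller-side wrapper derives a real limit from the enclosing buffer so that -1 never needs to be passed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Bounded "push" helper modelled on the push_ascii() semantics discussed in
 * the thread (hypothetical, not the Samba implementation).  dest_len is the
 * hard capacity of dest.  The legacy sentinel -1 ("unlimited") cannot be
 * bounds-checked, so it is rejected with a return value rather than a panic.
 * Returns bytes written (including the NUL when terminate is set), or -1 when
 * the sentinel is passed.
 */
static int push_ascii_checked(char *dest, const char *src, int dest_len,
                              bool terminate)
{
    if (dest_len < 0) {
        return -1;          /* was: silently unbounded copy; now: explicit error */
    }
    size_t cap = (size_t)dest_len;
    size_t len = strlen(src);
    if (terminate) {
        if (cap == 0) {
            return 0;       /* no room even for the terminator */
        }
        if (len > cap - 1) {
            len = cap - 1;  /* truncate rather than overflow */
        }
        memcpy(dest, src, len);
        dest[len] = '\0';
        return (int)(len + 1);
    }
    if (len > cap) {
        len = cap;
    }
    memcpy(dest, src, len);
    return (int)len;
}

/*
 * Caller-side replacement for the -1 sentinel: compute the remaining space
 * from the enclosing packet buffer so the helper always receives a real
 * limit.  buf/buf_size describe the whole buffer, p is the write cursor.
 */
static int push_into_packet(char *buf, size_t buf_size, char *p,
                            const char *src, bool terminate)
{
    if (p < buf || p > buf + buf_size) {
        return -1;          /* cursor outside the buffer: refuse to write */
    }
    size_t remaining = (size_t)((buf + buf_size) - p);
    return push_ascii_checked(p, src, (int)remaining, terminate);
}
```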