smbtorture RW1 test failure due read buffer lack (127K), samba 3.0.30

Volodymyr Khomenko Volodymyr.Khomenko at exanet.com
Mon Aug 4 14:15:36 GMT 2008


Hi all,

I've found an issue with the RW1 test of smbtorture: the recent fix (security fix for CVE-2008-1105)
has changed the logic of range checking in function 'receive_smb_raw',
thus it cannot receive a buffer larger than cli->bufsize=127K, but the test wants to receive up to 128K.

In more detail...
The 'RW1' smbtorture test writes and reads buffers of random length up to 128K (131072 bytes):

source/torture/torture.c:
static BOOL rw_torture2(struct cli_state *c1, struct cli_state *c2)
{
    ...
    char buf[131072];
    char buf_rd[131072];
    ...
    size_t buf_size = ((unsigned)sys_random()%(sizeof(buf)-1))+ 1;
    ...
    if (cli_write(c1, fnum1, 0, buf, 0, buf_size) != buf_size) {
     ...
    }
    if ((bytes_read = cli_read(c2, fnum2, buf_rd, 0, buf_size)) != buf_size) {
       ...
    }


But 'cli_read' uses 'cli_receive_smb', and 'cli_receive_smb' uses 'client_receive_smb' to receive the buffer.
It passes 'cli->bufsize' as the maximal accepted length (3rd param):

source/libsmb/clientgen.c:
BOOL cli_receive_smb(struct cli_state *cli)
{
   ...
   again:
       ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);

Alas, cli->bufsize is only 127K, so 'client_receive_smb' cannot receive blocks larger than 130048 bytes.
So, if 'sys_random' brings us above 127K, the RW1 test will FAIL...

cli->bufsize is set to CLI_SAMBA_MAX_LARGE_READX_SIZE=127K by function cli_negprot:

source/libsmb/cliconnect.c:
BOOL cli_negprot(struct cli_state *cli)
{
   ...
   cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE; /* For samba 3.0.30 */
   cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE + LARGE_WRITEX_HDR_SIZE; /* For samba 3.0.31 */

We can receive only up to CLI_SAMBA_MAX_LARGE_READX_SIZE=127K in 3.0.30 and up to 
127K + 65 in samba 3.0.31.

For older samba (before CVE-2008-1105) we can receive
up to BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE=128K+65, so this problem has appeared only here:

security fix for CVE-2008-1105: Boundary failure when parsing SMB responses:

--- a/source/lib/util_sock.c
+++ b/source/lib/util_sock.c
@@ -1173,17 +1172,10 @@ NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout,
                return status;
        }
 
-       /*
-        * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
-        * of header. Don't print the error if this fits.... JRA.
-        */
-
-       if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+       if (len > buflen) {
                DEBUG(0,("Invalid packet length! (%lu bytes).\n",
                                        (unsigned long)len));
-               if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        if(len > 0) {
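Review bot: the new bound `if (len > buflen)` is the right fix for the boundary failure, but it silently makes the caller's allocation the effective maximum packet size, and the DEBUG(0) message on the lines that follow still reports only `len`, not `buflen`, so a rejection caused by an undersized caller buffer (the 127K cli->bufsize case this thread describes) is indistinguishable from a genuinely oversized packet. Suggest printing both, e.g. `DEBUG(0,("Invalid packet length! (%lu bytes, buffer %lu bytes).\n", (unsigned long)len, (unsigned long)buflen));`, and replacing the deleted comment about the 64k+65-byte WRITEX case with one stating that callers must size `buffer` for the largest response they negotiate, since that responsibility has moved from this function to its callers.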

From my point of view, we should fix the RW tests (rw_torture2/rw_torture3 functions)
so that they do not use such large buffers (at least keeping them below 127K).
Otherwise we should fix the 'cli_negprot' function to apply a 128K buffer limitation.

Thanks.
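The following is an added example, not part of the original post or of the Samba sources. It models the length check before and after the CVE-2008-1105 change, using the sizes the post states (BUFFER_SIZE = 128K, LARGE_WRITEX_HDR_SIZE = 65, CLI_SAMBA_MAX_LARGE_READX_SIZE = 127K); SAFETY_MARGIN is not given in the post, so its value here is an assumption. Like the post, it compares the rw_torture2 data length directly against the receive buffer, ignoring SMB header bytes. It shows both why the old check was unsafe (it never consulted the caller's buffer, so a packet could be accepted that overruns a 127K buffer) and why the new check rejects part of the torture test's size range.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Sizes as stated in the post. */
#define BUFFER_SIZE                     131072u   /* 128K */
#define LARGE_WRITEX_HDR_SIZE           65u
#define CLI_SAMBA_MAX_LARGE_READX_SIZE  130048u   /* 127K */
/* Not given in the post: assumed value for this model only. */
#define SAFETY_MARGIN                   1024u

/* Largest data length rw_torture2 can pick: sizeof(buf) - 1 = 131071. */
#define TORTURE_MAX_LEN                 (131072u - 1u)

/* Pre-fix logic of receive_smb_raw: the bound is a compile-time constant
 * and the destination buffer length is never consulted. */
bool old_len_accepted(size_t len) {
    if (len > BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE) {
        /* The old code only logged here; it rejected further up. */
        if (len > BUFFER_SIZE + SAFETY_MARGIN / 2)
            return false;
    }
    return true;
}

/* Post-fix logic: the bound is the caller's actual buffer length. */
bool new_len_accepted(size_t len, size_t buflen) {
    return len <= buflen;
}

/* True when the old check would accept a packet that does not fit in
 * a buffer of buflen bytes, i.e. the boundary failure the fix closed. */
bool old_check_overruns(size_t len, size_t buflen) {
    return old_len_accepted(len) && len > buflen;
}

/* How many of the rw_torture2 sizes 1..TORTURE_MAX_LEN the new check
 * rejects for a given cli->bufsize. */
size_t torture_sizes_rejected(size_t buflen) {
    size_t rejected = 0;
    for (size_t sz = 1; sz <= TORTURE_MAX_LEN; sz++)
        if (!new_len_accepted(sz, buflen))
            rejected++;
    return rejected;
}

int main(void) {
    size_t bufsize_3030 = CLI_SAMBA_MAX_LARGE_READX_SIZE;
    size_t bufsize_3031 = CLI_SAMBA_MAX_LARGE_READX_SIZE + LARGE_WRITEX_HDR_SIZE;
    size_t bufsize_old  = BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE;
    size_t sample_len   = 131000;   /* constructed: between 127K and 128K */

    printf("len %zu vs 127K buffer: old accepts=%d (overrun=%d), new accepts=%d\n",
           sample_len, old_len_accepted(sample_len),
           old_check_overruns(sample_len, bufsize_3030),
           new_len_accepted(sample_len, bufsize_3030));
    printf("torture sizes rejected: 3.0.30=%zu 3.0.31=%zu pre-fix bound=%zu\n",
           torture_sizes_rejected(bufsize_3030),
           torture_sizes_rejected(bufsize_3031),
           torture_sizes_rejected(bufsize_old));
    return 0;
}
```

With the 3.0.30 bufsize, 1023 of the 131071 possible torture sizes are rejected; with the 3.0.31 bufsize, 958; only a buffer sized to the pre-fix bound of 128K+65 accepts every size, which is the trade-off between the two fixes the post proposes.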

