patch to prevent segmentation fault on joining a very long domain name in samba-3.0.32

bhaskar jain bhaskar.jain2002 at gmail.com
Sun Mar 15 16:42:56 GMT 2009


Hello All,

Problem
======

Example -
With AD Server:vmw035-win08.wga
AD Domain:VERYBERRYDOMAIN.ACTIVEDIRECTORYDOMAIN123ACTIVEDIRECTORYDOMAIN123

Trying to join this domain, on the first try you get 'Cannot join domain:Operations
error'. Any subsequent attempt consistently results in a segmentation fault and
core dump.

(gdb) bt
#0  0x081dcbae in pull_netlogon_string (ret=0xbfbfb528 "", ptr=0x827b08b
<Address 0x827b08b out of bounds>,
    data=0x826b100 "\027") at libads/cldap.c:86
#1  0x081dd507 in recv_cldap_netlogon (sock=6, reply=0xbfbfad10) at
libads/cldap.c:274
#2  0x081dd68a in ads_cldap_netlogon (server=0x8268810 "10.7.2.115",
    realm=0x826a080
"VERYBERRYDOMAIN.ACTIVEDIRECTORYDOMAIN123ACTIVEDIRECTORYDOMAIN123",
reply=0xbfbfad10)
    at libads/cldap.c:311
#3  0x081cf1d3 in ads_try_connect ()
#4  0x081d29c9 in ads_connect ()
#5  0x081e3f4e in get_dc_name ()
#6  0x08083102 in net_ads_join ()
#7  0x0807f693 in net_run_function ()
#8  0x0808599d in net_ads ()
#9  0x0807f693 in net_run_function ()
#10 0x08080c84 in main ()


(gdb) f 0
#0  0x081dcbae in pull_netlogon_string (ret=0xbfbfb528 "", ptr=0x827b08b
<Address 0x827b08b out of bounds>,
    data=0x826b100 "\027") at libads/cldap.c:86
86              } while (*ptr);
(gdb)


(gdb) print ptr
$1 = 0x827b08b <Address 0x827b08b out of bounds>

Analysis
======

We have len = ((ptr[0] & 0x3f) << 8) | ptr[1]; in libads/cldap.c line 63.

(gdb) x/2b ptr
0x826e2a4:    0xc0    0x8b

So 0xc0 & 0x3f = 0
0 << 8 = 0
and len should be 0x8b = 139,
but len actually becomes 65419.

So on doing ptr = data + len, ptr goes out of bounds and in `while (*ptr)` we
segfault.


After this patch, len has been explicitly typecast:

len = (((uint8) ptr[0] & 0x3f) << 8) | (uint8) ptr[1];

After this change ptr does not go out of bounds:

(gdb) p len
$2 = 139

(gdb) x/2b ptr
0x826b18b:    0x17    0x44

(gdb) p ptr
$4 = 0x826b18b "\027Default-First-Site-Name"


Root Cause ( by Shibu)
=======

When multiple DNS entries with the same common part are contained in
the same DNS reply, they are sent message-compressed (RFC 1035, section
4.1.4): a pointer (byte offset) to the common portion is kept in
each DNS entry instead of the common part being repeated in each one. This
patch fixes a flaw in calculating the byte offset for walking through the
packet when it contains pointers instead of absolute DNS labels.

This can additionally be verified by capturing the network traffic during the
domain join and seeing that the packet contains message-compressed DNS entries
instead of absolute DNS labels.

For example, for the DNS entries we fetch in a single packet for, say, google.com:
smtp4.google.com
smtp3.google.com
smtp2.google.com
smtp1.google.com

The capture should look something similar to:

18:50:25.686202 IP dns-blr2.cisco.com.domain >
dhcp-64-104-134-206.cisco.com.56215: 17400 4/4/8 MX smtp4.google.com.
10, MX smtp1.google.com. 10, MX smtp2.google.com. 10, MX
smtp3.google.com. 10 (316)
    0x0000:  4500 0158 3199 0000 3a11 bd96 48a3 808c  E..X1...:...H...
    0x0010:  4068 86ce 0035 db97 0144 c3af 43f8 8180  @h...5...D..C...
    0x0020:  0001 0004 0004 0008 0667 6f6f 676c 6503  .........google.
    0x0030:  636f 6d00 000f 0001 c00c 000f 0001 0000  com.............
    0x0040:  2a30 000a 000a 0573 6d74 7034 c00c c00c  *0.....smtp4....
    0x0050:  000f 0001 0000 2a30 000a 000a 0573 6d74  ......*0.....smt
    0x0060:  7031 c00c c00c 000f 0001 0000 2a30 000a  p1..........*0..
    0x0070:  000a 0573 6d74 7032 c00c c00c 000f 0001  ...smtp2........
    0x0080:  0000 2a30 000a 000a 0573 6d74 7033 c00c  ..*0.....smtp3..
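The following is an added example, not Samba's code and not the attached patch. It reproduces the two-byte compression-pointer calculation from the post in its signed-char form beside the corrected unsigned form, and then decodes the names in the capture above with a bounds-checked RFC 1035 name decompressor of the kind the fix calls for. The DNS payload bytes are transcribed from the tcpdump hex dump in the post with the IP and UDP headers stripped; the function names, the choice to read the bytes through a signed char pointer, and the 16-bit variable that reproduces the reported value of 65419 are all assumptions of this example. The decoder also rejects a pointer that leaves the packet and a pointer loop, which is where the original crash came from.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the two bytes shown by "x/2b ptr" in the post. */
static const uint8_t pointer_bytes[2] = { 0xc0, 0x8b };

/* The offset calculation as the post describes it, reading the bytes through a
 * signed char pointer: 0x8b is sign-extended to a negative int before the OR,
 * so the high bits of the result are set. Storing it in a 16-bit variable
 * reproduces the 65419 the post reports (assumption of this example). */
uint16_t compression_offset_buggy(const signed char *ptr)
{
    uint16_t len = ((ptr[0] & 0x3f) << 8) | ptr[1];
    return len;
}

/* The corrected calculation: reading through an unsigned type keeps both bytes
 * in 0..255, so the pointer decodes to 0x008b == 139 as intended. */
uint16_t compression_offset_fixed(const uint8_t *ptr)
{
    return (uint16_t)(((ptr[0] & 0x3f) << 8) | ptr[1]);
}

/* Decode the name at offset 'off' of 'pkt' into 'out', following compression
 * pointers (RFC 1035, 4.1.4). Every read is checked against 'pktlen' and the
 * number of pointers followed is capped, so neither an out-of-range pointer
 * nor a pointer loop can take the walk outside the packet. Returns the length
 * of the decoded name, or -1 on malformed input. */
int dns_name_unpack(const uint8_t *pkt, size_t pktlen, size_t off,
                    char *out, size_t outlen)
{
    size_t n = 0;
    int hops = 0;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (off >= pktlen)
            return -1;                          /* label byte outside packet */
        uint8_t c = pkt[off];
        if ((c & 0xc0) == 0xc0) {               /* compression pointer */
            if (off + 1 >= pktlen || ++hops > 16)
                return -1;                      /* truncated pointer or loop */
            off = (size_t)(((c & 0x3f) << 8) | pkt[off + 1]);  /* unsigned: no sign extension */
            continue;
        }
        if (c > 63)
            return -1;                          /* 0x40/0x80 prefixes are invalid */
        if (c == 0)
            break;                              /* root label ends the name */
        if (off + 1 + c > pktlen)
            return -1;                          /* label runs past the packet */
        if (n + c + 1 >= outlen)
            return -1;                          /* would overflow 'out' */
        if (n > 0)
            out[n++] = '.';
        memcpy(out + n, pkt + off + 1, c);
        n += c;
        off += 1 + c;
    }
    out[n] = '\0';
    return (int)n;
}

/* DNS payload transcribed from the capture in the post: header, the google.com
 * MX question and four MX answers whose exchange names end in a c0 0c pointer
 * back to "google.com" at offset 12. */
static const uint8_t capture[] = {
    0x43,0xf8,0x81,0x80, 0x00,0x01,0x00,0x04, 0x00,0x04,0x00,0x08,      /* id, flags, counts */
    0x06,'g','o','o','g','l','e', 0x03,'c','o','m', 0x00,              /* 12: google.com */
    0x00,0x0f,0x00,0x01,                                                /* MX, IN */
    0xc0,0x0c, 0x00,0x0f,0x00,0x01, 0x00,0x00,0x2a,0x30, 0x00,0x0a,    /* 28: answer 1 */
    0x00,0x0a, 0x05,'s','m','t','p','4', 0xc0,0x0c,                     /* 42: smtp4 + pointer */
    0xc0,0x0c, 0x00,0x0f,0x00,0x01, 0x00,0x00,0x2a,0x30, 0x00,0x0a,    /* 50: answer 2 */
    0x00,0x0a, 0x05,'s','m','t','p','1', 0xc0,0x0c,                     /* 64 */
    0xc0,0x0c, 0x00,0x0f,0x00,0x01, 0x00,0x00,0x2a,0x30, 0x00,0x0a,    /* 72: answer 3 */
    0x00,0x0a, 0x05,'s','m','t','p','2', 0xc0,0x0c,                     /* 86 */
    0xc0,0x0c, 0x00,0x0f,0x00,0x01, 0x00,0x00,0x2a,0x30, 0x00,0x0a,    /* 94: answer 4 */
    0x00,0x0a, 0x05,'s','m','t','p','3', 0xc0,0x0c,                     /* 108 */
};

/* Exchange name of MX answer i (0..3). Each answer is 22 bytes and its exchange
 * name starts 14 bytes in (2-byte owner pointer, 10 fixed bytes, 2-byte
 * preference). Returns NULL if i is out of range or the name is malformed. */
const char *capture_exchange(int i)
{
    static char name[256];
    size_t off = 28 + 22 * (size_t)i + 14;
    if (i < 0 || i > 3 ||
        dns_name_unpack(capture, sizeof capture, off, name, sizeof name) < 0)
        return NULL;
    return name;
}

/* A two-byte "packet" that is only the pointer from the crash (target offset
 * 139, far outside the buffer) and a pointer that targets itself: the decoder
 * must refuse both instead of reading out of bounds or spinning. */
int decoder_rejects_bad_pointers(void)
{
    static const uint8_t self_loop[2] = { 0xc0, 0x00 };
    char out[64];
    return dns_name_unpack(pointer_bytes, sizeof pointer_bytes, 0, out, sizeof out) == -1
        && dns_name_unpack(self_loop, sizeof self_loop, 0, out, sizeof out) == -1;
}

int main(void)
{
    printf("buggy offset: %u, fixed offset: %u\n",
           compression_offset_buggy((const signed char *)pointer_bytes),
           compression_offset_fixed(pointer_bytes));
    for (int i = 0; i < 4; i++)
        printf("MX %d: %s\n", i, capture_exchange(i));
    printf("bad pointers rejected: %d\n", decoder_rejects_bad_pointers());
    return 0;
}
```

The cast in the patch fixes the arithmetic, but it does not by itself stop a hostile or corrupt reply from pointing past the end of the buffer; the decoder above shows the two extra checks (offset against packet length, and a cap on pointers followed) that turn that case into a parse error rather than a fault.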


After this patch, trying to join the long domain, every time we get 'could
not join domain:Operations Error'.

Please find the attached patch and please comment/provide your thoughts.

Regards,
 Bhaskar Jain.
 bhajain at ironport.com
A non-text attachment was scrubbed...
Name: patch
Type: application/octet-stream
Size: 387 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090315/73474a0e/patch.obj