[PATCH] Fix panic when running 'smbtorture smb.base'
Ralph Wuerthner
ralphw at de.ibm.com
Tue Apr 9 02:41:05 MDT 2013
Hello list,
when running 'smbtorture smb.base' on a recent Samba 4 I noticed the following panic:
[2013/02/23 19:22:58.524698, 0] lib/util.c:810(smb_panic_s3)
PANIC (pid 2109097): sec_len == -1 in pull_ucs2_base_talloc
[2013/02/23 19:22:58.563334, 0] lib/util.c:921(log_stack_trace)
BACKTRACE: 22 stack frames:
#0 smbd(log_stack_trace+0x1a) [0x7f3dfe84022a]
#1 smbd(smb_panic_s3+0x25) [0x7f3dfe8402f5]
#2 smbd(smb_panic+0x1a1) [0x7f3dfe8321a1]
#3 smbd(+0x466298) [0x7f3dfe82f298]
#4 smbd(srvstr_get_path_wcard+0x42) [0x7f3dfe51a802]
#5 smbd(srvstr_get_path_req_wcard+0x3c) [0x7f3dfe51a8cc]
#6 smbd(srvstr_get_path_req+0x12) [0x7f3dfe51ba22]
#7 smbd(reply_mkdir+0x53) [0x7f3dfe51bdf3]
#8 smbd(+0x199a7b) [0x7f3dfe562a7b]
#9 smbd(+0x19a864) [0x7f3dfe563864]
#10 smbd(+0x19b709) [0x7f3dfe564709]
#11 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
#12 smbd(+0x486580) [0x7f3dfe84f580]
#13 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
#14 smbd(smbd_process+0xc77) [0x7f3dfe561c07]
#15 smbd(+0x7202dc) [0x7f3dfeae92dc]
#16 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
#17 smbd(+0x486580) [0x7f3dfe84f580]
#18 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
#19 smbd(main+0x1381) [0x7f3dfeaead11]
#20 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f3dfb396cdd]
#21 smbd(+0x106a19) [0x7f3dfe4cfa19]
[2013/02/23 19:22:58.563848, 0] lib/dumpcore.c:317(dump_core)
dumping core in /var/log/samba/cores/smbd
smb.base submits requests without any parameters, and for a couple of SMB1 requests (SMBmkdir, SMBrmdir, SMBgetatr, SMBcheckpath, SMBfclose) we try to access data behind req->buf+req->buflen, resulting in the above panic.
The attached patch set adds additional checks to prevent this invalid access.
Regards
Ralph Wuerthner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-smbd-do-not-access-data-behind-req-buf-req-buflen.patch
Type: text/x-patch
Size: 1238 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130409/d2747555/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-smbd-convert-srvstr_pull_req_talloc-into-a-functi.patch
Type: text/x-patch
Size: 2724 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130409/d2747555/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s3-smbd-do-not-access-data-behind-req-buf-req-buflen.patch
Type: text/x-patch
Size: 1034 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130409/d2747555/attachment-0002.bin>
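The bug class behind the panic, as an added illustration that is not part of the original mail, the attached patches, or Samba's own code: a request handler expects a buffer-format byte plus a path in the SMB1 data block, but the client sent an empty block, so reading at req->buf + 1 is already past req->buf + req->buflen, and an unsigned "remaining length" computed as buflen minus offset wraps to a huge value. The struct, the helper names (smbreq_bufrem_checked, pull_ascii_path, parse_mkdir_request) and the sample blocks are assumptions made for this example; only the 0x04 buffer-format byte is SMB1's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for the part of smbd's request this example needs: the SMB1
 * data block ("buffer") that follows ByteCount.  Field names are assumed
 * for the example; they are not Samba's declarations. */
struct smb_request {
    const uint8_t *buf;    /* start of the data block */
    size_t         buflen; /* bytes in the data block, may be 0 */
};

#define SMB_BUF_FMT_ASCII 0x04   /* SMB1 buffer-format byte preceding a path */

/* Bytes left in the data block from offset 'off'.  The naive "buflen - off"
 * wraps in size_t once off > buflen: an empty block (buflen == 0) read at
 * offset 1 would yield a huge length and the caller would walk off the end.
 * Reject that case instead of letting it wrap. */
static ssize_t smbreq_bufrem_checked(const struct smb_request *req, size_t off)
{
    if (off > req->buflen) {
        return -1;
    }
    return (ssize_t)(req->buflen - off);
}

/* Copy the NUL-terminated ASCII path at 'off' into 'out', never looking
 * past the end of the block.  Returns the path length, or -1 if 'off' is
 * outside the block, no terminator occurs before the block ends, or 'out'
 * is too small. */
static ssize_t pull_ascii_path(const struct smb_request *req, size_t off,
                               char *out, size_t outlen)
{
    ssize_t rem = smbreq_bufrem_checked(req, off);
    if (rem <= 0) {
        return -1;               /* nothing left: no terminator possible */
    }
    const uint8_t *p = req->buf + off;
    const uint8_t *nul = memchr(p, '\0', (size_t)rem);
    if (nul == NULL) {
        return -1;               /* client omitted the NUL */
    }
    size_t len = (size_t)(nul - p);
    if (len + 1 > outlen) {
        return -1;
    }
    memcpy(out, p, len);
    out[len] = '\0';
    return (ssize_t)len;
}

/* Parsing step of an SMBmkdir-style handler: the block must hold the 0x04
 * format byte followed by the path.  Every access is preceded by a check
 * against buflen, so an empty block is refused rather than read. */
static int parse_mkdir_request(const struct smb_request *req,
                               char *path, size_t pathlen)
{
    if (smbreq_bufrem_checked(req, 0) < 1) {
        return -1;               /* empty data block: not even a format byte */
    }
    if (req->buf[0] != SMB_BUF_FMT_ASCII) {
        return -1;
    }
    return pull_ascii_path(req, 1, path, pathlen) < 0 ? -1 : 0;
}

/* Constructed sample blocks (not captured traffic). */
static int demo_well_formed(char *out, size_t outlen)
{
    static const uint8_t blk[] = { 0x04, '\\', 'd', 'i', 'r', '\0' };
    struct smb_request req = { blk, sizeof(blk) };
    return parse_mkdir_request(&req, out, outlen);
}

static int demo_empty_block(void)
{
    static const uint8_t blk[1] = { 0 };     /* like smb.base: no data at all */
    struct smb_request req = { blk, 0 };
    char out[16];
    return parse_mkdir_request(&req, out, sizeof(out));
}

static int demo_unterminated(void)
{
    static const uint8_t blk[] = { 0x04, 'd', 'i', 'r' };  /* NUL missing */
    struct smb_request req = { blk, sizeof(blk) };
    char out[16];
    return parse_mkdir_request(&req, out, sizeof(out));
}

int main(void)
{
    char path[16];
    printf("well-formed: %d (%s)\n", demo_well_formed(path, sizeof(path)), path);
    printf("empty block: %d\n", demo_empty_block());
    printf("unterminated: %d\n", demo_unterminated());
    return 0;
}
```

The point of the helper is that the bounds decision is made on offsets against buflen before any pointer is formed or dereferenced; an unterminated path is refused for the same reason, since memchr is bounded by what actually remains rather than by a terminator the client may never have sent.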