[PATCH] Fix panic when running 'smbtorture smb.base'

Ralph Wuerthner ralphw at de.ibm.com
Tue Apr 9 02:41:05 MDT 2013


Hello list,

when running 'smbtorture smb.base' on a recent Samba 4 I noticed the following panic:

[2013/02/23 19:22:58.524698,  0] lib/util.c:810(smb_panic_s3)
  PANIC (pid 2109097): sec_len == -1 in pull_ucs2_base_talloc
[2013/02/23 19:22:58.563334,  0] lib/util.c:921(log_stack_trace)
  BACKTRACE: 22 stack frames:
   #0 smbd(log_stack_trace+0x1a) [0x7f3dfe84022a]
   #1 smbd(smb_panic_s3+0x25) [0x7f3dfe8402f5]
   #2 smbd(smb_panic+0x1a1) [0x7f3dfe8321a1]
   #3 smbd(+0x466298) [0x7f3dfe82f298]
   #4 smbd(srvstr_get_path_wcard+0x42) [0x7f3dfe51a802]
   #5 smbd(srvstr_get_path_req_wcard+0x3c) [0x7f3dfe51a8cc]
   #6 smbd(srvstr_get_path_req+0x12) [0x7f3dfe51ba22]
   #7 smbd(reply_mkdir+0x53) [0x7f3dfe51bdf3]
   #8 smbd(+0x199a7b) [0x7f3dfe562a7b]
   #9 smbd(+0x19a864) [0x7f3dfe563864]
   #10 smbd(+0x19b709) [0x7f3dfe564709]
   #11 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
   #12 smbd(+0x486580) [0x7f3dfe84f580]
   #13 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
   #14 smbd(smbd_process+0xc77) [0x7f3dfe561c07]
   #15 smbd(+0x7202dc) [0x7f3dfeae92dc]
   #16 smbd(run_events_poll+0x376) [0x7f3dfe84f0d6]
   #17 smbd(+0x486580) [0x7f3dfe84f580]
   #18 smbd(_tevent_loop_once+0x90) [0x7f3dfe84f900]
   #19 smbd(main+0x1381) [0x7f3dfeaead11]
   #20 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f3dfb396cdd]
   #21 smbd(+0x106a19) [0x7f3dfe4cfa19]
[2013/02/23 19:22:58.563848,  0] lib/dumpcore.c:317(dump_core)
  dumping core in /var/log/samba/cores/smbd

smb.base submits requests without any parameters and for a couple of SMB1 requests (SMBmkdir, SMBrmdir, SMBgetatr, SMBcheckpath, SMBfclose requests) we try to access data behind req->buf+req->buflen, resulting in the above panic.

The attached patch set adds additional checks to prevent this invalid access.

Regards

	Ralph Wuerthner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-smbd-do-not-access-data-behind-req-buf-req-buflen.patch
Type: text/x-patch
Size: 1238 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130409/d2747555/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-smbd-convert-srvstr_pull_req_talloc-into-a-functi.patch
Type: text/x-patch
Size: 2724 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130409/d2747555/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s3-smbd-do-not-access-data-behind-req-buf-req-buflen.patch
Type: text/x-patch
Size: 1034 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130409/d2747555/attachment-0002.bin>
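As an added illustration of the class of check described in this report (it is not the attached patches, which are not reproduced on this page, and fake_req is a hypothetical stand-in for the request fields, not Samba's struct smb_request), a bounds-checked string pull in C: the start pointer and every scanned byte are validated against buf + buflen, so a request whose data block is empty is rejected instead of being read past.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for the two request fields involved in the panic;
 * it is not Samba's struct smb_request. */
struct fake_req {
    const uint8_t *buf;   /* data block of the SMB1 request */
    size_t buflen;        /* number of bytes valid at buf */
};

/* Copy a NUL-terminated path out of the data block starting at src.  Every
 * byte is checked against [buf, buf + buflen) before it is read, so a request
 * with no data block (buflen == 0, as smb.base sends) fails cleanly instead of
 * reading past the buffer.  Returns the path length, or -1 when src is out of
 * bounds, no terminator exists in the remaining bytes, or dst is too small. */
int pull_path_checked(const struct fake_req *req, const uint8_t *src,
                      char *dst, size_t dstlen)
{
    size_t avail, n;
    /* src must lie inside the data block; buflen == 0 rejects everything */
    if ((uintptr_t)src < (uintptr_t)req->buf ||
        (uintptr_t)src >= (uintptr_t)(req->buf + req->buflen)) {
        return -1;
    }
    avail = req->buflen - (size_t)(src - req->buf);

    /* look for the terminator, never beyond the bytes the client supplied */
    for (n = 0; n < avail && src[n] != '\0'; n++) {
    }
    if (n == avail || n >= dstlen) {
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Constructed inputs; 0x04 is the SMB1 ASCII-string marker before the path. */
const uint8_t with_path[] = { 0x04, 'd', 'i', 'r', '\0' };
const uint8_t no_terminator[] = { 0x04, 'd', 'i', 'r' };
char last_path[16];

/* Build a request over data[0..len) and pull the path that starts at data + off.
 * demo(with_path, 5, 1) -> 3; demo(with_path, 0, 0) -> -1 (the smb.base case);
 * demo(no_terminator, 4, 1) -> -1. */
int demo(const uint8_t *data, size_t len, size_t off)
{
    struct fake_req req = { data, len };
    return pull_path_checked(&req, data + off, last_path, sizeof(last_path));
}
```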