Patch: Attempt to fix segfaults in push_ucs2_talloc when domain, workgroup etc are NULL in creds

Richard Sharpe realrichardsharpe at
Tue Aug 18 16:32:17 UTC 2015

Hi folks,

the following small piece of Python:

  from samba.credentials import Credentials
  from samba import param
  lp = param.LoadParm()

Causes the following segfault:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f2e62f in __strlen_sse42 () from /lib64/
(gdb) where
#0  0x00007ffff6f2e62f in __strlen_sse42 () from /lib64/
#1  0x00007ffff02a5475 in push_ucs2_talloc (ctx=0x708960, dest=0x7089a0,
    src=0x0, converted_size=0x7fffffffcfd0)
    at ../lib/util/charset/pull_push.c:41
#2  0x00007fffebba9532 in msrpc_gen (mem_ctx=0x707520, blob=0x7fffffffd540,
    format=0x7fffe9c4ee0c "CdBBUUUBd") at ../libcli/auth/msrpc_parse.c:75
#3  0x00007fffe9c3db5f in ntlmssp_client_challenge (gensec_security=0x706060,
    out_mem_ctx=0x705e20, in=..., out=0x7fffffffd540)
    at ../auth/ntlmssp/ntlmssp_client.c:300
#4  0x00007fffe9c3c3bd in gensec_ntlmssp_update (gensec_security=0x706060,
    out_mem_ctx=0x705e20, ev=0x6fbf70, input=..., out=0x7fffffffd540)
    at ../auth/ntlmssp/ntlmssp.c:163
#5  0x00007fffe9c43e05 in gensec_update_ev (gensec_security=0x706060,
    out_mem_ctx=0x705e20, ev=0x6fbf70, in=..., out=0x7fffffffd540)
    at ../auth/gensec/gensec.c:235
#6  0x00007fffe9c3858d in gensec_spnego_update (gensec_security=0x7059e0,
    out_mem_ctx=0x705e20, ev=0x6fbf70, in=..., out=0x705e70)
    at ../auth/gensec/spnego.c:1070
#7  0x00007fffe9c38d93 in gensec_spnego_update_wrapper (
    gensec_security=0x7059e0, out_mem_ctx=0x701630, ev=0x6fbf70, in=...,
    out=0x7fffffffd730) at ../auth/gensec/spnego.c:1312
#8  0x00007fffe9c43e05 in gensec_update_ev (gensec_security=0x7059e0,
    out_mem_ctx=0x701630, ev=0x6fbf70, in=..., out=0x7fffffffd730)
    at ../auth/gensec/gensec.c:235
#9  0x00007fffe895d4e3 in ldap_bind_sasl (conn=0x700090, creds=0x6f37a0,
    lp_ctx=0x6ea250) at ../source4/libcli/ldap/ldap_bind.c:330
#10 0x00007fffe2d85486 in ildb_connect (ldb=0x6fbc20,
    url=0x7ffff7f264ec "ldap://", flags=0, options=0x0,
    _module=0x6fbc20) at ../lib/ldb-samba/ldb_ildap.c:851
#11 0x00007fffee372a06 in ldb_module_connect_backend (ldb=0x6fbc20,
    url=0x7ffff7f264ec "ldap://", options=0x0,
    backend_module=0x6fbc20) at ../common/ldb_modules.c:217
#12 0x00007fffee389859 in ldb_connect (ldb=0x6fbc20,
    url=0x7ffff7f264ec "ldap://", flags=<value optimized out>,
    options=0x0) at ../common/ldb.c:260
#13 0x00007fffee7a0995 in py_ldb_connect (self=<value optimized out>,
    args=<value optimized out>, kwargs=<value optimized out>)
    at ../pyldb.c:1071
#14 0x00007ffff7b0c9e4 in PyEval_EvalFrameEx ()
   from /usr/lib64/
#15 0x00007ffff7b0e657 in PyEval_EvalCodeEx ()
   from /usr/lib64/

Here is a possible fix for it. It is caused because I did not set the
workgroup or workstation parts of the creds:

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index f99257d..1f22241 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -146,7 +146,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *ge
        DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
        NTSTATUS nt_status;
        int flags = 0;
-       const char *user, *domain;
+       const char *user, *domain, *workstation;

        TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
        if (!mem_ctx) {
@@ -224,6 +224,13 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *g
        cli_credentials_get_ntlm_username_domain(gensec_security->credentials, m
                                                 &user, &domain);

+       workstation = cli_credentials_get_workstation(gensec_security->credentia
+       if (user = NULL || domain == NULL || workstation == NULL) {
+               DEBUG(10, ("One or more of user, domain or workstation is NULL\n
+               return NT_STATUS_INVALID_PARAMETER;
+       }
        if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
                flags |= CLI_CRED_NTLM2;
@@ -305,7 +312,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *ge
             , nt_response.length,
-                      cli_credentials_get_workstation(gensec_security->credenti
+                      workstation,
             , encrypted_session_key.length,
        if (!NT_STATUS_IS_OK(nt_status)) {

I imagine there will be comments ...

Richard Sharpe

More information about the samba-technical mailing list