[Samba] Bug 6870 resurfaced in Samba 4.2.10

Jeremy Allison jra at samba.org
Mon Oct 17 18:27:12 UTC 2016


On Mon, Oct 17, 2016 at 07:13:46PM +0100, Rebecca Gellman via samba wrote:
>  
> 
> On 2016-10-17 18:13, Jeremy Allison wrote: 
> 
> > On Mon, Oct 17, 2016 at 09:41:10AM -0700, Jeremy Allison via samba wrote:
> > > On Mon, Oct 17, 2016 at 05:13:08PM +0100, Rebecca Gellman via samba wrote:
> > 
> > Hi, 
> > 
> > So I did some digging into the source code, and I think I've found the
> > issue. Around line 120 of source3/libads/cldap.c: 
> > 
> > for (i=0; i<num_servers; i++) {
> >         NTSTATUS status;
> > 
> >         status = cldap_socket_init(state->cldap,
> >                                    NULL, /* local_addr */
> >                                    state->servers[i],
> >                                    &state->cldap[i]);
> > 
> >         if (tevent_req_nterror(req, status)) {
> >                 return tevent_req_post(req, ev);
> >         }
> > 
> >         /* Code omitted for brevity */
> > 
> > }
> > 
> > This is in cldap_multi_netlogon_send(), a function that sends CLDAP
> > requests to multiple DCs in one go. The loop here sets up a socket for
> > each DC. cldap_socket_init() in turn (possibly several calls deeper)
> > sets up the UDP socket, and calls connect() on it, which fails with
> > "Network unreachable". This bubbles up the chain and comes back to
> > cldap_multi_netlogon_send() as NT_STATUS_NETWORK_UNREACHABLE. 
> > 
> > Note however the return from the function: it returns an error if *any*
> > of the servers queried returned an error, even if any of them succeeded. 
> > Great analysis - thanks ! I'll look into a patch for this.
> > 
> > We'll need a new bug report for this one.
> 
> OK, here's the new bug:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=12381
> 
> and here is (I think) the patch. Can you test this
> and let me know if it fixes your test case ?
> 
>  CC:ing to samba-technical for followups.
> 
> Cheers,
> 
>     Jeremy. 
> 
>  Results not good m'fraid. 
> 
> It seems cldap_socket_init() should be setting up the cldap_socket
> (param 3 is struct cldap_socket **), but obviously doesn't get this far.
> When this is passed to cldap_search_send() it segfaults on line 603: 
> 
> if (!cldap->connected) { 
> 
> This is going to be icky, isn't it? 

No, it's not so bad. libcli/cldap/cldap.c is clearly supposed to cope
with caller.cldap == NULL - you can see this in the function
cldap_search_state_destructor() which checks:

if (s->caller.cldap)

before doing anything. Can you try this (amended) patch ?

Thanks so much for your timely testing !

Cheers,

	Jeremy.
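The two points raised in this thread, that a multi-server setup loop should not abort on the first unreachable DC, and that whatever consumes the per-server handles must then tolerate a NULL slot, are illustrated below as an added, self-contained example. It is not Samba code: the status codes, `struct dc_sock`, `sock_init()` (which simulates connect() failing with ENETUNREACH for any address prefixed "unreach:"), `init_all_strict()`, `init_all_tolerant()` and `send_to_all()` are all constructed stand-ins for the cldap_multi_netlogon_send() / cldap_search_send() pattern discussed above.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for NTSTATUS values (not Samba's definitions). */
typedef enum {
    ST_OK = 0,
    ST_NETWORK_UNREACHABLE,
    ST_NO_LOGON_SERVERS
} status_t;

/* Hypothetical per-DC UDP socket handle. */
struct dc_sock {
    const char *server;
    bool connected;
};

/* Hypothetical socket init. Any server string starting with "unreach:"
 * simulates connect() failing with ENETUNREACH; on failure *out stays NULL. */
static status_t sock_init(const char *server, struct dc_sock *storage,
                          struct dc_sock **out)
{
    *out = NULL;
    if (strncmp(server, "unreach:", 8) == 0) {
        return ST_NETWORK_UNREACHABLE;
    }
    storage->server = server;
    storage->connected = true;
    *out = storage;
    return ST_OK;
}

/* The behaviour described in the thread: one failure aborts the whole batch,
 * even when other DCs were reachable. */
static status_t init_all_strict(const char **servers, size_t n,
                                struct dc_sock *storage, struct dc_sock **socks)
{
    for (size_t i = 0; i < n; i++) {
        status_t st = sock_init(servers[i], &storage[i], &socks[i]);
        if (st != ST_OK) {
            return st;          /* first error wins; remaining slots untouched */
        }
    }
    return ST_OK;
}

/* Tolerant variant: record a failed server as a NULL slot, keep going, and
 * report an error only if no server at all could be set up. */
static status_t init_all_tolerant(const char **servers, size_t n,
                                  struct dc_sock *storage, struct dc_sock **socks,
                                  size_t *num_ok)
{
    *num_ok = 0;
    for (size_t i = 0; i < n; i++) {
        status_t st = sock_init(servers[i], &storage[i], &socks[i]);
        if (st != ST_OK) {
            socks[i] = NULL;    /* consumers must check for this */
            continue;
        }
        (*num_ok)++;
    }
    return (*num_ok > 0) ? ST_OK : ST_NO_LOGON_SERVERS;
}

/* A consumer that checks the handle before dereferencing it, the way the
 * thread notes cldap_search_state_destructor() tests s->caller.cldap first.
 * Returns how many DCs a request would actually be sent to. */
static size_t send_to_all(struct dc_sock **socks, size_t n)
{
    size_t sent = 0;
    for (size_t i = 0; i < n; i++) {
        if (socks[i] == NULL) {
            continue;           /* socket never came up; skip, don't segfault */
        }
        if (!socks[i]->connected) {
            continue;
        }
        sent++;
    }
    return sent;
}

int main(void)
{
    /* Constructed input: one unreachable DC, two reachable ones. */
    const char *servers[3] = { "unreach:10.0.0.1", "ok:10.0.0.2", "ok:10.0.0.3" };
    struct dc_sock storage[3];
    struct dc_sock *socks[3];
    size_t ok = 0;

    printf("strict:   %d\n", init_all_strict(servers, 3, storage, socks));
    printf("tolerant: %d (%zu usable)\n",
           init_all_tolerant(servers, 3, storage, socks, &ok), ok);
    printf("sent to %zu DCs\n", send_to_all(socks, 3));
    return 0;
}
```

The strict loop returns ST_NETWORK_UNREACHABLE and the caller never gets a usable handle; the tolerant loop returns ST_OK with two usable sockets, and the NULL-aware consumer skips the dead slot instead of dereferencing it. Only when every server fails does the tolerant variant surface an error.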

