smbtorture RW1 test failure due to read buffer lack (127K),
samba 3.0.30
Volodymyr Khomenko
Volodymyr.Khomenko at exanet.com
Mon Aug 4 14:15:36 GMT 2008
Hi all,
I've found an issue with the RW1 test of smbtorture: the recent fix (security fix for CVE-2008-1105)
changed the logic of the range check in the function 'receive_smb_raw',
so it cannot receive a buffer larger than cli->bufsize=127K, but the test wants to receive up to 128K.
In more detail...
smbtorture's 'RW1' test writes and reads buffers of random length up to 128K (131072 bytes):
source/torture/torture.c:
static BOOL rw_torture2(struct cli_state *c1, struct cli_state *c2)
{
...
char buf[131072];
char buf_rd[131072];
...
size_t buf_size = ((unsigned)sys_random()%(sizeof(buf)-1))+ 1;
...
if (cli_write(c1, fnum1, 0, buf, 0, buf_size) != buf_size) {
...
}
if ((bytes_read = cli_read(c2, fnum2, buf_rd, 0, buf_size)) != buf_size) {
...
}
But 'cli_read' uses 'cli_receive_smb', and 'cli_receive_smb' uses 'client_receive_smb' to receive the buffer.
It passes 'cli->bufsize' as the maximal accepted length (3rd parameter):
source/libsmb/clientgen.c:
BOOL cli_receive_smb(struct cli_state *cli)
{
...
again:
ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
Alas, cli->bufsize is only 127K, so 'client_receive_smb' cannot receive blocks larger than 130048 bytes.
So, if 'sys_random' brings us above 127K, the RW1 test will FAIL...
cli->bufsize is set to CLI_SAMBA_MAX_LARGE_READX_SIZE=127K by the function cli_negprot:
source/libsmb/cliconnect.c:
BOOL cli_negprot(struct cli_state *cli)
{
...
cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE; /* For samba 3.0.30 */
cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE + LARGE_WRITEX_HDR_SIZE; /* For samba 3.0.31 */
We can receive only up to CLI_SAMBA_MAX_LARGE_READX_SIZE=127K in 3.0.30 and up to
127K + 65 in samba 3.0.31.
For older samba (before CVE-2008-1105) we could receive
up to BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE=128K+65, so this problem has appeared only with
the security fix for CVE-2008-1105 (boundary failure when parsing SMB responses):
--- a/source/lib/util_sock.c
+++ b/source/lib/util_sock.c
@@ -1173,17 +1172,10 @@ NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout,
return status;
}
- /*
- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
- * of header. Don't print the error if this fits.... JRA.
- */
-
- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+ if (len > buflen) {
DEBUG(0,("Invalid packet length! (%lu bytes).\n",
(unsigned long)len));
- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
+ return NT_STATUS_INVALID_PARAMETER;
}
if(len > 0) {
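Review bot: the new `if (len > buflen)` check is the right memory-safety bound, but it silently changes the contract for every caller: `buflen` must now be at least as large as the largest legitimate response the client negotiated, where the removed check allowed `BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE` regardless of the buffer passed in. `cli_receive_smb` passes `cli->bufsize`, which `cli_negprot` sets to `CLI_SAMBA_MAX_LARGE_READX_SIZE` (127K), so a 128K response that the old code accepted is now rejected with `NT_STATUS_INVALID_PARAMETER` and logged as "Invalid packet length!". Suggest pairing this hunk with a matching increase of `cli->bufsize` in `cli_negprot` (or reducing what callers such as `rw_torture2` request), and replacing the deleted JRA comment with one stating that `buflen` is the caller's real buffer size and the only limit enforced here.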
From my point of view, we should fix the RW tests (rw_torture2/rw_torture3 functions)
to not use such large buffers (at least less than 127K).
Otherwise we should fix the 'cli_negprot' function to apply a 128K buffer limitation.
Thanks.
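As an added illustration (not Samba code, and not part of the post above), the two range checks side by side with the sizes the post quotes: the pre-fix check accepts lengths up to a fixed ceiling without looking at the caller's buffer, so a 131072-byte RW1 read would overrun a 127K cli->bufsize, while the post-fix check ties acceptance to buflen and therefore rejects that same read unless bufsize is raised. SAFETY_MARGIN's value is assumed; the post names the macro but not its size.

```c
#include <stddef.h>
#include <stdio.h>

/* Sizes as quoted in the post for Samba 3.0.30 / 3.0.31. */
#define BUFFER_SIZE                     (128 * 1024)
#define LARGE_WRITEX_HDR_SIZE           65
#define CLI_SAMBA_MAX_LARGE_READX_SIZE  (127 * 1024)   /* 130048 */
#define RW1_MAX_IO                      131072         /* sizeof(buf) in rw_torture2 */
#define SAFETY_MARGIN                   1024           /* assumed; not given in the post */

/* Pre-fix receive_smb_raw logic: a fixed ceiling, independent of the real buffer. */
static int old_check_accepts(size_t len, size_t buflen)
{
    (void)buflen; /* the old code never consulted the caller's buffer size */
    return len <= BUFFER_SIZE + (SAFETY_MARGIN / 2);
}

/* Post-fix logic: the caller's actual buffer size is the only limit. */
static int new_check_accepts(size_t len, size_t buflen)
{
    return len <= buflen;
}

/* The defect the CVE fix closed: old check accepts a length the buffer cannot hold. */
static int old_check_overruns(size_t len, size_t buflen)
{
    return old_check_accepts(len, buflen) && len > buflen;
}

/* Would RW1's largest read pass the post-fix check for a given cli->bufsize? */
static int rw1_fits(size_t bufsize)
{
    return new_check_accepts(RW1_MAX_IO, bufsize);
}

int main(void)
{
    size_t b30 = CLI_SAMBA_MAX_LARGE_READX_SIZE;
    size_t b31 = CLI_SAMBA_MAX_LARGE_READX_SIZE + LARGE_WRITEX_HDR_SIZE;
    size_t old = BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE;

    printf("old check, bufsize=%zu: RW1 read of %d accepted=%d overruns=%d\n",
           b30, RW1_MAX_IO, old_check_accepts(RW1_MAX_IO, b30),
           old_check_overruns(RW1_MAX_IO, b30));
    printf("new check, 3.0.30 bufsize=%zu: RW1 fits=%d\n", b30, rw1_fits(b30));
    printf("new check, 3.0.31 bufsize=%zu: RW1 fits=%d\n", b31, rw1_fits(b31));
    printf("new check, pre-CVE limit %zu: RW1 fits=%d\n", old, rw1_fits(old));
    return 0;
}
```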