patch to prevent segmentation fault on joining a very long domain
name in samba-3.0.32
bhaskar jain
bhaskar.jain2002 at gmail.com
Sun Mar 15 16:42:56 GMT 2009
Hello All,
Problem
======
Example -
With AD Server:vmw035-win08.wga
AD Domain:VERYBERRYDOMAIN.ACTIVEDIRECTORYDOMAIN123ACTIVEDIRECTORYDOMAIN123
Trying to join this domain, on the first try you get 'Cannot join domain:Operations
error'. Any subsequent attempt results in a segmentation fault and
core dump, consistently.
(gdb) bt
#0 0x081dcbae in pull_netlogon_string (ret=0xbfbfb528 "", ptr=0x827b08b
<Address 0x827b08b out of bounds>,
data=0x826b100 "\027") at libads/cldap.c:86
#1 0x081dd507 in recv_cldap_netlogon (sock=6, reply=0xbfbfad10) at
libads/cldap.c:274
#2 0x081dd68a in ads_cldap_netlogon (server=0x8268810 "10.7.2.115",
realm=0x826a080
"VERYBERRYDOMAIN.ACTIVEDIRECTORYDOMAIN123ACTIVEDIRECTORYDOMAIN123",
reply=0xbfbfad10)
at libads/cldap.c:311
#3 0x081cf1d3 in ads_try_connect ()
#4 0x081d29c9 in ads_connect ()
#5 0x081e3f4e in get_dc_name ()
#6 0x08083102 in net_ads_join ()
#7 0x0807f693 in net_run_function ()
#8 0x0808599d in net_ads ()
#9 0x0807f693 in net_run_function ()
#10 0x08080c84 in main ()
(gdb) f 0
#0 0x081dcbae in pull_netlogon_string (ret=0xbfbfb528 "", ptr=0x827b08b
<Address 0x827b08b out of bounds>,
data=0x826b100 "\027") at libads/cldap.c:86
86 } while (*ptr);
(gdb)
(gdb) print ptr
$1 = 0x827b08b <Address 0x827b08b out of bounds>
Analysis
======
We have len = ((ptr[0] & 0x3f) << 8) | ptr[1]; in libads/cldap.c line 63.
(gdb) x/2b ptr
0x826e2a4: 0xc0 0x8b
So 0xc0 & 0x3f = 0
0 << 8 = 0
It should be 0x8b = 139.
len actually becomes 65419,
so on doing ptr = data + len, ptr goes out of bounds and in while (*ptr) we
segfault.
After this patch,
len has been explicitly typecast:
len = (((uint8) ptr[0] & 0x3f) << 8) | (uint8) ptr[1];
After this change ptr does not go out of bounds:
(gdb) p len
$2 = 139
(gdb) x/2b ptr
0x826b18b: 0x17 0x44
(gdb) p ptr
$4 = 0x826b18b "\027Default-First-Site-Name"
Root Cause (by Shibu)
=======
When multiple DNS entries with the same common part are contained in
the same DNS reply, they are sent message-compressed (RFC 1035, section
4.1.4), in which a pointer (byte offset) to the common portion is kept in
each DNS entry instead of having the common part repeated in each. This
patch fixes a flaw in calculating the byte offset for walking through the
packet when pointers are contained in it instead of absolute DNS labels.
This can additionally be verified by capturing the network traffic during the
domain join and seeing that the packet contains message-compressed DNS entries
instead of absolute DNS labels.
For example, for the DNS entries we fetch in a single packet for, say, google.com:
smtp4.google.com
smtp3.google.com
smtp2.google.com
smtp1.google.com
The capture should look something similar to:
18:50:25.686202 IP dns-blr2.cisco.com.domain >
dhcp-64-104-134-206.cisco.com.56215: 17400 4/4/8 MX smtp4.google.com.
10, MX smtp1.google.com. 10, MX smtp2.google.com. 10, MX
smtp3.google.com. 10 (316)
0x0000: 4500 0158 3199 0000 3a11 bd96 48a3 808c E..X1...:...H...
0x0010: 4068 86ce 0035 db97 0144 c3af 43f8 8180 @h...5...D..C...
0x0020: 0001 0004 0004 0008 0667 6f6f 676c 6503 .........google.
0x0030: 636f 6d00 000f 0001 c00c 000f 0001 0000 com.............
0x0040: 2a30 000a 000a 0573 6d74 7034 c00c c00c *0.....smtp4....
0x0050: 000f 0001 0000 2a30 000a 000a 0573 6d74 ......*0.....smt
0x0060: 7031 c00c c00c 000f 0001 0000 2a30 000a p1..........*0..
0x0070: 000a 0573 6d74 7032 c00c c00c 000f 0001 ...smtp2........
0x0080: 0000 2a30 000a 000a 0573 6d74 7033 c00c ..*0.....smtp3..
After this patch, trying to join the long domain we get 'could
not join domain:Operations Error' every time.
Please find the attached patch and please comment/provide your thoughts.
Regards,
Bhaskar Jain.
bhajain at ironport.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch
Type: application/octet-stream
Size: 387 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090315/73474a0e/patch.obj
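An added illustration of the sign-extension described in the Analysis section above and of the bounds checking the compression-pointer walk needs; this is example code written for this page, not Samba's libads/cldap.c or the attached patch. The two pointer bytes are the ones gdb shows in the post, and the packet fragment is constructed to mirror the c00c pointers in the capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed: the 0xc0 0x8b bytes gdb shows at ptr (a compression pointer
 * to offset 139); signed char makes the x86 result portable. */
static const signed char sample_ptr[2] = { (signed char)0xc0, (signed char)0x8b };
/* The expression as it stood in cldap.c: ptr[1] == 0x8b is promoted to int
 * as -117, so the OR yields -117 and len becomes 65419, not 139. */
uint16_t offset_buggy(const signed char *ptr)
{
    uint16_t len = ((ptr[0] & 0x3f) << 8) | ptr[1];
    return len;
}
/* The same expression with the explicit uint8 casts the post describes. */
uint16_t offset_fixed(const signed char *ptr)
{
    uint16_t len = (((uint8_t)ptr[0] & 0x3f) << 8) | (uint8_t)ptr[1];
    return len;
}
/* Constructed packet: 12 header bytes, "google.com" at offset 12, "smtp4"
 * plus pointer c00c at offset 24, and a pointer c018 to that at offset 32. */
static const uint8_t sample_pkt[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    6,'g','o','o','g','l','e',3,'c','o','m',0,
    5,'s','m','t','p','4',0xc0,0x0c,
    0xc0,0x18 };
/* Bounds-checked extraction: each offset is tested against pkt_len before it
 * is read and pointer chains are capped. Returns the dotted-name length, or
 * -1 on truncation, loops or bad labels. out must hold 256 bytes. */
int pull_name_checked(const uint8_t *pkt, size_t pkt_len, size_t off, char *out)
{
    size_t outlen = 0;
    int hops = 0;
    while (off < pkt_len) {
        uint8_t c = pkt[off];
        if (c == 0) { out[outlen] = '\0'; return (int)outlen; }
        if ((c & 0xc0) == 0xc0) {                       /* 2-byte pointer */
            if (off + 1 >= pkt_len || ++hops > 16) return -1;
            off = (size_t)(((c & 0x3f) << 8) | pkt[off + 1]);
            continue;
        }
        if (c > 63 || off + 1 + c > pkt_len || outlen + c + 1 > 255) return -1;
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + off + 1, c);
        outlen += c;
        off += 1 + c;
    }
    return -1;                                          /* ran off the end */
}
```

A pointer to offset 139 in a 34-byte packet, the situation in the backtrace, makes pull_name_checked return -1 instead of dereferencing past the buffer.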