The Samba-Bugzilla – Attachment 15668 Details for Bug 14205: Prevent smbd crash after invalid SMB1 negprot.
[patch] git-am fix for 4.10.next
bug-14205-4.10 (text/plain), 22.14 KB, created by Jeremy Allison on 2019-12-05 00:17:59 UTC
>From f14e25822b777ca3583b4b719e39c6f8aa525b5a Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 26 Nov 2019 12:14:29 -0800 >Subject: [PATCH 1/7] s3: smbd: Allow smbd_smb2_process_negprot() to return > NTSTATUS as it can fail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit 868bc05cf5d575e20edcce241e3af1d0fa6d9824) >--- > source3/smbd/globals.h | 2 +- > source3/smbd/smb2_server.c | 15 ++++++++------- > 2 files changed, 9 insertions(+), 8 deletions(-) > >diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h >index 02f1e58b77b..0a4fcd96b43 100644 >--- a/source3/smbd/globals.h >+++ b/source3/smbd/globals.h >@@ -239,7 +239,7 @@ NTSTATUS smbd_add_connection(struct smbXsrv_client *client, int sock_fd, > > void reply_smb2002(struct smb_request *req, uint16_t choice); > void reply_smb20ff(struct smb_request *req, uint16_t choice); >-void smbd_smb2_process_negprot(struct smbXsrv_connection *xconn, >+NTSTATUS smbd_smb2_process_negprot(struct smbXsrv_connection *xconn, > uint64_t expected_seq_low, > const uint8_t *inpdu, size_t size); > >diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c >index 24d96dec534..b65880a9562 100644 >--- a/source3/smbd/smb2_server.c >+++ b/source3/smbd/smb2_server.c >@@ -3570,7 +3570,7 @@ static NTSTATUS smbd_smb2_request_next_incoming(struct smbXsrv_connection *xconn > return NT_STATUS_OK; > } > >-void smbd_smb2_process_negprot(struct smbXsrv_connection *xconn, >+NTSTATUS smbd_smb2_process_negprot(struct smbXsrv_connection *xconn, > uint64_t expected_seq_low, > const uint8_t *inpdu, size_t size) > { 
>@@ -3584,25 +3584,25 @@ void smbd_smb2_process_negprot(struct smbXsrv_connection *xconn, > status = smbd_initialize_smb2(xconn, expected_seq_low); > if (!NT_STATUS_IS_OK(status)) { > smbd_server_connection_terminate(xconn, nt_errstr(status)); >- return; >+ return status; > } > > status = smbd_smb2_request_create(xconn, inpdu, size, &req); > if (!NT_STATUS_IS_OK(status)) { > smbd_server_connection_terminate(xconn, nt_errstr(status)); >- return; >+ return status; > } > > status = smbd_smb2_request_validate(req); > if (!NT_STATUS_IS_OK(status)) { > smbd_server_connection_terminate(xconn, nt_errstr(status)); >- return; >+ return status; > } > > status = smbd_smb2_request_setup_out(req); > if (!NT_STATUS_IS_OK(status)) { > smbd_server_connection_terminate(xconn, nt_errstr(status)); >- return; >+ return status; > } > > #ifdef WITH_PROFILE >@@ -3617,16 +3617,17 @@ void smbd_smb2_process_negprot(struct smbXsrv_connection *xconn, > status = smbd_smb2_request_dispatch(req); > if (!NT_STATUS_IS_OK(status)) { > smbd_server_connection_terminate(xconn, nt_errstr(status)); >- return; >+ return status; > } > > status = smbd_smb2_request_next_incoming(xconn); > if (!NT_STATUS_IS_OK(status)) { > smbd_server_connection_terminate(xconn, nt_errstr(status)); >- return; >+ return status; > } > > sconn->num_requests++; >+ return NT_STATUS_OK; > } > > static int socket_error_from_errno(int ret, >-- >2.24.0.393.g34dc348eaf-goog > > >From 75463cbb4dfbcb557b99de5cbe53b146c8b1798e Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 26 Nov 2019 12:17:29 -0800 >Subject: [PATCH 2/7] s3: smbd: Ensure we exit on smbd_smb2_process_negprot() > fail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit a2d81d77c111379cbb6bd732c717307974eace0a) >--- > source3/smbd/process.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) 
> >diff --git a/source3/smbd/process.c b/source3/smbd/process.c >index 99693ed1315..4cd431bd017 100644 >--- a/source3/smbd/process.c >+++ b/source3/smbd/process.c >@@ -1961,7 +1961,14 @@ static void process_smb(struct smbXsrv_connection *xconn, > if (smbd_is_smb2_header(inbuf, nread)) { > const uint8_t *inpdu = inbuf + NBT_HDR_SIZE; > size_t pdulen = nread - NBT_HDR_SIZE; >- smbd_smb2_process_negprot(xconn, 0, inpdu, pdulen); >+ NTSTATUS status = smbd_smb2_process_negprot( >+ xconn, >+ 0, >+ inpdu, >+ pdulen); >+ if (!NT_STATUS_IS_OK(status)) { >+ exit_server_cleanly("SMB2 negprot fail"); >+ } > return; > } > if (nread >= smb_size && valid_smb_header(inbuf) >-- >2.24.0.393.g34dc348eaf-goog > > >From 0e1626dc2f78eeb44062205b3a5c311c4ec21c14 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 26 Nov 2019 12:21:06 -0800 >Subject: [PATCH 3/7] s3: smbd: Change reply_smb20xx() to return NTSTATUS. > >Not yet used. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit 836219c479b047403d2b0839a6b92ad637dbaea0) >--- > source3/smbd/smb2_negprot.c | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) > >diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c >index 2b725f30f75..fc0d884ad1d 100644 >--- a/source3/smbd/smb2_negprot.c >+++ b/source3/smbd/smb2_negprot.c >@@ -36,7 +36,7 @@ extern fstring remote_proto; > * this is the entry point if SMB2 is selected via > * the SMB negprot and the given dialect. > */ >-static void reply_smb20xx(struct smb_request *req, uint16_t dialect) >+static NTSTATUS reply_smb20xx(struct smb_request *req, uint16_t dialect) > { > uint8_t *smb2_inpdu; > uint8_t *smb2_hdr; 
>@@ -48,7 +48,7 @@ static void reply_smb20xx(struct smb_request *req, uint16_t dialect) > if (smb2_inpdu == NULL) { > DEBUG(0, ("Could not push spnego blob\n")); > reply_nterror(req, NT_STATUS_NO_MEMORY); >- return; >+ return NT_STATUS_NO_MEMORY; > } > smb2_hdr = smb2_inpdu; > smb2_body = smb2_hdr + SMB2_HDR_BODY; >@@ -64,8 +64,7 @@ static void reply_smb20xx(struct smb_request *req, uint16_t dialect) > > req->outbuf = NULL; > >- smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len); >- return; >+ return smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len); > } > > /* >-- >2.24.0.393.g34dc348eaf-goog > > >From fc25087301dec48fbdd44022db80455425beff41 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 26 Nov 2019 12:43:25 -0800 >Subject: [PATCH 4/7] s3: smbd: Change (*proto_reply_fn()) to return an > NTSTATUS. > >That way the caller can know if the negprot really >succeeded or not. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit f4caa4159bd3db5127e114718e606867348a4f47) >--- > source3/smbd/globals.h | 4 ++-- > source3/smbd/negprot.c | 29 +++++++++++++++-------------- > source3/smbd/smb2_negprot.c | 8 ++++---- > 3 files changed, 21 insertions(+), 20 deletions(-) > >diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h >index 0a4fcd96b43..9bb7b1f49c8 100644 >--- a/source3/smbd/globals.h >+++ b/source3/smbd/globals.h 
>@@ -237,8 +237,8 @@ bool smbd_smb2_is_compound(const struct smbd_smb2_request *req); > NTSTATUS smbd_add_connection(struct smbXsrv_client *client, int sock_fd, > struct smbXsrv_connection **_xconn); > >-void reply_smb2002(struct smb_request *req, uint16_t choice); >-void reply_smb20ff(struct smb_request *req, uint16_t choice); >+NTSTATUS reply_smb2002(struct smb_request *req, uint16_t choice); >+NTSTATUS reply_smb20ff(struct smb_request *req, uint16_t choice); > NTSTATUS smbd_smb2_process_negprot(struct smbXsrv_connection *xconn, > uint64_t expected_seq_low, > const uint8_t *inpdu, size_t size); >diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c >index 2d5edf1282c..3b2555e3d21 100644 >--- a/source3/smbd/negprot.c >+++ b/source3/smbd/negprot.c >@@ -66,7 +66,7 @@ static void get_challenge(struct smbXsrv_connection *xconn, uint8_t buff[8]) > Reply for the lanman 1.0 protocol. > ****************************************************************************/ > >-static void reply_lanman1(struct smb_request *req, uint16_t choice) >+static NTSTATUS reply_lanman1(struct smb_request *req, uint16_t choice) > { > int secword=0; > time_t t = time(NULL); >@@ -100,7 +100,7 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice) > status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1); > if (!NT_STATUS_IS_OK(status)) { > reply_nterror(req, status); >- return; >+ return status; > } > > /* Reply, SMBlockread, SMBwritelock supported. */ 
>@@ -115,14 +115,14 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice) > > srv_put_dos_date((char *)req->outbuf,smb_vwv8,t); > >- return; >+ return NT_STATUS_OK; > } > > /**************************************************************************** > Reply for the lanman 2.0 protocol. > ****************************************************************************/ > >-static void reply_lanman2(struct smb_request *req, uint16_t choice) >+static NTSTATUS reply_lanman2(struct smb_request *req, uint16_t choice) > { > int secword=0; > time_t t = time(NULL); >@@ -158,7 +158,7 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice) > status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2); > if (!NT_STATUS_IS_OK(status)) { > reply_nterror(req, status); >- return; >+ return status; > } > > /* Reply, SMBlockread, SMBwritelock supported. */ >@@ -169,6 +169,7 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice) > SSVAL(req->outbuf,smb_vwv5,raw); /* readbraw and/or writebraw */ > SSVAL(req->outbuf,smb_vwv10, set_server_zone_offset(t)/60); > srv_put_dos_date((char *)req->outbuf,smb_vwv8,t); >+ return NT_STATUS_OK; > } > > /**************************************************************************** >@@ -266,7 +267,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn) > Reply for the nt protocol. > ****************************************************************************/ > >-static void reply_nt1(struct smb_request *req, uint16_t choice) >+static NTSTATUS reply_nt1(struct smb_request *req, uint16_t choice) > { > /* dual names + lock_and_read + nt SMBs + remote API calls */ > int capabilities = CAP_NT_FIND|CAP_LOCK_AND_READ| 
>@@ -359,7 +360,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice) > status = smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1); > if (!NT_STATUS_IS_OK(status)) { > reply_nterror(req, status); >- return; >+ return status; > } > > SSVAL(req->outbuf,smb_vwv1+1, lp_max_mux()); /* maxmpx */ >@@ -385,7 +386,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice) > if (ret == -1) { > DEBUG(0, ("Could not push challenge\n")); > reply_nterror(req, NT_STATUS_NO_MEMORY); >- return; >+ return NT_STATUS_NO_MEMORY; > } > SCVAL(req->outbuf, smb_vwv16+1, ret); > } >@@ -395,7 +396,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice) > if (ret == -1) { > DEBUG(0, ("Could not push workgroup string\n")); > reply_nterror(req, NT_STATUS_NO_MEMORY); >- return; >+ return NT_STATUS_NO_MEMORY; > } > ret = message_push_string(&req->outbuf, lp_netbios_name(), > STR_UNICODE|STR_TERMINATE >@@ -403,7 +404,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice) > if (ret == -1) { > DEBUG(0, ("Could not push netbios name string\n")); > reply_nterror(req, NT_STATUS_NO_MEMORY); >- return; >+ return NT_STATUS_NO_MEMORY; > } > DEBUG(3,("not using SPNEGO\n")); > } else { >@@ -411,14 +412,14 @@ static void reply_nt1(struct smb_request *req, uint16_t choice) > > if (spnego_blob.data == NULL) { > reply_nterror(req, NT_STATUS_NO_MEMORY); >- return; >+ return NT_STATUS_NO_MEMORY; > } > > ret = message_push_blob(&req->outbuf, spnego_blob); > if (ret == -1) { > DEBUG(0, ("Could not push spnego blob\n")); > reply_nterror(req, NT_STATUS_NO_MEMORY); >- return; >+ return NT_STATUS_NO_MEMORY; > } > data_blob_free(&spnego_blob); > >@@ -426,7 +427,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice) > DEBUG(3,("using SPNEGO\n")); > } > >- return; >+ return NT_STATUS_OK; > } > > /* these are the protocol lists used for auto architecture detection: 
>@@ -540,7 +541,7 @@ protocol [SMB 2.???] > static const struct { > const char *proto_name; > const char *short_name; >- void (*proto_reply_fn)(struct smb_request *req, uint16_t choice); >+ NTSTATUS (*proto_reply_fn)(struct smb_request *req, uint16_t choice); > int protocol_level; > } supported_protocols[] = { > {"SMB 2.???", "SMB2_FF", reply_smb20ff, PROTOCOL_SMB2_10}, >diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c >index fc0d884ad1d..1785fcf5ee8 100644 >--- a/source3/smbd/smb2_negprot.c >+++ b/source3/smbd/smb2_negprot.c >@@ -71,20 +71,20 @@ static NTSTATUS reply_smb20xx(struct smb_request *req, uint16_t dialect) > * this is the entry point if SMB2 is selected via > * the SMB negprot and the "SMB 2.002" dialect. > */ >-void reply_smb2002(struct smb_request *req, uint16_t choice) >+NTSTATUS reply_smb2002(struct smb_request *req, uint16_t choice) > { >- reply_smb20xx(req, SMB2_DIALECT_REVISION_202); >+ return reply_smb20xx(req, SMB2_DIALECT_REVISION_202); > } > > /* > * this is the entry point if SMB2 is selected via > * the SMB negprot and the "SMB 2.???" dialect. > */ >-void reply_smb20ff(struct smb_request *req, uint16_t choice) >+NTSTATUS reply_smb20ff(struct smb_request *req, uint16_t choice) > { > struct smbXsrv_connection *xconn = req->xconn; > xconn->smb2.allow_2ff = true; >- reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF); >+ return reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF); > } > > enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn, >-- >2.24.0.393.g34dc348eaf-goog > > >From b0121ac2903308d7606423367bf16b1b18dc9669 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 26 Nov 2019 12:46:16 -0800 >Subject: [PATCH 5/7] s3: smbd: Ensure we exit if > supported_protocols[protocol].proto_reply_fn() fails. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205 
> >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit e84910d919e02feab2a297fccbbf95f333e32119) >--- > source3/smbd/negprot.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > >diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c >index 3b2555e3d21..8317dc49086 100644 >--- a/source3/smbd/negprot.c >+++ b/source3/smbd/negprot.c >@@ -580,6 +580,7 @@ void reply_negprot(struct smb_request *req) > bool signing_required = true; > int max_proto; > int min_proto; >+ NTSTATUS status; > > START_PROFILE(SMBnegprot); > >@@ -768,7 +769,11 @@ void reply_negprot(struct smb_request *req) > > fstrcpy(remote_proto,supported_protocols[protocol].short_name); > reload_services(sconn, conn_snum_used, true); >- supported_protocols[protocol].proto_reply_fn(req, choice); >+ status = supported_protocols[protocol].proto_reply_fn(req, choice); >+ if (!NT_STATUS_IS_OK(status)) { >+ exit_server_cleanly("negprot function failed\n"); >+ } >+ > DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name)); > > DBG_INFO("negprot index=%zu\n", choice); >-- >2.24.0.393.g34dc348eaf-goog > > >From bd6cf876ea4d90a2296894e7343cca46f486678c Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 2 Dec 2019 17:23:21 -0800 >Subject: [PATCH 6/7] python: tests. Add test for fuzzing smbd crash bug. > >Mark knownfail for now. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 46899ecf836d350c0c29b615869851da7d0ad6fb) >--- > python/samba/tests/smbd_fuzztest.py | 77 +++++++++++++++++++++++++++++ > selftest/knownfail.d/smb1_fuzz_smbd | 1 + > selftest/tests.py | 1 + > 3 files changed, 79 insertions(+) > create mode 100644 python/samba/tests/smbd_fuzztest.py > create mode 100644 selftest/knownfail.d/smb1_fuzz_smbd 
> >diff --git a/python/samba/tests/smbd_fuzztest.py b/python/samba/tests/smbd_fuzztest.py >new file mode 100644 >index 00000000000..900cddf3880 >--- /dev/null >+++ b/python/samba/tests/smbd_fuzztest.py 
>@@ -0,0 +1,77 @@ >+# Unix SMB/CIFS implementation. Tests for smbd fuzzing. >+# Copyright (C) Jeremy Allison 2019. >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import samba >+import os >+import binascii >+import socket >+ >+class fuzzsmbd(samba.tests.TestCase): >+ def test_bug_14205(self): >+ # >+ # badblob consists of an incorrectly >+ # terminated SMB1 Negprot, with a valid SessionSetup after. >+ # BUG: #14205 causes the smbd server to crash. 
>+ # >+ state = True; >+ badblob = binascii.a2b_base64("AAAA1P9TTUJyAAAAABhDyAAAAAAAAAAAAAAAACcA/v8AAAAAALEAAlBDIE5F" >+ "VFdPUksgUFJPR1JBTSD//jAAAk1JQ1JPU09GVCBOR1RXT1JLUyAxLjANDAJN" >+ "SR3hkXOl0mb+QXW4Da/jp0f+AAAA1P9TTUJyAAAAABgDyAAABDQAAAAAAAAA" >+ "ACcA/v8AAAAAALEAAlBDIE5FVFdPUksgUFJPR1JBFBX//jAAAk1JQ1JPU09G" >+ "VCBOR1RXT1JLUyAxLjANDAJNSR3hkUal0mb+QXW4Da/jp0f+AAAA1P9TTUJz" >+ "LTE0OEF1uA2v46dH/gqAIIwiAoRiVHWgODu8OdksJQAAAAAnAP7/AAAAAACx" >+ "AAJQQyBORVRXT1JLIFBST0dSQU0g//4wAAJNSUNST1NPRlQgTkdUV09SS1Mg" >+ "MS4wDQwCTUkd4ZFGpdJm/kF1uA2v46dH/gAAANT/U01Ccy0xNDgyMTIyOTE3" >+ "Nzk2MzIAAAAAGAPIAAAAAAAAAAAAAAAAJwD+/wAAAAAAsQACUEMgTkVUV09S" >+ "SyBQUk9HUkFNIP/+MAACTUlDUk9TT0ZUIE5HVFdPUktTIDEuMA0GAAAAAAAA" >+ "AKXSZv5BdbgNr+OnR/4AAADU/1NNQnMtMTQ4MjEyMjkxNzc5NjMyNDQ4NDNA" >+ "ujcyNjgAsQACUEMgTkVUF09SSyAgAAAAAAAAAP/+MAACTUlDUk9TT0bAIE5H" >+ "BwAtMjMxODIxMjE4MTM5OTU0ODA2OP5BdbgNr+OnR/4KgCCMIgKEYlR1oDg7" >+ "vDnZLCWy") >+ s = None >+ try: >+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) >+ s.connect(("fileserver", 445)) >+ s.send(badblob) >+ # Read the 39-byte SMB1 reply to the SMB1 Negprot. >+ # This is an error message saying the Negprot was >+ # invalid. >+ rb = s.recv(1024) >+ try: >+ # Read again to wait for the server to exit. >+ rb = s.recv(1024) >+ except socket.error as e: >+ # We expect a socket error here as >+ # in both success and fail cases the >+ # server just resets the connection. >+ pass >+ finally: >+ pass >+ finally: >+ if s is not None: >+ s.close() >+ # >+ # If the server crashed there is the >+ # following message in the debug log. >+ # >+ for line in open(os.environ['SMBD_TEST_LOG']): >+ if "INTERNAL ERROR: Signal 11 in pid" in line: >+ print("Found crash in smbd log") >+ state = False; >+ break >+ self.assertTrue(state) >diff --git a/selftest/knownfail.d/smb1_fuzz_smbd b/selftest/knownfail.d/smb1_fuzz_smbd >new file mode 100644 >index 00000000000..82b1b26254f >--- /dev/null >+++ b/selftest/knownfail.d/smb1_fuzz_smbd 
>@@ -0,0 +1 @@ >+^samba.tests.smbd_fuzztest >diff --git a/selftest/tests.py b/selftest/tests.py >index c9529328359..5d7d8eebeda 100644 >--- a/selftest/tests.py >+++ b/selftest/tests.py >@@ -87,6 +87,7 @@ planpythontestsuite("none", "samba.tests.s3registry", py3_compatible=True) > planpythontestsuite("none", "samba.tests.s3windb", py3_compatible=True) > planpythontestsuite("none", "samba.tests.s3idmapdb", py3_compatible=True) > planpythontestsuite("none", "samba.tests.samba3sam") >+planpythontestsuite("fileserver", "samba.tests.smbd_fuzztest") > planpythontestsuite( > "none", "wafsamba.tests.test_suite", > extra_path=[os.path.join(samba4srcdir, "..", "buildtools"), >-- >2.24.0.393.g34dc348eaf-goog > > >From 7b8f051579068c61fd5387e92632f29ba62de437 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 26 Nov 2019 12:53:09 -0800 >Subject: [PATCH 7/7] s3: smbd: Only set xconn->smb1.negprot.done = true after > supported_protocols[protocol].proto_reply_fn() succeeds. > >Otherwise we can end up with negprot.done set, but >without smbXsrv_connection_init_tables() being called. > >This can cause a client self-crash. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Wed Dec 4 21:27:24 UTC 2019 on sn-devel-184 > >(cherry picked from commit 8db0c1bff6f42feabd2e4d9dfb13ae12cc29607b) >--- > selftest/knownfail.d/smb1_fuzz_smbd | 1 - > source3/smbd/negprot.c | 3 ++- > 2 files changed, 2 insertions(+), 2 deletions(-) > delete mode 100644 selftest/knownfail.d/smb1_fuzz_smbd > >diff --git a/selftest/knownfail.d/smb1_fuzz_smbd b/selftest/knownfail.d/smb1_fuzz_smbd >deleted file mode 100644 >index 82b1b26254f..00000000000 >--- a/selftest/knownfail.d/smb1_fuzz_smbd >+++ /dev/null >@@ -1 +0,0 @@ >-^samba.tests.smbd_fuzztest 
>diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c >index 8317dc49086..e77c8f52261 100644 >--- a/source3/smbd/negprot.c >+++ b/source3/smbd/negprot.c >@@ -588,7 +588,6 @@ void reply_negprot(struct smb_request *req) > END_PROFILE(SMBnegprot); > exit_server_cleanly("multiple negprot's are not permitted"); > } >- xconn->smb1.negprot.done = true; > > if (req->buflen == 0) { > DEBUG(0, ("negprot got no protocols\n")); >@@ -778,6 +777,8 @@ void reply_negprot(struct smb_request *req) > > DBG_INFO("negprot index=%zu\n", choice); > >+ xconn->smb1.negprot.done = true; >+ > /* We always have xconn->smb1.signing_state also for >= SMB2_02 */ > signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state); > if (signing_required && (chosen_level < PROTOCOL_NT1)) { >-- >2.24.0.393.g34dc348eaf-goog >
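Review bot: The new NTSTATUS return of smbd_smb2_process_negprot() (PATCH 1/7, source3/smbd/smb2_server.c and the prototype in globals.h) is undocumented, and every non-OK return follows a call to smbd_server_connection_terminate(xconn, nt_errstr(status)). A short comment above the function saying that a non-OK status means the connection has already been terminated would stop future callers from handling the failure a second time or using xconn afterwards.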
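Review bot: In reply_nt1() (PATCH 4/7, source3/smbd/negprot.c, the hunk at -411) the message_push_blob() failure path returns NT_STATUS_NO_MEMORY before data_blob_free(&spnego_blob) is reached, so the blob is not freed on that path. Since these returns are being rewritten anyway, free the blob before the early return, or free it directly after the push and test ret afterwards, so the error path releases the same memory as the success path.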
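Review bot: The new failure branch in reply_negprot() (PATCH 5/7, source3/smbd/negprot.c) calls exit_server_cleanly() without END_PROFILE(SMBnegprot), although START_PROFILE(SMBnegprot) is visible at the top of the function and the existing "multiple negprot's are not permitted" exit ends the profile first. Add END_PROFILE(SMBnegprot) before the exit, and drop the trailing \n from "negprot function failed\n", which the other exit_server_cleanly() strings in this series do not carry. The status itself is discarded here; a debug line with nt_errstr(status) would record which failure stopped the negotiation.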
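Review bot: test_bug_14205() in the new python/samba/tests/smbd_fuzztest.py (PATCH 6/7) sets no timeout on the socket, so if the server neither replies nor resets the connection, the first s.recv(1024) blocks indefinitely and hangs the test run; call s.settimeout() right after creating the socket. s.send(badblob) may also return after a partial write, so s.sendall(badblob) is the safer call. Smaller points: the file from open(os.environ['SMBD_TEST_LOG']) is never closed (use a with block), the scan matches any "INTERNAL ERROR: Signal 11 in pid" line in that log, including one left by an earlier test, the host name in s.connect(("fileserver", 445)) is a literal rather than taken from the test environment, and "import sys", the inner "finally: pass" and the trailing semicolons on the two state assignments can be removed.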
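Review bot: Moving xconn->smb1.negprot.done = true below the proto_reply_fn() call in reply_negprot() (PATCH 7/7, source3/smbd/negprot.c) means that any error path between the "multiple negprot's are not permitted" check and the new assignment, such as the req->buflen == 0 case, now leaves done unset, so the guard no longer rejects a second negprot after a failed first one. Confirm that each of those paths either ends the connection or is safe to re-enter, and add a comment at the new assignment saying it must follow a successful proto_reply_fn() so that smbXsrv_connection_init_tables() has already run, as the commit message explains.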
Flags: slow: review+