Attachment 17990 Details for Bug 15426 – fake smb server that triggers a use-after-free in smbclient

fake smb server that triggers a use-after-free in smbclient

smc1b.c (text/x-csrc), 1.27 KB, created by Robert Morris on 2023-07-20 14:41:26 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Morris

Created: 2023-07-20 14:41:26 UTC

Size: 1.27 KB

patch

obsolete

>#include <stdio.h>
>#include <string.h>
>#include <stdlib.h>
>#include <unistd.h>
>#include <sys/socket.h>
>#include <sys/time.h>
>#include <sys/types.h>
>#include <sys/ioctl.h>
>#include <netinet/in.h>
>#include <sys/wait.h>
>#include <sys/resource.h>
>#include <arpa/inet.h>
>#include <assert.h>
>#include <ctype.h>
>#include <fcntl.h>
>#include <signal.h>
>
>
>int s = -1;
>
>int
>readn(void *bufx, int n)
>{
>  char *buf = bufx;
>  while(n > 0){
>    int cc = read(s, buf, n);
>    if(cc <= 0)
>      return -1;
>    n -= cc;
>    buf += cc;
>  }
>  return 0;
>}
>
>int
>readmsg(void *bufx)
>{
>  unsigned char *buf = bufx;
>  if(readn(buf, 4) < 0)
>    return -1;
>  int n = (buf[2] << 8) | buf[3];
>  if(readn(buf+4, n) < 0)
>    return -1;
>  return n + 4;
>}
>  
>
>int
>main()
>{
>  signal(SIGPIPE, SIG_IGN);
>
>  struct sockaddr_in sin;
>  memset(&sin, 0, sizeof(sin));
>  sin.sin_family = AF_INET;
>  sin.sin_port = htons(445); // SMB over TCP
>
>  int ss = socket(AF_INET, SOCK_STREAM, 0);
>  int yes = 1;
>  setsockopt(ss, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes));
>  if(bind(ss, (struct sockaddr *)&sin, sizeof(sin)) < 0){
>    perror("bind");
>    exit(1);
>  }
>  listen(ss, 10);
>
>  socklen_t sinlen = sizeof(sin);
>  s = accept(ss, (struct sockaddr *)&sin, &sinlen);
>  if(s < 0){
>    perror("accept");
>    exit(1);
>  }
>  close(ss);
>
>  sleep(100);
>}

Actions: View

Attachments on bug 15426: 17990 | 18066