The Samba-Bugzilla – Attachment 18047 Details for
Bug 15420
reply_sesssetup_and_X() can dereference uninitialized tmp pointer
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.17.next
bug-15420-4.17.patch (text/plain), 13.15 KB, created by
Jeremy Allison
on 2023-08-14 17:14:41 UTC
(
hide
)
Description:
git-am fix for 4.17.next
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2023-08-14 17:14:41 UTC
Size:
13.15 KB
patch
obsolete
>From ab79ecf317bb86f5b44886f59f860d86a0aca405 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 11 Aug 2023 10:38:23 -0700 >Subject: [PATCH 1/5] s3: smbd: Deliberately currupt an uninitialized pointer. > >We will need this to show smbd crashing in the test code. >This will be removed once we're passing the test. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit e7bf94b4e3a7f994aa6f0b859089c5add2ad380f) >--- > source3/smbd/smb1_sesssetup.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/smb1_sesssetup.c b/source3/smbd/smb1_sesssetup.c >index 78dd09199aa..785c9d5da13 100644 >--- a/source3/smbd/smb1_sesssetup.c >+++ b/source3/smbd/smb1_sesssetup.c >@@ -581,7 +581,7 @@ void reply_sesssetup_and_X(struct smb_request *req) > struct reply_sesssetup_and_X_state *state = NULL; > uint64_t sess_vuid; > uint16_t smb_bufsize; >- char *tmp; >+ char *tmp = (char *)0xDEADBEEF; > fstring sub_user; /* Sanitised username for substitution */ > const char *native_os; > const char *native_lanman; >-- >2.34.1 > > >From cb485070395a6d1c4d76dbc16d2168a71b5ab596 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 11 Aug 2023 10:39:36 -0700 >Subject: [PATCH 2/5] s3: torture: Add SMB1-TRUNCATED-SESSSETUP test. > >Shows that we indirect through an uninitialized pointer and the client crashes >it's own smbd. > >Add knownfail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(back-ported from commit 963fd8aa9b76361ab9aeb63307773f2498b17879) >--- > selftest/knownfail.d/smb1_truncated_sessetup | 1 + > source3/selftest/tests.py | 11 ++ > source3/torture/torture.c | 181 +++++++++++++++++++ > 3 files changed, 193 insertions(+) > create mode 100644 selftest/knownfail.d/smb1_truncated_sessetup > >diff --git a/selftest/knownfail.d/smb1_truncated_sessetup b/selftest/knownfail.d/smb1_truncated_sessetup >new file mode 100644 >index 00000000000..2ecdbd867a9 >--- /dev/null >+++ b/selftest/knownfail.d/smb1_truncated_sessetup >@@ -0,0 +1 @@ >+^samba3.smbtorture_s3.smb1.SMB1-TRUNCATED-SESSSETUP.smbtorture\(fileserver_smb1\) >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 360351336a2..dbf70bbe715 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -203,6 +203,17 @@ plantestsuite("samba3.smbtorture_s3.hidenewfiles(fileserver_smb1)", > "", > "-l $LOCAL_PATH"]) > >+plantestsuite("samba3.smbtorture_s3.smb1.SMB1-TRUNCATED-SESSSETUP", >+ "fileserver_smb1", >+ [os.path.join(samba3srcdir, >+ "script/tests/test_smbtorture_s3.sh"), >+ 'SMB1-TRUNCATED-SESSSETUP', >+ '//$SERVER_IP/tmp', >+ '$USERNAME', >+ '$PASSWORD', >+ smbtorture3, >+ "-mNT1"]) >+ > # > # MSDFS attribute tests. > # >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index cd32156ae42..e6b34c4a43c 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -14638,6 +14638,182 @@ static bool run_local_canonicalize_path(int dummy) > } > return true; > } >+struct session_setup_nt1_truncated_state { >+ uint16_t vwv[13]; >+ uint8_t bytes[20]; >+}; >+ >+static void smb1_session_setup_nt1_truncated_done(struct tevent_req *subreq); >+ >+static struct tevent_req *smb1_session_setup_nt1_truncated_send( >+ TALLOC_CTX *mem_ctx, >+ struct tevent_context *ev, >+ struct smbXcli_conn *conn) >+{ >+ uint16_t *vwv = NULL; >+ uint8_t *bytes = NULL; >+ const char *pass = "12345678"; >+ const char *uname = "z"; >+ struct session_setup_nt1_truncated_state *state = NULL; >+ struct tevent_req *req = NULL; >+ struct tevent_req *subreq = NULL; >+ >+ req = tevent_req_create(mem_ctx, >+ &state, >+ struct session_setup_nt1_truncated_state); >+ if (req == NULL) { >+ return NULL; >+ } >+ vwv = &state->vwv[0]; >+ bytes = &state->bytes[0]; >+ >+ SCVAL(vwv+0, 0, 0xff); >+ SCVAL(vwv+0, 1, 0); >+ SSVAL(vwv+1, 0, 0); >+ SSVAL(vwv+2, 0, 8192); >+ SSVAL(vwv+3, 0, 2); >+ SSVAL(vwv+4, 0, 1); >+ SIVAL(vwv+5, 0, 0); >+ SSVAL(vwv+7, 0, strlen(pass)); /* OEMPasswordLen */ >+ SSVAL(vwv+8, 0, 0); /* UnicodePasswordLen */ >+ SSVAL(vwv+9, 0, 0); /* reserved */ >+ SSVAL(vwv+10, 0, 0); /* reserved */ >+ SIVAL(vwv+11, 0, CAP_STATUS32); >+ >+ memcpy(bytes, pass, strlen(pass)); >+ bytes += strlen(pass); >+ memcpy(bytes, uname, strlen(uname)+1); >+ >+ subreq = smb1cli_req_send(state, ev, conn, >+ SMBsesssetupX, >+ 0, /* additional_flags */ >+ 0, /* clear_flags */ >+ 0, /* additional_flags2 */ >+ 0, /* clear_flags2 */ >+ 10000, /* timeout_msec */ >+ getpid(), >+ NULL, /* tcon */ >+ NULL, /* session */ >+ 13, /* wct */ >+ state->vwv, >+ strlen(pass), /* Truncate length at password. */ >+ state->bytes); >+ if (tevent_req_nomem(subreq, req)) { >+ return tevent_req_post(req, ev); >+ } >+ tevent_req_set_callback(subreq, >+ smb1_session_setup_nt1_truncated_done, >+ req); >+ return req; >+} >+ >+static void smb1_session_setup_nt1_truncated_done(struct tevent_req *subreq) >+{ >+ struct tevent_req *req = >+ tevent_req_callback_data(subreq, >+ struct tevent_req); >+ struct session_setup_nt1_truncated_state *state = >+ tevent_req_data(req, >+ struct session_setup_nt1_truncated_state); >+ NTSTATUS status; >+ struct smb1cli_req_expected_response expected[] = { >+ { >+ .status = NT_STATUS_OK, >+ .wct = 3, >+ }, >+ }; >+ >+ status = smb1cli_req_recv(subreq, state, >+ NULL, >+ NULL, >+ NULL, >+ NULL, >+ NULL, /* pvwv_offset */ >+ NULL, >+ NULL, >+ NULL, /* pbytes_offset */ >+ NULL, >+ expected, ARRAY_SIZE(expected)); >+ TALLOC_FREE(subreq); >+ if (tevent_req_nterror(req, status)) { >+ return; >+ } >+ tevent_req_done(req); >+} >+ >+static NTSTATUS smb1_session_setup_nt1_truncated_recv(struct tevent_req *req) >+{ >+ return tevent_req_simple_recv_ntstatus(req); >+} >+ >+static bool run_smb1_truncated_sesssetup(int dummy) >+{ >+ struct tevent_context *ev; >+ struct tevent_req *req; >+ struct smbXcli_conn *conn; >+ struct sockaddr_storage ss; >+ NTSTATUS status; >+ int fd; >+ bool ok; >+ >+ printf("Starting send truncated SMB1 sesssetup.\n"); >+ >+ ok = resolve_name(host, &ss, 0x20, true); >+ if (!ok) { >+ d_fprintf(stderr, "Could not resolve name %s\n", host); >+ return false; >+ } >+ >+ status = open_socket_out(&ss, 445, 10000, &fd); >+ if (!NT_STATUS_IS_OK(status)) { >+ d_fprintf(stderr, "open_socket_out failed: %s\n", >+ nt_errstr(status)); >+ return false; >+ } >+ >+ conn = smbXcli_conn_create(talloc_tos(), fd, host, SMB_SIGNING_OFF, 0, >+ NULL, 0, NULL); >+ if (conn == NULL) { >+ d_fprintf(stderr, "smbXcli_conn_create failed\n"); >+ return false; >+ } >+ >+ status = smbXcli_negprot(conn, 0, PROTOCOL_NT1, PROTOCOL_NT1); >+ if (!NT_STATUS_IS_OK(status)) { >+ d_fprintf(stderr, "smbXcli_negprot failed!\n"); >+ return false; >+ } >+ >+ ev = samba_tevent_context_init(talloc_tos()); >+ if (ev == NULL) { >+ d_fprintf(stderr, "samba_tevent_context_init failed\n"); >+ return false; >+ } >+ >+ req = smb1_session_setup_nt1_truncated_send(ev, ev, conn); >+ if (req == NULL) { >+ d_fprintf(stderr, "smb1_session_setup_nt1_truncated_send failed\n"); >+ return false; >+ } >+ >+ ok = tevent_req_poll_ntstatus(req, ev, &status); >+ if (!ok) { >+ d_fprintf(stderr, "tevent_req_poll failed with status %s\n", >+ nt_errstr(status)); >+ return false; >+ } >+ >+ status = smb1_session_setup_nt1_truncated_recv(req); >+ if (!NT_STATUS_IS_OK(status)) { >+ d_fprintf(stderr, "smb1_session_setup_nt1_truncated_recv returned " >+ "%s, expected NT_STATUS_OK\n", >+ nt_errstr(status)); >+ return false; >+ } >+ >+ TALLOC_FREE(conn); >+ return true; >+} > > static bool run_ign_bad_negprot(int dummy) > { >@@ -14714,6 +14890,7 @@ static bool run_ign_bad_negprot(int dummy) > return true; > } > >+ > static double create_procs(bool (*fn)(int), bool *result) > { > int i, status; >@@ -15366,6 +15543,10 @@ static struct { > .name = "OPLOCK-CANCEL", > .fn = run_oplock_cancel, > }, >+ { >+ .name = "SMB1-TRUNCATED-SESSSETUP", >+ .fn = run_smb1_truncated_sesssetup, >+ }, > { > .name = "PIDHIGH", > .fn = run_pidhigh, >-- >2.34.1 > > >From 4d637a6cf4613b4800f9307143e62b36e719289e Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 11 Aug 2023 10:42:41 -0700 >Subject: [PATCH 3/5] s3: smbd: Ensure srvstr_pull_req_talloc() always NULLs > out *dest. > >Robert Morris <rtm@lcs.mit.edu> noticed that in the case >where srvstr_pull_req_talloc() is being called with >buffer remaining == 0, we don't NULL out the destination >pointed which is *always* done in the codepaths inside >pull_string_talloc(). This prevents a crash in the caller. > >Remove knownfail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit 9220c45cc191b34e293190f6a923ba463edd5db9) >--- > selftest/knownfail.d/smb1_truncated_sessetup | 1 - > source3/smbd/smb2_reply.c | 1 + > 2 files changed, 1 insertion(+), 1 deletion(-) > delete mode 100644 selftest/knownfail.d/smb1_truncated_sessetup > >diff --git a/selftest/knownfail.d/smb1_truncated_sessetup b/selftest/knownfail.d/smb1_truncated_sessetup >deleted file mode 100644 >index 2ecdbd867a9..00000000000 >--- a/selftest/knownfail.d/smb1_truncated_sessetup >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.smbtorture_s3.smb1.SMB1-TRUNCATED-SESSSETUP.smbtorture\(fileserver_smb1\) >diff --git a/source3/smbd/smb2_reply.c b/source3/smbd/smb2_reply.c >index abd9b928b7e..16d132e0acf 100644 >--- a/source3/smbd/smb2_reply.c >+++ b/source3/smbd/smb2_reply.c >@@ -548,6 +548,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, > ssize_t bufrem = smbreq_bufrem(req, src); > > if (bufrem == 0) { >+ *dest = NULL; > return 0; > } > >-- >2.34.1 > > >From dd1eae67d81b8d3db6911f0fba845eaa90f03f7f Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 11 Aug 2023 10:47:28 -0700 >Subject: [PATCH 4/5] s3: smbd: Uncorrupt the pointer we were using to prove a > crash. > >Rather than restore to uninitialized, set to NULL as per >modern coding practices. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420 >Reviewed-by: Volker Lendecke <vl@samba.org> > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >(cherry picked from commit 5bc50d2ea4444244721e72b4264311c7005d2f3c) >--- > source3/smbd/smb1_sesssetup.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/smbd/smb1_sesssetup.c b/source3/smbd/smb1_sesssetup.c >index 785c9d5da13..29302f9c56b 100644 >--- a/source3/smbd/smb1_sesssetup.c >+++ b/source3/smbd/smb1_sesssetup.c >@@ -581,7 +581,7 @@ void reply_sesssetup_and_X(struct smb_request *req) > struct reply_sesssetup_and_X_state *state = NULL; > uint64_t sess_vuid; > uint16_t smb_bufsize; >- char *tmp = (char *)0xDEADBEEF; >+ char *tmp = NULL; > fstring sub_user; /* Sanitised username for substitution */ > const char *native_os; > const char *native_lanman; >-- >2.34.1 > > >From c52f2b8542630015e3659100f19ba1766e6ff269 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 11 Aug 2023 10:52:31 -0700 >Subject: [PATCH 5/5] s3: smbd: Ensure all callers to srvstr_pull_req_talloc() > pass a zeroed-out dest pointer. > >Now we've fixed srvstr_pull_req_talloc() this isn't >strictly needed, but ensuring pointers are initialized >is best practice to avoid future bugs. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> > >Autobuild-User(master): Volker Lendecke <vl@samba.org> >Autobuild-Date(master): Mon Aug 14 15:55:43 UTC 2023 on atb-devel-224 > >(cherry picked from commit 5379b8d557a9a16b81eafb87b60b81debc4bfccb) >--- > source3/smbd/smb1_ipc.c | 2 +- > source3/smbd/smb1_message.c | 2 +- > source3/smbd/smb1_sesssetup.c | 2 +- > 3 files changed, 3 insertions(+), 3 deletions(-) > >diff --git a/source3/smbd/smb1_ipc.c b/source3/smbd/smb1_ipc.c >index 1f289e4fc3a..66e58e6c099 100644 >--- a/source3/smbd/smb1_ipc.c >+++ b/source3/smbd/smb1_ipc.c >@@ -688,7 +688,7 @@ void reply_trans(struct smb_request *req) > return; > } > >- if ((state = talloc(conn, struct trans_state)) == NULL) { >+ if ((state = talloc_zero(conn, struct trans_state)) == NULL) { > DEBUG(0, ("talloc failed\n")); > reply_nterror(req, NT_STATUS_NO_MEMORY); > END_PROFILE(SMBtrans); >diff --git a/source3/smbd/smb1_message.c b/source3/smbd/smb1_message.c >index 6894aa52ec0..edce398dd7e 100644 >--- a/source3/smbd/smb1_message.c >+++ b/source3/smbd/smb1_message.c >@@ -161,7 +161,7 @@ void reply_sends(struct smb_request *req) > return; > } > >- state = talloc(talloc_tos(), struct msg_state); >+ state = talloc_zero(talloc_tos(), struct msg_state); > > p = req->buf + 1; > p += srvstr_pull_req_talloc( >diff --git a/source3/smbd/smb1_sesssetup.c b/source3/smbd/smb1_sesssetup.c >index 29302f9c56b..a812d375d63 100644 >--- a/source3/smbd/smb1_sesssetup.c >+++ b/source3/smbd/smb1_sesssetup.c >@@ -86,7 +86,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) > DATA_BLOB in_blob; > DATA_BLOB out_blob = data_blob_null; > size_t bufrem; >- char *tmp; >+ char *tmp = NULL; > const char *native_os; > const char *native_lanman; > const char *primary_domain; >-- >2.34.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
vl
:
review+
Actions:
View
Attachments on
bug 15420
:
17984
|
18042
|
18044
|
18046
| 18047