Bug 1004 - If server string contains a single quote the server is not on the browse list
Summary: If server string contains a single quote the server is not on the browse list
Status: RESOLVED DUPLICATE of bug 1221
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: nmbd
Version: 3.0.1
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Duplicates: 1006 1104
Reported: 2004-01-25 13:20 UTC by Hugo Van den Berg
Modified: 2005-11-14 09:29 UTC

Description Hugo Van den Berg 2004-01-25 13:20:53 UTC
If the server comment, contained in the smb.conf parameter "server string",
contains a single quote, the server disappears from the browse list. This problem
appeared between 3.0.1RC1 and 3.0.1RC2. I have not reported this earlier because
I was unable to determine whether the disappearing server was caused by an actual
bug or something had changed in the config that I missed. I am now able to
reproduce the error consistently from 3.0.1RC2 up until 3.0.2RC1. Both the
binary builds from ie.samba.org and "home grown" RPMs exhibit this behavior.
PII, PIII and Athlon machines all have this problem. I use redhat9, fully
patched with all official RedHat patches on all machines.
Comment 1 Hugo Van den Berg 2004-01-26 11:06:09 UTC
The problem also occurs if you put a single quote in the description of a W2K
client.

The description/server string shows up properly in browse.dat, in other words,
the problem does not appear to be in the receiving of the description.
Comment 2 James Shanks 2004-02-26 06:37:50 UTC
This problem persists in 3.02 and 3.02a.  It seems that it may be a bit more 
serious than reported.  I've found that invalid characters in the Windows XP 
or 2000 registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameter\srvcomment
can cause strange behavior of the Samba server itself.  This is the key that 
stores the "server string".
While I was testing it last night, I noticed that if I included the | symbol 
in a combination with other odd symbols including a "'", I could cause the 
server to dump the string buffer back to the workstations on the network, 
which caused the workstation to lock up browsing the network.  It seems 
the "server string" value is being treated, at least by nmbd as a trusted and 
properly formed text string, and there is no checking to see if that is so.  
Also, since anyone with a small bit of information can edit this registry key 
on their workstation, there is no way to enforce integrity of this value.

I'm not sure if this is a security problem, but it definitely can cause an 
overflow condition which could lead to a security problem.  Not being familiar 
with the samba code (and not a great C programmer), I don't know where to 
start looking for the problem, but it should be addressed.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2004-03-04 10:19:48 UTC
*** Bug 1006 has been marked as a duplicate of this bug. ***
Comment 4 Gerald (Jerry) Carter (dead mail address) 2004-03-18 10:16:26 UTC
*** Bug 1104 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter (dead mail address) 2004-03-31 07:22:05 UTC
Bug 1221 has a patch.  Closing this one.

*** This bug has been marked as a duplicate of 1221 ***
Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:29:07 UTC
database cleanup