Bug 1004 - If server string contains a single quote the server is not on the browse list
Status: RESOLVED DUPLICATE of bug 1221
Product: Samba 3.0
Classification: Unclassified
Component: nmbd
Version: 3.0.1
Hardware: All Linux
Importance: P3 normal
Assigned To: Gerald (Jerry) Carter
Duplicates: 1006 1104
Reported: 2004-01-25 13:20 UTC by Hugo Van den Berg
Modified: 2005-11-14 09:29 UTC
Description Hugo Van den Berg 2004-01-25 13:20:53 UTC
If the server comment, contained in the smb.conf parameter "server string",
contains a single quote, the server disappears from the browse list. This problem
appeared between 3.0.1RC1 and 3.0.1RC2. I have not reported this earlier because
I was unable to determine whether the disappearing server was caused by an actual
bug or something had changed in the config that I missed. I am now able to
reproduce the error consistently from 3.0.1RC2 up until 3.0.2RC1. Both the
binary builds from ie.samba.org and "home grown" RPMs exhibit this behavior.
PII, PIII and Athlon machines all have this problem. I use Red Hat 9, fully
patched with all official RedHat patches on all machines.
Comment 1 Hugo Van den Berg 2004-01-26 11:06:09 UTC
The problem also occurs if you put a single quote in the description of a W2K
client.

The description/server string shows up properly in browse.dat, in other words,
the problem does not appear to be in the receiving of the description.
Comment 2 James Shanks 2004-02-26 06:37:50 UTC
This problem persists in 3.02 and 3.02a.  It seems that it may be a bit more 
serious than reported.  I've found that invalid characters in the Windows XP 
or 2000 registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameter\srvcomment
can cause strange behavior of the Samba server itself.  This is the key that 
stores the "server string".
While I was testing it last night, I noticed that if I included the | symbol 
in a combination with other odd symbols including a "'", I could cause the 
server to dump the string buffer back to the workstations on the network, 
which caused the workstation to lock up browsing the network.  It seems 
the "server string" value is being treated, at least by nmbd, as a trusted and 
properly formed text string, and there is no checking to see if that is so.  
Also, since anyone with a small bit of information can edit this registry key 
on their workstation, there is no way to enforce integrity of this value.

I'm not sure if this is a security problem, but it definitely can cause an 
overflow condition which could lead to a security problem.  Not being familiar 
with the samba code (and not a great C programmer), I don't know where to 
start looking for the problem, but it should be addressed.
Comment 3 Gerald (Jerry) Carter 2004-03-04 10:19:48 UTC
*** Bug 1006 has been marked as a duplicate of this bug. ***
Comment 4 Gerald (Jerry) Carter 2004-03-18 10:16:26 UTC
*** Bug 1104 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter 2004-03-31 07:22:05 UTC
Bug 1221 has a patch.  Closing this one.

*** This bug has been marked as a duplicate of 1221 ***
Comment 6 Gerald (Jerry) Carter 2005-11-14 09:29:07 UTC
database cleanup