The Samba-Bugzilla – Bug 1004
If server string contains a single quote the server is not on the browse list
Last modified: 2005-11-14 09:29:07 UTC
If the server comment, contained in the smb.conf parameter "server string"
contains a single quote, the server disappears from the browse list. This proble
appeared between 3.0.1RC1 and 3.0.1RC2. I have not reported this earlier because
I was unable to determine wether the disappearing server was caused by an actual
bug or something had changed in the config that I missed. I am now able to
reproduce the error consistently from 3.0.1RC2 up until 3.0.2RC1. Both the
binary builds from ie.samba.org and "home grown" rpm's exibit this behavior.
PII, PIII and athlon machines all have this problem. I use redhat9, fully
patched with all official RedHat patches on all machines.
The problem also occurs if you put a single quote in the description of a W2K
The description/server string shows up properly in browse.dat, in other words,
the problem does not appear to be in the receiving of the description.
This problem persists in 3.02 and 3.02a. It seems that it may be a bit more
serious than reported. I've found that invalid characters in the Windows XP
or 2000 registry key:
can cause strange behavior of the Samba server itself. This is the key that
stores the "server string".
While I was testing it last night, I noticed that if I included the | symbol
in a combination with other odd symbols including a "'", I could cause the
server to dump the string buffer back to the workstations on the network,
which caused the workstation to lockup browsing the network. It seems
the "server string" value is being treated, at least by nmbd as a trusted and
properly formed text string, and there is no checking to see if that is so.
Also, since anyone with a small bit of information can edit this registry key
on their workstation, there is no way to enforce integrity of this value.
I'm not sure if this is a security problem, but it definatly can cause an
overflow condition which could lead to a security problem. Not being familier
with the samba code (and not a great C programmer), I don't know where to
start looking for the problem, but it should be addressed.
*** Bug 1006 has been marked as a duplicate of this bug. ***
*** Bug 1104 has been marked as a duplicate of this bug. ***
Bug 1221 has a patch. closing this one.
*** This bug has been marked as a duplicate of 1221 ***