Bug 10100 - rpcclient crashes when sending the 'netshareenum 502' command
Product: Samba 3.6
Classification: Unclassified
Component: Client Tools
x64 Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Jeremy Allison
Samba QA Contact
Depends on:
Reported: 2013-08-20 17:45 UTC by Alexander Sack
Modified: 2013-08-21 14:33 UTC (History)

See Also:

wireshark pcap file showing the problem. (16.71 KB, application/vnd.tcpdump.pcap)
2013-08-20 17:51 UTC, Jeremy Allison
Trace showing WERR_MORE_DATA case (16.38 KB, application/octet-stream)
2013-08-21 14:31 UTC, Alexander Sack

Description Alexander Sack 2013-08-20 17:45:06 UTC
I am on Fedora 13 x64-64 running with samba-client-3.6.13. When I issue the following command:

$ rpcclient -U Administrator%<pass> -c 'netshareenum 502' <FQDN of server>
Segmentation fault (core dumped)

The problem is the "totalentries" count is larger than the actual size of the array of SHARE_502_INFO structures. This condition causes rpcclient to shoot past the end of the array and SEGV.

A small snippet of gdb for illustration purposes notes while in cmd_srvsvc_net_share_enum_int (source3/rpcclient/cmd_srvsvc.c):

(gdb) p *info_ctr.ctr.ctr502
$9 = {
  count = 34, 
  array = 0x67a140
(gdb) p totalentries 
$10 = 35

The "count" needs to be used for the loop that displays the results, not total entries.
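The loop-bound mistake described above, shown as an added illustration rather than Samba's own code: the structs are hypothetical stand-ins for the generated SHARE_502 container, and the sample share list is constructed. The array carries its own element count, so that count, not the server-reported totalentries, is the only safe loop bound; a larger totalentries merely signals that the server has more entries to return.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical simplified stand-ins for the IDL-generated Samba types. */
struct share_info_502 {
    const char *name;
    const char *comment;
};

struct share_ctr502 {
    uint32_t count;                 /* entries actually unmarshalled into array */
    struct share_info_502 *array;
};

/* Buggy form (never called here): bounds the loop on the server-reported
 * totalentries, so array[i] is read past its end whenever
 * totalentries > ctr->count. This is the read that makes rpcclient SEGV. */
size_t display_shares_buggy(const struct share_ctr502 *ctr, uint32_t totalentries)
{
    for (uint32_t i = 0; i < totalentries; i++)
        printf("%-16s %s\n", ctr->array[i].name, ctr->array[i].comment);
    return totalentries;
}

/* Fixed form: iterate over what was actually received. Returns the number of
 * entries shown; *more_data is set when the server reports more shares than
 * it delivered in this reply (the WERR_MORE_DATA situation). */
static size_t display_shares(const struct share_ctr502 *ctr, uint32_t totalentries,
                             bool *more_data)
{
    for (uint32_t i = 0; i < ctr->count; i++)
        printf("%-16s %s\n", ctr->array[i].name, ctr->array[i].comment);
    *more_data = totalentries > ctr->count;
    return ctr->count;
}

/* Constructed sample: `count` shares unmarshalled, server claims `totalentries`. */
static struct share_info_502 sample[] = {
    { "ADMIN$", "Remote Admin" }, { "C$", "Default share" },
    { "IPC$", "Remote IPC" },     { "public", "constructed sample share" },
};

static size_t demo_shown(uint32_t count, uint32_t totalentries, bool *more)
{
    assert(count <= sizeof(sample) / sizeof(sample[0]));
    struct share_ctr502 ctr = { count, sample };
    return display_shares(&ctr, totalentries, more);
}

static bool demo_more(uint32_t count, uint32_t totalentries)
{
    bool more;
    demo_shown(count, totalentries, &more);
    return more;
}

int main(void)
{
    bool more;
    size_t n = demo_shown(3, 4, &more);   /* count 3, server claims 4: no overrun */
    printf("shown=%zu more_data=%s\n", n, more ? "yes" : "no");
    return 0;
}
```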
Comment 1 Jeremy Allison 2013-08-20 17:51:14 UTC
Created attachment 9153 [details]
wireshark pcap file showing the problem.
Comment 2 Alexander Sack 2013-08-21 14:31:30 UTC
Created attachment 9155 [details]
Trace showing WERR_MORE_DATA case
Comment 3 Alexander Sack 2013-08-21 14:33:18 UTC
Added an attachment that shows WERR_MORE_DATA case on a Windows 2008 server.

Total number of shares is only 26 but via info level 2 command.

Looking more at the code, it seems NetShareEnum isn't really equipped to handle WERR_MORE_DATA scenarios.

Still investigating.