In cliconnect.c:cli_session_setup_nt1(), on line 314:

    SMBNTencrypt(pass,cli->secblob.data,nt_response.data);

passes a cli->secblob.data that is zero. Eventually, smbhash tries to dereference this, which causes a segfault. Here's the backtrace. Note that the argument "in=0x0" is dereferenced as an array on line smbdes.c:290.

(gdb) bt
#0  0x400938c2 in smbhash (out=0x80f38a8 "È#\023BÈ#\023Bd talloc", ' ' <repeats 11 times>, in=0x0, key=0xbfffcf08 "1ÖÏàÑjé1·<Y×àÀ\211À", forw=1) at libsmb/smbdes.c:290
#1  0x400939cc in E_P24 (p21=0xbfffcf08 "1ÖÏàÑjé1·<Y×àÀ\211À", c8=0x0, p24=0x80f38a8 "È#\023BÈ#\023Bd talloc", ' ' <repeats 11 times>) at libsmb/smbdes.c:316
#2  0x400942f2 in SMBOWFencrypt (passwd=0xbfffcf4c "1ÖÏàÑjé1·<Y×àÀ\211À", c8=0x0, p24=0x80f38a8 "È#\023BÈ#\023Bd talloc", ' ' <repeats 11 times>) at libsmb/smbencrypt.c:179
#3  0x400943ec in SMBNTencrypt (passwd=0xbfffdf80 "", c8=0x0, p24=0x80f38a8 "È#\023BÈ#\023Bd talloc", ' ' <repeats 11 times>) at libsmb/smbencrypt.c:210
#4  0x4007a710 in cli_session_setup_nt1 (cli=0x80f4b60, user=0xbfffdb80 "guest", pass=0xbfffdf80 "", passlen=1, ntpass=0xbfffdf80 "", ntpasslen=1, workgroup=0x80627a0 "WORKGROUP") at libsmb/cliconnect.c:314
#5  0x4007b0db in cli_session_setup (cli=0x80f4b60, user=0xbfffdb80 "guest", pass=0xbfffdf80 "", passlen=1, ntpass=0xbfffdf80 "", ntpasslen=1, workgroup=0x80627a0 "WORKGROUP") at libsmb/cliconnect.c:817
#6  0x4007c4d9 in cli_full_connection (output_cli=0xbfffd644, my_name=0xbfffd74c "rave", dest_host=0xbfffe4b0 "NAS", dest_ip=0xbfffe3ac, port=0, service=0x400e4a6f "IPC$", service_type=0x400e8037 "IPC", user=0xbfffdb80 "guest", domain=0x80627a0 "WORKGROUP", password=0xbfffdf80 "", flags=4, signing_state=-1, retry=0x0) at libsmb/cliconnect.c:1407
#7  0x4007c9f4 in get_ipc_connect (server=0xbfffe4b0 "NAS", server_ip=0xbfffe3ac, user_info=0xbfffdb80) at libsmb/cliconnect.c:1563
#8  0x0804a57e in find_groups () at smbdiscover.c:524
#9  0x0804bdd4 in main (argc=4, argv=0xbfffe8a4) at smbdiscover.c:937
#10 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)

Here are the last two frames seen on the wire before this segfault happens. Host 192.168.5.1 is the client that is running the code that segfaults. Host 192.168.5.252 is a Triton NAS server that appears to be embedded Linux (presumably running some version of smbd).

Frame 39 (147 bytes on wire, 147 bytes captured)
    Arrival Time: Jan 27, 2004 19:04:00.732491000
    Time delta from previous packet: 0.004977000 seconds
    Time relative to first packet: 0.989795000 seconds
    Frame Number: 39
    Packet Length: 147 bytes
    Capture Length: 147 bytes
Ethernet II, Src: 00:73:85:a8:7a:85, Dst: 00:e0:81:27:66:5b
    Destination: 00:e0:81:27:66:5b (Tyan_Com_27:66:5b)
    Source: 00:73:85:a8:7a:85 (00:73:85:a8:7a:85)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.5.252 (192.168.5.252), Dst Addr: 192.168.5.1 (192.168.5.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 133
    Identification: 0x1000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x9e25 (correct)
    Source: 192.168.5.252 (192.168.5.252)
    Destination: 192.168.5.1 (192.168.5.1)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 48965 (48965), Seq: 706763381, Ack: 96649095, Len: 81
    Source port: netbios-ssn (139)
    Destination port: 48965 (48965)
    Sequence number: 706763381
    Next sequence number: 706763462
    Acknowledgement number: 96649095
    Header length: 32 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 6432
    Checksum: 0x373a (correct)
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 1332626, tsecr 175497797
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 77
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 38
        Time from request: 0.004977000 seconds
        SMB Command: Negotiate Protocol (0x72)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x88
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0x0001
            0... .... .... .... = Unicode Strings: Strings are ASCII
            .0.. .... .... .... = Error Code Type: Error codes are DOS error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Reserved: 000000000000000000000000
        Tree ID: 0
        Process ID: 7699
        User ID: 0
        Multiplex ID: 2
    Negotiate Protocol Response (0x72)
        Word Count (WCT): 17
        Dialect Index: 7, greater than LANMAN2.1
        Security Mode: 0x03
            .... ...1 = Mode: USER security mode
            .... ..1. = Password: ENCRYPTED password. Use challenge/response
            .... .0.. = Signatures: Security signatures NOT enabled
            .... 0... = Sig Req: Security signatures NOT required
        Max Mpx Count: 2
        Max VCs: 1
        Max Buffer Size: 65535
        Max Raw Buffer: 65535
        Session Key: 0x00000057
        Capabilities: 0x00000309
            .... .... .... .... .... .... .... ...1 = Raw Mode: Read Raw and Write Raw are supported
            .... .... .... .... .... .... .... ..0. = MPX Mode: Read Mpx and Write Mpx are not supported
            .... .... .... .... .... .... .... .0.. = Unicode: Unicode strings are not supported
            .... .... .... .... .... .... .... 1... = Large Files: Large files are supported
            .... .... .... .... .... .... ...0 .... = NT SMBs: NT SMBs are not supported
            .... .... .... .... .... .... ..0. .... = RPC Remote APIs: RPC remote APIs are not supported
            .... .... .... .... .... .... .0.. .... = NT Status Codes: NT status codes are not supported
            .... .... .... .... .... .... 0... .... = Level 2 Oplocks: Level 2 oplocks are not supported
            .... .... .... .... .... ...1 .... .... = Lock and Read: Lock and Read is supported
            .... .... .... .... .... ..1. .... .... = NT Find: NT Find is supported
            .... .... .... .... ...0 .... .... .... = Dfs: Dfs is not supported
            .... .... .... .... ..0. .... .... .... = Infolevel Passthru: NT information level request passthrough is not supported
            .... .... .... .... .0.. .... .... .... = Large ReadX: Large Read andX is not supported
            .... .... .... .... 0... .... .... .... = Large WriteX: Large Write andX is not supported
            .... .... 0... .... .... .... .... .... = UNIX: UNIX extensions are not supported
            .... ..0. .... .... .... .... .... .... = Reserved: Reserved
            ..0. .... .... .... .... .... .... .... = Bulk Transfer: Bulk Read and Bulk Write are not supported
            .0.. .... .... .... .... .... .... .... = Compressed Data: Compressed data transfer is not supported
            0... .... .... .... .... .... .... .... = Extended Security: Extended security exchanges are not supported
        System Time: No time specified (0)
        Server Time Zone: -480 min from UTC
        Key Length: 8
        Byte Count (BCC): 0

Frame 40 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Jan 27, 2004 19:04:00.762721000
    Time delta from previous packet: 0.030230000 seconds
    Time relative to first packet: 1.020025000 seconds
    Frame Number: 40
    Packet Length: 66 bytes
    Capture Length: 66 bytes
Ethernet II, Src: 00:e0:81:27:66:5b, Dst: 00:73:85:a8:7a:85
    Destination: 00:73:85:a8:7a:85 (00:73:85:a8:7a:85)
    Source: 00:e0:81:27:66:5b (Tyan_Com_27:66:5b)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.5.1 (192.168.5.1), Dst Addr: 192.168.5.252 (192.168.5.252)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0x5cc9
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x51ad (correct)
    Source: 192.168.5.1 (192.168.5.1)
    Destination: 192.168.5.252 (192.168.5.252)
Transmission Control Protocol, Src Port: 48965 (48965), Dst Port: netbios-ssn (139), Seq: 96649095, Ack: 706763462, Len: 0
    Source port: 48965 (48965)
    Destination port: netbios-ssn (139)
    Sequence number: 96649095
    Acknowledgement number: 706763462
    Header length: 32 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 5840
    Checksum: 0x8739 (correct)
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 175497801, tsecr 1332626
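The capture above explains the NULL pointer in the backtrace: the NAS answers the Negotiate Protocol request with Key Length 8 but Byte Count (BCC) 0, so it advertises a challenge it never sends, and the client ends up passing an empty security blob to SMBNTencrypt. The following is an added example, not code from Samba or from the reporter, showing the check a client should make on the negotiate response before attempting NT1 challenge/response: parse the 17-word response, compare the advertised key length against the bytes actually present, and refuse to proceed when the challenge is missing. The function and type names are this example's own; the first sample buffer is constructed from the field values in Frame 39, and the second is the same response as a well-behaved server would send it, with made-up challenge bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the parser below (names are this example's own). */
enum negprot_status {
    NEGPROT_OK           =  0,
    NEGPROT_TRUNCATED    = -1,  /* buffer shorter than the fields it claims */
    NEGPROT_BAD_WCT      = -2,  /* not the 17-word NT LM 0.12 layout */
    NEGPROT_NO_CHALLENGE = -3   /* server claims a challenge but did not send it */
};

/* Fields of the NT LM 0.12 Negotiate Protocol response that decide whether
 * NT1 challenge/response authentication is possible at all. */
struct negprot_resp {
    uint16_t       dialect_index;
    uint8_t        security_mode;   /* bit 1 set = server wants challenge/response */
    uint8_t        key_length;      /* EncryptionKeyLength the server advertises */
    uint16_t       byte_count;      /* BCC: bytes actually present in the data block */
    const uint8_t *challenge;       /* into the caller's buffer, or NULL if absent */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the parameter block that starts at WordCount (the bytes after the
 * 32-byte SMB header).  Layout of the 17 parameter words:
 *   DialectIndex(2) SecurityMode(1) MaxMpxCount(2) MaxNumberVcs(2)
 *   MaxBufferSize(4) MaxRawSize(4) SessionKey(4) Capabilities(4)
 *   SystemTime(8) ServerTimeZone(2) EncryptionKeyLength(1)
 * followed by ByteCount(2) and then the challenge bytes, if any. */
int parse_negprot_resp(const uint8_t *buf, size_t len, struct negprot_resp *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1 + 34 + 2)            /* WCT + 17 words + BCC */
        return NEGPROT_TRUNCATED;
    if (buf[0] != 17)
        return NEGPROT_BAD_WCT;

    out->dialect_index = le16(buf + 1);
    out->security_mode = buf[3];
    out->key_length    = buf[34];    /* last byte of the parameter words */
    out->byte_count    = le16(buf + 35);

    const uint8_t *data = buf + 37;
    if (len - 37 < out->byte_count)  /* BCC runs past the bytes received */
        return NEGPROT_TRUNCATED;

    if ((out->security_mode & 0x02) == 0)
        return NEGPROT_OK;           /* plaintext passwords: no challenge expected */

    /* The check whose absence the backtrace above shows: Key Length 8 with
     * BCC 0 leaves nothing for the challenge pointer to point at. */
    if (out->key_length == 0 || out->byte_count < out->key_length)
        return NEGPROT_NO_CHALLENGE;

    out->challenge = data;
    return NEGPROT_OK;
}

/* Guard for the caller that would otherwise hand the challenge to the NT
 * response computation, which needs exactly 8 challenge bytes. */
int nt1_challenge_usable(const struct negprot_resp *r)
{
    return r->challenge != NULL && r->key_length == 8;
}

/* Constructed from the field values in Frame 39 (little-endian): WCT 17,
 * dialect 7, security mode 0x03, MaxMpx 2, MaxVCs 1, MaxBuffer and MaxRaw
 * 65535, session key 0x57, capabilities 0x309, system time 0, time zone
 * -480 (0xFE20), key length 8, BCC 0 and no data. */
const uint8_t NEGPROT_NO_KEY[] = {
    0x11, 0x07, 0x00, 0x03, 0x02, 0x00, 0x01, 0x00,
    0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00,
    0x57, 0x00, 0x00, 0x00, 0x09, 0x03, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0xfe, 0x08, 0x00, 0x00
};

/* The same response from a well-behaved server: BCC 8 followed by an
 * 8-byte challenge (the challenge bytes are made up for this example). */
const uint8_t NEGPROT_WITH_KEY[] = {
    0x11, 0x07, 0x00, 0x03, 0x02, 0x00, 0x01, 0x00,
    0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00,
    0x57, 0x00, 0x00, 0x00, 0x09, 0x03, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0xfe, 0x08, 0x08, 0x00,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

int main(void)
{
    struct negprot_resp r;
    int rc = parse_negprot_resp(NEGPROT_NO_KEY, sizeof NEGPROT_NO_KEY, &r);
    printf("NAS response:  rc=%d key_length=%u bcc=%u usable=%d\n",
           rc, (unsigned)r.key_length, (unsigned)r.byte_count, nt1_challenge_usable(&r));
    rc = parse_negprot_resp(NEGPROT_WITH_KEY, sizeof NEGPROT_WITH_KEY, &r);
    printf("good response: rc=%d key_length=%u bcc=%u usable=%d\n",
           rc, (unsigned)r.key_length, (unsigned)r.byte_count, nt1_challenge_usable(&r));
    return 0;
}
```

With the Frame 39 buffer the parser returns NEGPROT_NO_CHALLENGE and leaves the challenge pointer NULL, so a caller that consults nt1_challenge_usable() never reaches the DES step with a NULL input; a client in that situation should fail the session setup (or fall back to a plaintext or non-NT1 path if policy allows) rather than compute a response.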
I think this was fixed in 3.0.2a. Can you confirm or refute that? Thanks.
No response. Assuming fixed.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.