Bug 1011 - Segfault in libsmbclient (smbdes.c:smbhash) when cli_session_setup_nt1 gets NULL cli->secblob.data
Segfault in libsmbclient (smbdes.c:smbhash) when cli_session_setup_nt1 gets N...
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: libsmbclient
3.0.1
Other other
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-01-27 19:15 UTC by David Wuertele
Modified: 2005-08-24 10:23 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Wuertele 2004-01-27 19:15:53 UTC
in cliconnect.c:cli_session_setup_nt1(), on line 314:

	SMBNTencrypt(pass,cli->secblob.data,nt_response.data);

passes a cli->secblob.data that is zero.  Eventually, smbhash tries to
dereference this, which causes a segfault.  Here's the backtrace.  Note that the
 argument "in=0x0" is dereferenced as an array on line smbdes.c:290.

(gdb) bt
#0  0x400938c2 in smbhash (out=0x80f38a8 "È#\023BÈ#\023Bd talloc", ' ' <repeats
11 times>, in=0x0, 
    key=0xbfffcf08 "1ÖÏàÑjé1·<Y×àÀ\211À", forw=1) at libsmb/smbdes.c:290
#1  0x400939cc in E_P24 (p21=0xbfffcf08 "1ÖÏàÑjé1·<Y×àÀ\211À", c8=0x0, 
    p24=0x80f38a8 "È#\023BÈ#\023Bd talloc", ' ' <repeats 11 times>) at
libsmb/smbdes.c:316
#2  0x400942f2 in SMBOWFencrypt (passwd=0xbfffcf4c "1ÖÏàÑjé1·<Y×àÀ\211À", c8=0x0, 
    p24=0x80f38a8 "È#\023BÈ#\023Bd talloc", ' ' <repeats 11 times>) at
libsmb/smbencrypt.c:179
#3  0x400943ec in SMBNTencrypt (passwd=0xbfffdf80 "", c8=0x0, 
    p24=0x80f38a8 "È#\023BÈ#\023Bd talloc", ' ' <repeats 11 times>) at
libsmb/smbencrypt.c:210
#4  0x4007a710 in cli_session_setup_nt1 (cli=0x80f4b60, user=0xbfffdb80 "guest",
pass=0xbfffdf80 "", 
    passlen=1, ntpass=0xbfffdf80 "", ntpasslen=1, workgroup=0x80627a0
"WORKGROUP") at libsmb/cliconnect.c:314
#5  0x4007b0db in cli_session_setup (cli=0x80f4b60, user=0xbfffdb80 "guest",
pass=0xbfffdf80 "", passlen=1, 
    ntpass=0xbfffdf80 "", ntpasslen=1, workgroup=0x80627a0 "WORKGROUP") at
libsmb/cliconnect.c:817
#6  0x4007c4d9 in cli_full_connection (output_cli=0xbfffd644, my_name=0xbfffd74c
"rave", 
    dest_host=0xbfffe4b0 "NAS", dest_ip=0xbfffe3ac, port=0, service=0x400e4a6f
"IPC$", 
    service_type=0x400e8037 "IPC", user=0xbfffdb80 "guest", domain=0x80627a0
"WORKGROUP", 
    password=0xbfffdf80 "", flags=4, signing_state=-1, retry=0x0) at
libsmb/cliconnect.c:1407
#7  0x4007c9f4 in get_ipc_connect (server=0xbfffe4b0 "NAS",
server_ip=0xbfffe3ac, user_info=0xbfffdb80)
    at libsmb/cliconnect.c:1563
#8  0x0804a57e in find_groups () at smbdiscover.c:524
#9  0x0804bdd4 in main (argc=4, argv=0xbfffe8a4) at smbdiscover.c:937
#10 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) 

Here are the last two frames seen on the wire before this segfault happens. 
Host 192.168.5.1 is the client that is running the code that segfaults.  Host
192.168.5.252 is a Triton NAS server that appears to be embedded Linux
(presumably running some version of smbd).

Frame 39 (147 bytes on wire, 147 bytes captured)
    Arrival Time: Jan 27, 2004 19:04:00.732491000
    Time delta from previous packet: 0.004977000 seconds
    Time relative to first packet: 0.989795000 seconds
    Frame Number: 39
    Packet Length: 147 bytes
    Capture Length: 147 bytes
Ethernet II, Src: 00:73:85:a8:7a:85, Dst: 00:e0:81:27:66:5b
    Destination: 00:e0:81:27:66:5b (Tyan_Com_27:66:5b)
    Source: 00:73:85:a8:7a:85 (00:73:85:a8:7a:85)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.5.252 (192.168.5.252), Dst Addr:
192.168.5.1 (192.168.5.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 133
    Identification: 0x1000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x9e25 (correct)
    Source: 192.168.5.252 (192.168.5.252)
    Destination: 192.168.5.1 (192.168.5.1)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 48965
(48965), Seq: 706763381, Ack: 96649095, Len: 81
    Source port: netbios-ssn (139)
    Destination port: 48965 (48965)
    Sequence number: 706763381
    Next sequence number: 706763462
    Acknowledgement number: 96649095
    Header length: 32 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 6432
    Checksum: 0x373a (correct)
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 1332626, tsecr 175497797
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 77
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 38
        Time from request: 0.004977000 seconds
        SMB Command: Negotiate Protocol (0x72)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x88
            1... .... = Request/Response: Message is a response to the
client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0x0001
            0... .... .... .... = Unicode Strings: Strings are ASCII
            .0.. .... .... .... = Error Code Type: Error codes are DOS error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if
execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended
security negotiation is not supported
            .... .... .0.. .... = Long Names Used: Path names in request are not
long file names
            .... .... .... .0.. = Security Signatures: Security signatures are
not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are
not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are
allowed in the response
        Reserved: 000000000000000000000000
        Tree ID: 0
        Process ID: 7699
        User ID: 0
        Multiplex ID: 2
    Negotiate Protocol Response (0x72)
        Word Count (WCT): 17
        Dialect Index: 7, greater than LANMAN2.1
        Security Mode: 0x03
            .... ...1 = Mode: USER security mode
            .... ..1. = Password: ENCRYPTED password. Use challenge/response
            .... .0.. = Signatures: Security signatures NOT enabled
            .... 0... = Sig Req: Security signatures NOT required
        Max Mpx Count: 2
        Max VCs: 1
        Max Buffer Size: 65535
        Max Raw Buffer: 65535
        Session Key: 0x00000057
        Capabilities: 0x00000309
            .... .... .... .... .... .... .... ...1 = Raw Mode: Read Raw and
Write Raw are supported
            .... .... .... .... .... .... .... ..0. = MPX Mode: Read Mpx and
Write Mpx are not supported
            .... .... .... .... .... .... .... .0.. = Unicode: Unicode strings
are not supported
            .... .... .... .... .... .... .... 1... = Large Files: Large files
are supported
            .... .... .... .... .... .... ...0 .... = NT SMBs: NT SMBs are not
supported
            .... .... .... .... .... .... ..0. .... = RPC Remote APIs: RPC
remote APIs are not supported
            .... .... .... .... .... .... .0.. .... = NT Status Codes: NT status
codes are not supported
            .... .... .... .... .... .... 0... .... = Level 2 Oplocks: Level 2
oplocks are not supported
            .... .... .... .... .... ...1 .... .... = Lock and Read: Lock and
Read is supported
            .... .... .... .... .... ..1. .... .... = NT Find: NT Find is supported
            .... .... .... .... ...0 .... .... .... = Dfs: Dfs is not supported
            .... .... .... .... ..0. .... .... .... = Infolevel Passthru: NT
information level request passthrough is not supported
            .... .... .... .... .0.. .... .... .... = Large ReadX: Large Read
andX is not supported
            .... .... .... .... 0... .... .... .... = Large WriteX: Large Write
andX is not supported
            .... .... 0... .... .... .... .... .... = UNIX: UNIX extensions are
not supported
            .... ..0. .... .... .... .... .... .... = Reserved: Reserved
            ..0. .... .... .... .... .... .... .... = Bulk Transfer: Bulk Read
and Bulk Write are not supported
            .0.. .... .... .... .... .... .... .... = Compressed Data:
Compressed data transfer is not supported
            0... .... .... .... .... .... .... .... = Extended Security:
Extended security exchanges are not supported
        System Time: No time specified (0)
        Server Time Zone: -480 min from UTC
        Key Length: 8
        Byte Count (BCC): 0

Frame 40 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Jan 27, 2004 19:04:00.762721000
    Time delta from previous packet: 0.030230000 seconds
    Time relative to first packet: 1.020025000 seconds
    Frame Number: 40
    Packet Length: 66 bytes
    Capture Length: 66 bytes
Ethernet II, Src: 00:e0:81:27:66:5b, Dst: 00:73:85:a8:7a:85
    Destination: 00:73:85:a8:7a:85 (00:73:85:a8:7a:85)
    Source: 00:e0:81:27:66:5b (Tyan_Com_27:66:5b)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.5.1 (192.168.5.1), Dst Addr: 192.168.5.252
(192.168.5.252)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0x5cc9
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x51ad (correct)
    Source: 192.168.5.1 (192.168.5.1)
    Destination: 192.168.5.252 (192.168.5.252)
Transmission Control Protocol, Src Port: 48965 (48965), Dst Port: netbios-ssn
(139), Seq: 96649095, Ack: 706763462, Len: 0
    Source port: 48965 (48965)
    Destination port: netbios-ssn (139)
    Sequence number: 96649095
    Acknowledgement number: 706763462
    Header length: 32 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 5840
    Checksum: 0x8739 (correct)
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 175497801, tsecr 1332626
Comment 1 Gerald (Jerry) Carter 2004-03-18 10:14:26 UTC
I think this was fixed in 3.0.2a.  Can you confirm or 
refute that ?  Thanks.
Comment 2 Gerald (Jerry) Carter 2004-04-19 07:27:13 UTC
no response.  Assuming fixed.
Comment 3 Gerald (Jerry) Carter 2005-08-24 10:23:13 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.