Bug 11342 - Codenomicon crash in do_smb_load_module()
Codenomicon crash in do_smb_load_module()
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
unspecified
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-06-18 17:15 UTC by Jeremy Allison
Modified: 2015-07-07 21:45 UTC (History)
5 users (show)

See Also:


Attachments
git-am cherry-pick from master for 4.2.next, 4.1.next. (1.46 KB, patch)
2015-06-22 18:11 UTC, Jeremy Allison
jra: review? (ira)
obnox: review+
jra: review? (asn)
gd: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2015-06-18 17:15:20 UTC
Inside api_pipe_bind_req() we look for a pipe module name using

dcerpc_default_transport_endpoint(pkt,
                                NCACN_NP, table)

which returns NULL when given invalid pkt data from the Codenomicon fuzzer.

This gets passed directly to smb_probe_module(), which then calls do_smb_load_module() which tries to deref the (NULL) module name.

Fix to follow.
Comment 1 Jeremy Allison 2015-06-22 18:11:54 UTC
Created attachment 11183 [details]
git-am cherry-pick from master for 4.2.next, 4.1.next.
Comment 2 Jeremy Allison 2015-06-24 16:12:42 UTC
Comment on attachment 11183 [details]
git-am cherry-pick from master for 4.2.next, 4.1.next.

Widening out reviewers. Let's get this fixed... :-).
Comment 3 Guenther Deschner 2015-06-24 16:42:12 UTC
Comment on attachment 11183 [details]
git-am cherry-pick from master for 4.2.next, 4.1.next.

LGTM
Comment 4 Jeremy Allison 2015-06-24 17:24:48 UTC
Reassigning to Karolin for inclusion in 4.2.next, 4.1.next.
Comment 5 Karolin Seeger 2015-06-29 20:10:31 UTC
(In reply to Jeremy Allison from comment #4)
Pushed to autobuild-v4-[1|2]-test.
Comment 6 Karolin Seeger 2015-07-05 19:09:19 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!