Bug 11793 - Add regression test for a segfault in the NTLMv2_generate_names_blob() call
Summary: Add regression test for a segfault in the NTLMv2_generate_names_blob() call
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: unspecified
Hardware: All All
: P5 trivial (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-03-14 15:42 UTC by Robin Hack
Modified: 2018-05-07 12:06 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Robin Hack 2016-03-14 15:42:59 UTC

samba/libsmbclient 3.6.23-20.el6 exhibits a segfault under cli_session_setup_nt1_send() call to NTLMv2_generate_names_blob():

workgroup=0x7f5fb46e7130 "MYGROUP") at libsmb/cliconnect.c:868
868                             names_blob = NTLMv2_generate_names_blob(
(gdb) l
863                              * note that the 'workgroup' here is a best
864                              * guess - we don't know the server's domain
865                              * at this point. Windows clients also don't
866                              * use hostname...
867                              */
868                             names_blob = NTLMv2_generate_names_blob(
869                                     NULL, NULL, workgroup);

This call to NTLMv2_generate_names_blob() sets NULL for the hostname parameter to msrpc_gen()

(gdb) f 3
#3  0x00007f5fb3374dbc in NTLMv2_generate_names_blob (mem_ctx=0x0, hostname=0x0, domain=0x7f5fb46e7130 "MYGROUP")
    at ../libcli/auth/smbencrypt.c:358
358             (void)msrpc_gen(mem_ctx, &names_blob,
(gdb) l
353                                          const char *domain)
354     {
355             DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
357             /* Deliberately ignore return here.. */
358             (void)msrpc_gen(mem_ctx, &names_blob,
359                       "aaa",
360                       MsvAvNbDomainName, domain,
361                       MsvAvNbComputerName, hostname,
362                       MsvAvEOL, "");

(gdb) f 2
#2  0x00007f5fb33769c8 in msrpc_gen (mem_ctx=0x0, blob=0x7ffdc5185d10, format=0x7f5fb3686c56 "aaa")
    at ../libcli/auth/msrpc_parse.c:105
105                             ret = push_ucs2_talloc(
(gdb) l
100                             break;
101                     case 'a':
102                             j = va_arg(ap, int);
103                             intargs[i] = j;
104                             s = va_arg(ap, char *);
105                             ret = push_ucs2_talloc(
106                                     pointers,
107                                     (smb_ucs2_t **)(void *)&pointers[i].data,
108                                     s, &n);
109                             if (!ret) {
(gdb) p &pointers[i].data
value has been optimized out
(gdb) f 1
#1  0x00007f5fb3421b3c in push_ucs2_talloc (ctx=0x7f5fb470f230, dest=0x7f5fb470f240, src=0x0, 
    converted_size=0x7ffdc5185c58) at lib/charcnv.c:1164
1164            size_t src_len = strlen(src)+1;

Here the NULL results in push_ucs2_talloc called with a NULL src argument, and leads to a NULL dereference.
Comment 1 Andreas Schneider 2016-03-14 16:00:57 UTC
This has been fixed by commit 96a49d23a4caebefcea66cfb855fadbae12ccf7c
Comment 2 Andreas Schneider 2016-03-14 16:02:28 UTC
Metze asked:

I'd also like to know where and why:

client NTLMv2 auth = yes
client use spnego = no
client max protocol = NT1

is used in production?
Comment 3 Andreas Schneider 2016-03-14 16:06:01 UTC
We do not have a customer who uses these values in production but with these options we are able to trigger the code.

In production it has happened:

libsmbclient-3.6.23-20.el6.x86_64 appears to break access to SMB fileshares hosted by Novell OES Linux servers. Specifically, with a python web application that allows access to SMB file servers running within uWSGI.

smbclient fails with Segmentation fault (core dumped) when I trying to connect to iSeries IFS.