Hello. samba/libsmbclient 3.6.23-20.el6 exhibits a segfault under the cli_session_setup_nt1_send() call to NTLMv2_generate_names_blob():

    workgroup=0x7f5fb46e7130 "MYGROUP") at libsmb/cliconnect.c:868
    868             names_blob = NTLMv2_generate_names_blob(
    (gdb) l
    863              * note that the 'workgroup' here is a best
    864              * guess - we don't know the server's domain
    865              * at this point. Windows clients also don't
    866              * use hostname...
    867              */
    868             names_blob = NTLMv2_generate_names_blob(
    869                     NULL, NULL, workgroup);

This call to NTLMv2_generate_names_blob() sets NULL for the hostname parameter to msrpc_gen():

    (gdb) f 3
    #3  0x00007f5fb3374dbc in NTLMv2_generate_names_blob (mem_ctx=0x0, hostname=0x0, domain=0x7f5fb46e7130 "MYGROUP") at ../libcli/auth/smbencrypt.c:358
    358             (void)msrpc_gen(mem_ctx, &names_blob,
    (gdb) l
    353                             const char *domain)
    354     {
    355             DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
    356
    357             /* Deliberately ignore return here.. */
    358             (void)msrpc_gen(mem_ctx, &names_blob,
    359                             "aaa",
    360                             MsvAvNbDomainName, domain,
    361                             MsvAvNbComputerName, hostname,
    362                             MsvAvEOL, "");
    (gdb) f 2
    #2  0x00007f5fb33769c8 in msrpc_gen (mem_ctx=0x0, blob=0x7ffdc5185d10, format=0x7f5fb3686c56 "aaa") at ../libcli/auth/msrpc_parse.c:105
    105                     ret = push_ucs2_talloc(
    (gdb) l
    100                     break;
    101             case 'a':
    102                     j = va_arg(ap, int);
    103                     intargs[i] = j;
    104                     s = va_arg(ap, char *);
    105                     ret = push_ucs2_talloc(
    106                             pointers,
    107                             (smb_ucs2_t **)(void *)&pointers[i].data,
    108                             s, &n);
    109                     if (!ret) {
    (gdb) p &pointers[i].data
    value has been optimized out
    (gdb) f 1
    #1  0x00007f5fb3421b3c in push_ucs2_talloc (ctx=0x7f5fb470f230, dest=0x7f5fb470f240, src=0x0, converted_size=0x7ffdc5185c58) at lib/charcnv.c:1164
    1164            size_t src_len = strlen(src)+1;
    (gdb)

Here the NULL results in push_ucs2_talloc() being called with a NULL src argument, which leads to a NULL dereference.
This has been fixed by commit 96a49d23a4caebefcea66cfb855fadbae12ccf7c
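As an added illustration (my own code, not Samba's and not what the referenced commit does), a minimal C model of the names-blob (AV_PAIR list) encoding in which a NULL name is treated as "not known" and omitted, so it never reaches strlen() the way the backtrace above shows; the omit-the-pair behaviour is an assumption of this example, and the encoder assumes ASCII input:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the NTLMv2 "names blob" (a list of AV_PAIRs), written
 * for this illustration; it is not Samba's NTLMv2_generate_names_blob().
 * Wire layout per pair: AvId (u16 LE), AvLen (u16 LE), value as UTF-16LE,
 * terminated by an MsvAvEOL pair of length 0. */
enum { MsvAvEOL = 0, MsvAvNbComputerName = 1, MsvAvNbDomainName = 2 };

/* ASCII -> UTF-16LE, returns bytes written. Like push_ucs2_talloc() in the
 * report, it calls strlen(src) unconditionally, so src must never be NULL. */
static size_t push_ucs2(uint8_t *out, const char *src) {
    size_t n = strlen(src);
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = (uint8_t)src[i];
        out[2 * i + 1] = 0;
    }
    return 2 * n;
}

/* Append one AV_PAIR. Returns bytes written, or 0 if it would not fit. */
static size_t put_pair(uint8_t *out, size_t cap, uint16_t id, const char *value) {
    size_t vlen = value ? 2 * strlen(value) : 0;
    if (cap < 4 + vlen) return 0;
    out[0] = id & 0xff;   out[1] = id >> 8;
    out[2] = vlen & 0xff; out[3] = vlen >> 8;
    if (value) push_ucs2(out + 4, value);
    return 4 + vlen;
}

/* Hardened builder. Design choice (an assumption, not the referenced commit):
 * a NULL name means "not known" and its pair is omitted, so no NULL ever
 * reaches strlen(). Returns the blob length, or 0 on overflow. */
size_t names_blob(uint8_t *out, size_t cap, const char *hostname, const char *domain) {
    size_t off = 0, n;
    if (domain) {
        if ((n = put_pair(out + off, cap - off, MsvAvNbDomainName, domain)) == 0) return 0;
        off += n;
    }
    if (hostname) {
        if ((n = put_pair(out + off, cap - off, MsvAvNbComputerName, hostname)) == 0) return 0;
        off += n;
    }
    if ((n = put_pair(out + off, cap - off, MsvAvEOL, NULL)) == 0) return 0;
    return off + n;
}
```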
Metze asked: I'd also like to know where and why:

    client NTLMv2 auth = yes
    client use spnego = no
    client max protocol = NT1

is used in production?
We do not have a customer who uses these values in production, but with these options we are able to trigger the code. In production it has happened: libsmbclient-3.6.23-20.el6.x86_64 appears to break access to SMB fileshares hosted by Novell OES Linux servers. Specifically, with a python web application that allows access to SMB file servers running within uWSGI. smbclient fails with Segmentation fault (core dumped) when I try to connect to iSeries IFS.