Bug 13215 - smbd can panic if the client-supplied channel sequence number wraps
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2018-01-12 10:02 UTC by Volker Lendecke
Modified: 2020-12-11 08:22 UTC

Attachments
Patches for v4-7-test (16.80 KB, patch)
2018-03-07 10:56 UTC, Stefan Metzmacher
slow: review+
metze: review? (jra)
Patches for v4-6-test (16.78 KB, patch)
2018-03-07 10:56 UTC, Stefan Metzmacher
slow: review+
metze: review? (jra)
Patch (3.77 KB, patch)
2018-04-11 15:57 UTC, Volker Lendecke
no flags
correct patch (5.60 KB, patch)
2018-04-11 15:58 UTC, Volker Lendecke
vl: review? (metze)
fix for 4.8 (cherry-picked from master) (5.91 KB, patch)
2018-04-12 13:08 UTC, Björn Baumbach
metze: review+
fix for 4.7 (cherry-picked from master) (5.91 KB, patch)
2018-04-12 13:09 UTC, Björn Baumbach
metze: review+
fix for 4.6 (cherry-picked from master) (5.90 KB, patch)
2018-04-12 13:10 UTC, Björn Baumbach
metze: review+

Description Volker Lendecke 2018-01-12 10:02:58 UTC

    
Comment 1 Stefan Metzmacher 2018-03-07 10:56:21 UTC
Created attachment 14022
Patches for v4-7-test
Comment 2 Stefan Metzmacher 2018-03-07 10:56:52 UTC
Created attachment 14023
Patches for v4-6-test
Comment 3 Stefan Metzmacher 2018-03-08 09:46:07 UTC
Pushed to autobuild-v4-{6,7}-test.
Comment 4 Stefan Metzmacher 2018-03-13 13:18:41 UTC
Pushed to v4-{6,7}-test
Comment 5 Stefan Metzmacher 2018-04-11 12:10:28 UTC
The problem can still happen.

req->request_counters_updated = false; needs to move from
smbd_smb2_request_dispatch_update_counts() to
smbd_smb2_request_reply_update_counts().

Otherwise a failing compounded request can trigger
smbd_smb2_request_reply_update_counts() twice, while
smbd_smb2_request_dispatch_update_counts() was just called
once.
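
The pairing described in comment 5, as a simplified model added here for illustration; it is not Samba's code and is not taken from the attached patches. The per-open counter, the struct names and the below-zero check standing in for the panic are assumptions; only the flag name and the dispatch/reply function roles come from the comment.

```c
/* Simplified model, not Samba source. Assumed: dispatch adds one to a per-open
 * in-flight counter, reply removes one, and going below zero is the panic. */
#include <stdbool.h>

enum reset_site { RESET_IN_DISPATCH, RESET_IN_REPLY };

struct open_model { int request_count; };  /* hypothetical per-open state */
struct req_model {
	struct open_model *op;
	bool request_counters_updated;     /* flag named in comment 5 */
};

static void dispatch_update_counts(struct req_model *req, enum reset_site site)
{
	if (site == RESET_IN_DISPATCH)
		req->request_counters_updated = false; /* original placement */
	req->op->request_count += 1;
	req->request_counters_updated = true;
}

/* Returns false when the decrement would take the counter below zero. */
static bool reply_update_counts(struct req_model *req, enum reset_site site)
{
	if (!req->request_counters_updated)
		return true;                           /* nothing owed: no-op */
	if (site == RESET_IN_REPLY)
		req->request_counters_updated = false; /* placement comment 5 asks for */
	if (req->op->request_count <= 0)
		return false;
	req->op->request_count -= 1;
	return true;
}

/* One dispatch, then two replies: the sequence comment 5 describes. */
static bool one_dispatch_two_replies(enum reset_site site)
{
	struct open_model op = { 0 };
	struct req_model req = { &op, false };
	dispatch_update_counts(&req, site);
	bool first = reply_update_counts(&req, site);
	bool second = reply_update_counts(&req, site);
	return first && second && op.request_count == 0;
}

int main(void)
{
	return one_dispatch_two_replies(RESET_IN_REPLY) &&
	       !one_dispatch_two_replies(RESET_IN_DISPATCH) ? 0 : 1;
}
```

With the reset in the reply path, the second reply call finds the flag already cleared and does nothing; with the reset only in the dispatch path, the second call decrements a counter that was incremented once.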
Comment 6 Volker Lendecke 2018-04-11 15:57:14 UTC
Created attachment 14122
Patch

Fix from metze (already reviewed by me), together with a test by me (not reviewed yet)
Comment 7 Volker Lendecke 2018-04-11 15:58:15 UTC
Created attachment 14123
correct patch

Both patches now
Comment 8 Björn Baumbach 2018-04-12 13:08:42 UTC
Created attachment 14127
fix for 4.8 (cherry-picked from master)
Comment 9 Björn Baumbach 2018-04-12 13:09:40 UTC
Created attachment 14128
fix for 4.7 (cherry-picked from master)
Comment 10 Björn Baumbach 2018-04-12 13:10:18 UTC
Created attachment 14129
fix for 4.6 (cherry-picked from master)
Comment 11 Stefan Metzmacher 2018-04-12 13:33:17 UTC
Pushed to autobuild-v4-{6,7,8}-test.
Comment 12 Karolin Seeger 2018-04-19 09:27:46 UTC
(In reply to Stefan Metzmacher from comment #11)
Pushed to all branches.
Closing out bug report.

Thanks!