Fuzzing detected a case where an invalid SMB1 negprot followed by a sessionsetup causes the connected smbd to crash, indirecting a NULL pointer.

This happens because we set the internal flag "smb1.negprot.done = true" too early in the SMB1 negprot processing. We should only set this on successful completion. If we set this flag true it allows subsequent sessionsetup processing without the required global tables having been initialized.

Found in fuzzing tests by Michael Hanselmann <public@hansmi.ch>.

base64 -d <<'EOF' | socat -ls -d stdio tcp-connect:localhost:445
EOF

Have patch, need bugnumber.
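An added illustration of the ordering bug described in the report (not Samba's code; the struct and function names are hypothetical stand-ins for smbd's SMB1 negprot/sessionsetup state): the buggy variant marks negprot done before the request has been validated and the tables allocated, so a later sessionsetup trusts the flag and dereferences a NULL table pointer; the fixed variant sets the flag only on successful completion.

```c
/* Added illustration, not Samba's code: a "done" flag must be set only after
 * every initialisation step succeeded. The types and functions below are
 * hypothetical stand-ins for smbd's SMB1 negprot / sessionsetup state. */
#include <stdbool.h>
#include <stdlib.h>
struct global_tables { int max_sessions; };

struct smb1_conn {
    bool negprot_done;            /* stands in for smb1.negprot.done */
    struct global_tables *tables; /* NULL until negprot fully succeeds */
};

/* Validate the negprot request, then allocate the global tables.
 * Returns 0 on success, -1 on an invalid request (e.g. fuzzer input). */
static int negprot_validate_and_init(struct smb1_conn *c, bool request_valid)
{
    if (!request_valid)
        return -1;                 /* tables stay NULL */
    c->tables = calloc(1, sizeof(*c->tables));
    if (c->tables == NULL)
        return -1;
    c->tables->max_sessions = 1;
    return 0;
}

/* Buggy ordering: the flag is set before we know negprot succeeded. */
int negprot_buggy(struct smb1_conn *c, bool request_valid)
{
    c->negprot_done = true;
    return negprot_validate_and_init(c, request_valid);
}

/* Fixed ordering: the flag is set only on successful completion. */
int negprot_fixed(struct smb1_conn *c, bool request_valid)
{
    if (negprot_validate_and_init(c, request_valid) != 0)
        return -1;
    c->negprot_done = true;
    return 0;
}

/* Sessionsetup trusts the flag and dereferences the tables: returns max_sessions,
 * or -1 if negprot has not completed. If the flag lies, this is a NULL deref. */
int session_setup(const struct smb1_conn *c)
{
    if (!c->negprot_done)
        return -1;
    return c->tables->max_sessions;
}
```

The test below only exercises the fixed ordering through session_setup; for the buggy ordering it checks the inconsistent state (flag set, tables still NULL) rather than dereferencing it.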
Created attachment 15634: git-am fix for master. Fixes crash. Currently in CI. Posted here so I don't lose it.
MR is: https://gitlab.com/samba-team/samba/merge_requests/946
Created attachment 15667: git-am fix for 4.11.next. Cherry-picked from the fix that went into master.
Created attachment 15668: git-am fix for 4.10.next. Back-ported from master.
Reassigning to Karolin for inclusion in 4.10 and 4.11.
(In reply to Ralph Böhme from comment #5) Pushed to autobuild-v4-{11,10}-test.
(In reply to Karolin Seeger from comment #6) Pushed to both branches. Closing out bug report. Thanks!