Bug 14205 - Prevent smbd crash after invalid SMB1 negprot.
Summary: Prevent smbd crash after invalid SMB1 negprot.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-26 17:24 UTC by Jeremy Allison
Modified: 2019-12-17 12:02 UTC

See Also:


Attachments
git-am fix for master. (15.60 KB, patch)
2019-11-26 21:31 UTC, Jeremy Allison
no flags
git-am fix for 4.11.next. (21.98 KB, patch)
2019-12-04 23:51 UTC, Jeremy Allison
slow: review+
git-am fix for 4.10.next (22.14 KB, patch)
2019-12-05 00:17 UTC, Jeremy Allison
slow: review+

Description Jeremy Allison 2019-11-26 17:24:25 UTC
Fuzzing detected a case where an invalid SMB1 negprot followed by a sessionsetup causes the connected smbd to crash, indirecting a NULL pointer.

This happens because we set the internal flag "smb1.negprot.done = true" too early in the SMB1 negprot processing. We should only set this on successful completion. If we set this flag true it allows subsequent sessionsetup processing without the required global tables having been initialized.

Found in fuzzing tests by Michael Hanselmann <public@hansmi.ch>.

base64 -d <<'EOF' | socat -ls -d stdio tcp-connect:localhost:445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EOF

Have patch, need bug number.
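The ordering defect the report describes, shown as an added illustration in C. This is a constructed, much-simplified model, not Samba's code: only the flag name negprot.done comes from the report, and the connection struct, the table, the parser rule and the function names are hypothetical. It contrasts raising the "done" flag before the request is validated (a rejected negprot then leaves the flag set and the table NULL, so a later session setup runs against uninitialised state) with raising it only after successful completion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the state machine in the bug report. Only the flag
 * name negprot.done is taken from the report; everything else is hypothetical. */

struct negprot_state {
    bool done;          /* "negprot finished": gates later SMB1 requests */
    int *dialect_table; /* stands in for the global tables negprot must set up */
};

struct smb1_conn {
    struct negprot_state negprot;
    int table_storage[4];
};

/* Hypothetical validity rule for a negprot body: at least two bytes and the
 * first byte is a dialect-string marker (0x02). Returns 0 if valid, -1 if not. */
static int parse_negprot(const unsigned char *body, size_t len)
{
    if (len < 2 || body[0] != 0x02) {
        return -1;
    }
    return 0;
}

/* Defective ordering: the flag is raised before validation, so a rejected
 * negprot leaves done == true while the table is still NULL. */
int negprot_before_fix(struct smb1_conn *c, const unsigned char *body, size_t len)
{
    c->negprot.done = true;                 /* too early */
    if (parse_negprot(body, len) != 0) {
        return -1;                          /* tables never initialised */
    }
    c->negprot.dialect_table = c->table_storage;
    return 0;
}

/* Corrected ordering: validate and initialise first, raise the flag last. */
int negprot_after_fix(struct smb1_conn *c, const unsigned char *body, size_t len)
{
    if (parse_negprot(body, len) != 0) {
        return -1;                          /* done stays false */
    }
    c->negprot.dialect_table = c->table_storage;
    c->negprot.done = true;                 /* only on successful completion */
    return 0;
}

/* Session setup trusts the flag, as the report describes. Returns 0 on
 * success, -1 when rejected for protocol order, and -2 at the point where the
 * real server would dereference the NULL table (the crash). */
int sessionsetup(struct smb1_conn *c)
{
    if (!c->negprot.done) {
        return -1;
    }
    if (c->negprot.dialect_table == NULL) {
        return -2;
    }
    c->negprot.dialect_table[0] = 1;        /* use the table */
    return 0;
}

typedef int (*negprot_fn)(struct smb1_conn *, const unsigned char *, size_t);

/* Replays the report's sequence (invalid negprot, then session setup) against
 * one negprot implementation and returns the session setup result. */
int replay_invalid_then_sessionsetup(negprot_fn negprot)
{
    struct smb1_conn c;
    static const unsigned char bad_body[] = { 0xff };   /* constructed invalid body */
    memset(&c, 0, sizeof c);
    (void)negprot(&c, bad_body, sizeof bad_body);
    return sessionsetup(&c);
}

/* Same replay with a valid negprot; both orderings must then succeed. */
int replay_valid_then_sessionsetup(negprot_fn negprot)
{
    struct smb1_conn c;
    static const unsigned char good_body[] = { 0x02, 'N', 'T', ' ', 'L', 'M', ' ',
                                              '0', '.', '1', '2', 0 };
    memset(&c, 0, sizeof c);
    if (negprot(&c, good_body, sizeof good_body) != 0) {
        return -3;
    }
    return sessionsetup(&c);
}

int main(void)
{
    printf("before fix, invalid negprot then sessionsetup: %d (-2 = would crash)\n",
           replay_invalid_then_sessionsetup(negprot_before_fix));
    printf("after fix,  invalid negprot then sessionsetup: %d (-1 = rejected)\n",
           replay_invalid_then_sessionsetup(negprot_after_fix));
    return 0;
}
```

The only difference between the two negprot functions is where the assignment to done sits; the session setup handler is identical in both runs, which is the point of the report: a completion flag must be the last thing a handler sets, after every precondition the next stage depends on has been established.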
Comment 1 Jeremy Allison 2019-11-26 21:31:56 UTC
Created attachment 15634 [details]
git-am fix for master.

Fixes crash. Currently in CI. Posted here so I don't lose it.
Comment 2 Jeremy Allison 2019-11-27 00:20:00 UTC
MR is: https://gitlab.com/samba-team/samba/merge_requests/946
Comment 3 Jeremy Allison 2019-12-04 23:51:39 UTC
Created attachment 15667 [details]
git-am fix for 4.11.next.

Cherry-picked from the fix that went into master.
Comment 4 Jeremy Allison 2019-12-05 00:17:59 UTC
Created attachment 15668 [details]
git-am fix for 4.10.next

Back-ported from master.
Comment 5 Ralph Böhme 2019-12-11 19:45:45 UTC
Reassigning to Karolin for inclusion in 4.10 and 4.11.
Comment 6 Karolin Seeger 2019-12-13 10:36:08 UTC
(In reply to Ralph Böhme from comment #5)
Pushed to autobuild-v4-{11,10}-test.
Comment 7 Karolin Seeger 2019-12-17 12:02:43 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to both branches.
Closing out bug report.

Thanks!