Bug 15426 - clidfs.c do_connect() missing a "return" after a cli_shutdown() call
Summary: clidfs.c do_connect() missing a "return" after a cli_shutdown() call
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-20 14:41 UTC by Robert Morris
Modified: 2023-10-17 09:16 UTC (History)
2 users (show)

See Also:

Attachments
fake smb server that triggers a use-after-free in smbclient (1.27 KB, text/x-csrc)
2023-07-20 14:41 UTC, Robert Morris 		no flags Details
git-am fix for 4.19.next (1.05 KB, patch)
2023-08-24 16:10 UTC, Jeremy Allison 		asn: review+
slow: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Morris 2023-07-20 14:41:26 UTC 
Created attachment 17990 [details]
fake smb server that triggers a use-after-free in smbclient

In this part of do_connect() in source3/libsmb/clidfs.c:

        status = smbXcli_negprot(c->conn, c->timeout,
                                 lp_client_min_protocol(),
                                 lp_client_max_protocol());
        if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
                ...;
                cli_shutdown(c);
        } else if (!NT_STATUS_IS_OK(status)) {
                ...;
                cli_shutdown(c);
                return status;
        }
        protocol = smbXcli_conn_protocol(c->conn);

The first arm of the "if" is missing a "return status". As a
result, if smbclient times out during negotiation, cli_shutdown() can free c
but then try to pass c->conn to smbXcli_conn_protocol().

A backtrace (with a debugging malloc that fills freed blocks with
0x7a):

#0  0x0000000002365c1c in smbXcli_conn_protocol (conn=0x7a7a7a7a7a7a7a7a)
    at ../../libcli/smb/smbXcli_base.c:483
#1  0x0000000001cf0d4a in do_connect (ctx=0x80424be90, server=0x80426c452 "x", 
    share=0x8042592e0 "\\\\x\\x", creds=0x804257980, 
    dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x7fffffffe048)
    at ../../source3/libsmb/clidfs.c:214
#2  0x0000000001ced971 in cli_cm_connect (ctx=0x80424be90, referring_cli=0x0, 
    server=0x0, share=0x8042592e0 "\\\\x\\x", creds=0x804257980, 
    dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x7fffffffe0d8)
    at ../../source3/libsmb/clidfs.c:316
#3  0x0000000001ced706 in cli_cm_open (ctx=0x80424be90, referring_cli=0x0, 
    server=0x0, share=0x8042592e0 "\\\\x\\x", creds=0x804257980, 
    dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x27835a0 <cli>)
    at ../../source3/libsmb/clidfs.c:424
#4  0x00000000025533b2 in process (base_directory=0x0)
    at ../../source3/client/client.c:6180
#5  0x00000000025529ab in main (argc=9, argv=0x7fffffffe6d0)
    at ../../source3/client/client.c:6727
Comment 1 Samba QA Contact 2023-08-23 09:30:05 UTC 
This bug was referenced in samba master:

86f67f59eafc95ad5312fd711b0295a94237e036
Comment 2 Jeremy Allison 2023-08-24 16:10:38 UTC 
Created attachment 18066 [details]
git-am fix for 4.19.next

Bug only exists in 4.19.next code.
Comment 3 Ralph Böhme 2023-09-20 02:13:24 UTC 
Comment on attachment 18066 [details]
git-am fix for 4.19.next

It's missing the reviewed-by thingy, but as we can't fix master and that's all I care about I guess we can just push this as is to 4.19.
Comment 4 Ralph Böhme 2023-09-20 02:14:11 UTC 
Reassigning to Jule for inclusion in 4.19.
Comment 5 Jule Anger 2023-09-20 15:28:33 UTC 
Pushed to autobuild-v4-19-test.
Comment 6 Samba QA Contact 2023-09-20 16:24:03 UTC 
This bug was referenced in samba v4-19-test:

d70374c347953d64e9a6cf56db178d42f985227d
Comment 7 Jule Anger 2023-09-20 16:29:55 UTC 
Closing out bug report.

Thanks!
Comment 8 Samba QA Contact 2023-10-16 14:19:27 UTC 
This bug was referenced in samba v4-19-stable (Release samba-4.19.2):

d70374c347953d64e9a6cf56db178d42f985227d