Bug 15426 - clidfs.c do_connect() missing a "return" after a cli_shutdown() call
Summary: clidfs.c do_connect() missing a "return" after a cli_shutdown() call
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-20 14:41 UTC by Robert Morris
Modified: 2023-10-17 09:16 UTC (History)
2 users (show)

See Also:


Attachments
fake smb server that triggers a use-after-free in smbclient (1.27 KB, text/x-csrc)
2023-07-20 14:41 UTC, Robert Morris
no flags Details
git-am fix for 4.19.next (1.05 KB, patch)
2023-08-24 16:10 UTC, Jeremy Allison
asn: review+
slow: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Morris 2023-07-20 14:41:26 UTC
Created attachment 17990 [details]
fake smb server that triggers a use-after-free in smbclient

In this part of do_connect() in source3/libsmb/clidfs.c:

        status = smbXcli_negprot(c->conn, c->timeout,
                                 lp_client_min_protocol(),
                                 lp_client_max_protocol());
        if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
                ...;
                cli_shutdown(c);
        } else if (!NT_STATUS_IS_OK(status)) {
                ...;
                cli_shutdown(c);
                return status;
        }
        protocol = smbXcli_conn_protocol(c->conn);

The first arm of the "if" is missing a "return status". As a
result, if smbclient times out during negotiation, cli_shutdown() can free c
but then try to pass c->conn to smbXcli_conn_protocol().

A backtrace (with a debugging malloc that fills freed blocks with
0x7a):

#0  0x0000000002365c1c in smbXcli_conn_protocol (conn=0x7a7a7a7a7a7a7a7a)
    at ../../libcli/smb/smbXcli_base.c:483
#1  0x0000000001cf0d4a in do_connect (ctx=0x80424be90, server=0x80426c452 "x", 
    share=0x8042592e0 "\\\\x\\x", creds=0x804257980, 
    dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x7fffffffe048)
    at ../../source3/libsmb/clidfs.c:214
#2  0x0000000001ced971 in cli_cm_connect (ctx=0x80424be90, referring_cli=0x0, 
    server=0x0, share=0x8042592e0 "\\\\x\\x", creds=0x804257980, 
    dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x7fffffffe0d8)
    at ../../source3/libsmb/clidfs.c:316
#3  0x0000000001ced706 in cli_cm_open (ctx=0x80424be90, referring_cli=0x0, 
    server=0x0, share=0x8042592e0 "\\\\x\\x", creds=0x804257980, 
    dest_ss=0x27835e8 <dest_ss>, port=0, name_type=32, pcli=0x27835a0 <cli>)
    at ../../source3/libsmb/clidfs.c:424
#4  0x00000000025533b2 in process (base_directory=0x0)
    at ../../source3/client/client.c:6180
#5  0x00000000025529ab in main (argc=9, argv=0x7fffffffe6d0)
    at ../../source3/client/client.c:6727
Comment 1 Samba QA Contact 2023-08-23 09:30:05 UTC
This bug was referenced in samba master:

86f67f59eafc95ad5312fd711b0295a94237e036
Comment 2 Jeremy Allison 2023-08-24 16:10:38 UTC
Created attachment 18066 [details]
git-am fix for 4.19.next

Bug only exists in 4.19.next code.
Comment 3 Ralph Böhme 2023-09-20 02:13:24 UTC
Comment on attachment 18066 [details]
git-am fix for 4.19.next

It's missing the reviewed-by thingy, but as we can't fix master and that's all I care about I guess we can just push this as is to 4.19.
Comment 4 Ralph Böhme 2023-09-20 02:14:11 UTC
Reassigning to Jule for inclusion in 4.19.
Comment 5 Jule Anger 2023-09-20 15:28:33 UTC
Pushed to autobuild-v4-19-test.
Comment 6 Samba QA Contact 2023-09-20 16:24:03 UTC
This bug was referenced in samba v4-19-test:

d70374c347953d64e9a6cf56db178d42f985227d
Comment 7 Jule Anger 2023-09-20 16:29:55 UTC
Closing out bug report.

Thanks!
Comment 8 Samba QA Contact 2023-10-16 14:19:27 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.2):

d70374c347953d64e9a6cf56db178d42f985227d