Bug 15430 - missing return in reply_exit_done()
Summary: missing return in reply_exit_done()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 15420
Blocks: 15432
Reported: 2023-07-24 09:05 UTC by Robert Morris
Modified: 2023-09-07 09:03 UTC (History)

See Also:


Attachments
client that sends an SMB_COM_PROCESS_EXIT that causes smbd to crash due to a missing return in reply_exit_done() (5.54 KB, text/x-csrc), 2023-07-24 09:05 UTC, Robert Morris, no flags
WIP patches for master. (12.49 KB, patch), 2023-08-11 22:23 UTC, Jeremy Allison, no flags
git-am fix for 4.19.next, 4.18.next. (8.25 KB, patch), 2023-08-14 22:25 UTC, Jeremy Allison, npower: review+
git-am fix for 4.17.next (8.24 KB, patch), 2023-08-14 22:26 UTC, Jeremy Allison, npower: review+

Description Robert Morris 2023-07-24 09:05:35 UTC
Created attachment 17995 [details]
client that sends an SMB_COM_PROCESS_EXIT that causes smbd to crash due to a missing return in reply_exit_done()

In reply_exit_done() in source3/smbd/smb1_reply.c:

        status = smb1srv_session_lookup(xconn,
                                        smb1req->vuid,
                                        now,
                                        &session);
        if (!NT_STATUS_IS_OK(status)) {
                reply_force_doserror(smb1req, ERRSRV, ERRinvnid);
                smb_request_done(smb1req);
                END_PROFILE(SMBexit);
        }
        ...;
        if (session->global->auth_session_info != NULL) {

I think there's a missing "return" at the end of the if block. As a
result, the attached client program, which sends a
SMB_COM_PROCESS_EXIT after negotiating, causes smbd to dereference a
NULL session and crash.
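The control-flow defect described in the report, modelled in C as an added example (this is not Samba's code; the struct types, the lookup and the outcome enum are constructed stand-ins): the buggy handler falls through to the session dereference after a failed lookup, while the fixed one returns from the error branch.

```c
#include <stddef.h>

/* Model types (assumption: not Samba's real struct definitions). */
struct session_global { int auth_session_info; };
struct session { struct session_global *global; };
enum status { STATUS_OK, STATUS_NO_SESSION };
enum outcome { OUTCOME_HANDLED, OUTCOME_ERROR_REPLY, OUTCOME_NULL_DEREF };

static struct session_global g_global = { 1 };
static struct session g_session = { &g_global };

/* Constructed lookup: only vuid 1 is a live session. On failure *out is left
 * untouched (still NULL), which is what makes the fall-through dangerous. */
static enum status session_lookup(unsigned vuid, struct session **out)
{
	if (vuid == 1) { *out = &g_session; return STATUS_OK; }
	return STATUS_NO_SESSION;
}

/* Stand-in for reading session->global->auth_session_info: reports a NULL
 * pointer instead of crashing so the buggy path can be observed in a test. */
static enum outcome read_auth_info(struct session *s)
{
	if (s == NULL) {
		return OUTCOME_NULL_DEREF;
	}
	(void)s->global->auth_session_info;
	return OUTCOME_HANDLED;
}

/* Buggy shape: the error reply is sent, then control falls through to the deref. */
enum outcome reply_exit_buggy(unsigned vuid)
{
	struct session *session = NULL;
	if (session_lookup(vuid, &session) != STATUS_OK) {
		/* reply_force_doserror(); smb_request_done(); END_PROFILE(); */
		/* missing return */
	}
	return read_auth_info(session);
}

/* Fixed shape: the error branch returns, so a failed lookup never reaches the deref. */
enum outcome reply_exit_fixed(unsigned vuid)
{
	struct session *session = NULL;
	if (session_lookup(vuid, &session) != STATUS_OK) {
		/* reply_force_doserror(); smb_request_done(); END_PROFILE(); */
		return OUTCOME_ERROR_REPLY;
	}
	return read_auth_info(session);
}
```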
Comment 1 Jeremy Allison 2023-07-24 15:56:32 UTC
Acknowledged. I'll add this to the (growing) list.
Comment 2 Jeremy Allison 2023-08-11 22:23:14 UTC
Created attachment 18043 [details]
WIP patches for master.
Comment 3 Samba QA Contact 2023-08-14 19:53:03 UTC
This bug was referenced in samba master:

63895e03c4e8ed79a3b2cda928f58ec278cd6608
d79d0508a4b8bdc4582a350d109181ecae0bf1e2
Comment 4 Jeremy Allison 2023-08-14 22:25:44 UTC
Created attachment 18048 [details]
git-am fix for 4.19.next, 4.18.next.

Cherry-picked from master.

NB. These patches only apply after the patches from:

https://bugzilla.samba.org/show_bug.cgi?id=15420

have been applied first.
Comment 5 Jeremy Allison 2023-08-14 22:26:31 UTC
Created attachment 18049 [details]
git-am fix for 4.17.next

Back-ported from master. NB. The patches for 4.17.next from:

https://bugzilla.samba.org/show_bug.cgi?id=15420

must be applied first.
Comment 6 Noel Power 2023-08-15 08:51:21 UTC
Comment on attachment 18048 [details]
git-am fix for 4.19.next, 4.18.next.

lgtm
Comment 7 Noel Power 2023-08-15 13:23:10 UTC
Reassigning to Jule for inclusion in 4.17, 4.18, 4.19, but maybe I have done it too early, as bug #15420 (and associated patches) need to be in first. Sorry if so.
Comment 8 Jule Anger 2023-08-15 14:19:33 UTC
Pushed to autobuild-v4-{19,18,17}-test.
Comment 9 Samba QA Contact 2023-08-15 15:21:12 UTC
This bug was referenced in samba v4-19-test:

2c6179611686c8181329d64ca04ddb3edf42ebee
19dc2bf8e97dc82dd5f0344d80c49c55163840ef
Comment 10 Samba QA Contact 2023-08-16 09:48:04 UTC
This bug was referenced in samba v4-17-test:

7da254ffa186e9e61ef3c3f65ece714ff5b43b71
eb95b15b1ba06ad8fefaa71ff2cfec6f8973bd20
Comment 11 Samba QA Contact 2023-08-16 11:50:29 UTC
This bug was referenced in samba v4-18-test:

122afc377246f722306df2d8c1b4ca5eb0aa7bb0
320d654041d8f867f7bf3767486a028948136aa8
Comment 12 Samba QA Contact 2023-08-16 16:58:35 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.6):

122afc377246f722306df2d8c1b4ca5eb0aa7bb0
320d654041d8f867f7bf3767486a028948136aa8
Comment 13 Jule Anger 2023-08-17 07:42:54 UTC
Closing out bug report.

Thanks!
Comment 14 Samba QA Contact 2023-08-18 11:21:54 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc3):

2c6179611686c8181329d64ca04ddb3edf42ebee
19dc2bf8e97dc82dd5f0344d80c49c55163840ef
Comment 15 Samba QA Contact 2023-09-07 09:03:01 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.11):

7da254ffa186e9e61ef3c3f65ece714ff5b43b71
eb95b15b1ba06ad8fefaa71ff2cfec6f8973bd20