Created attachment 17995 [details]
client that sends an SMB_COM_PROCESS_EXIT that causes smbd to crash due to a missing return in reply_exit_done()

In reply_exit_done() in source3/smbd/smb1_reply.c:

    status = smb1srv_session_lookup(xconn, smb1req->vuid, now, &session);
    if (!NT_STATUS_IS_OK(status)) {
        reply_force_doserror(smb1req, ERRSRV, ERRinvnid);
        smb_request_done(smb1req);
        END_PROFILE(SMBexit);
    }
    ...;
    if (session->global->auth_session_info != NULL) {

I think there's a missing "return" at the end of the if block. As a result, the attached client program, which sends an SMB_COM_PROCESS_EXIT after negotiating, causes smbd to dereference a NULL session and crash.
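The fall-through pattern described in the report, reduced to a self-contained C illustration (added here, not Samba code): `handle_exit_buggy()` has the shape of the reported `reply_exit_done()`, `handle_exit_fixed()` has the early return, and the types, `session_lookup()` and `NT_STATUS_INVALID_VUID` are constructed stand-ins, not the real Samba definitions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the Samba types and macros named in the
 * report; they are not the real definitions. */
typedef int NTSTATUS;
#define NT_STATUS_OK 0
#define NT_STATUS_INVALID_VUID 1   /* hypothetical error value */
#define NT_STATUS_IS_OK(s) ((s) == NT_STATUS_OK)
struct auth_session_info { int unused; };
struct smbXsrv_session_global { struct auth_session_info *auth_session_info; };
struct smbXsrv_session { struct smbXsrv_session_global *global; };

/* One valid session, reachable under vuid 1; every other vuid is unknown. */
static struct auth_session_info g_auth;
static struct smbXsrv_session_global g_global = { &g_auth };
static struct smbXsrv_session g_session = { &g_global };

/* Stand-in for smb1srv_session_lookup(): on failure *out stays NULL. */
static NTSTATUS session_lookup(unsigned vuid, struct smbXsrv_session **out)
{
    *out = (vuid == 1) ? &g_session : NULL;
    return (*out != NULL) ? NT_STATUS_OK : NT_STATUS_INVALID_VUID;
}

/* Shape of the reported code: the error branch sends its reply but does
 * not return, so execution falls through to session->global with
 * session == NULL. Calling this with an unknown vuid crashes. */
bool handle_exit_buggy(unsigned vuid)
{
    struct smbXsrv_session *session = NULL;
    NTSTATUS status = session_lookup(vuid, &session);
    if (!NT_STATUS_IS_OK(status)) {
        /* reply_force_doserror(); smb_request_done(); END_PROFILE(); */
    }
    return session->global->auth_session_info != NULL;   /* NULL deref */
}

/* Corrected shape: the error branch ends with a return, so the
 * dereference below is only reached with a valid session. */
bool handle_exit_fixed(unsigned vuid)
{
    struct smbXsrv_session *session = NULL;
    NTSTATUS status = session_lookup(vuid, &session);
    if (!NT_STATUS_IS_OK(status)) {
        /* reply_force_doserror(); smb_request_done(); END_PROFILE(); */
        return false;   /* the return the report says is missing */
    }
    return session->global->auth_session_info != NULL;
}
```

With a valid vuid both variants agree; with an unknown vuid only the fixed variant returns cleanly, which is the case a unit test or fuzzer around the exit handler should cover.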
Acknowledged. I'll add this to the (growing) list.
Created attachment 18043 [details] WIP patches for master.
This bug was referenced in samba master: 63895e03c4e8ed79a3b2cda928f58ec278cd6608 d79d0508a4b8bdc4582a350d109181ecae0bf1e2
Created attachment 18048 [details]
git-am fix for 4.19.next, 4.18.next. Cherry-picked from master.

NB. These patches only apply after the patches from https://bugzilla.samba.org/show_bug.cgi?id=15420 have been applied first.
Created attachment 18049 [details]
git-am fix for 4.17.next. Back-ported from master.

NB. The patches for 4.17.next from https://bugzilla.samba.org/show_bug.cgi?id=15420 must be applied first.
Comment on attachment 18048 [details] git-am fix for 4.19.next, 4.18.next. lgtm
Reassigning to Jule for inclusion in 4.17, 4.18, 4.19, but maybe I have done it too early, as bug #15420 (and associated patches) need to be in first. Sorry if so.
Pushed to autobuild-v4-{19,18,17}-test.
This bug was referenced in samba v4-19-test: 2c6179611686c8181329d64ca04ddb3edf42ebee 19dc2bf8e97dc82dd5f0344d80c49c55163840ef
This bug was referenced in samba v4-17-test: 7da254ffa186e9e61ef3c3f65ece714ff5b43b71 eb95b15b1ba06ad8fefaa71ff2cfec6f8973bd20
This bug was referenced in samba v4-18-test: 122afc377246f722306df2d8c1b4ca5eb0aa7bb0 320d654041d8f867f7bf3767486a028948136aa8
This bug was referenced in samba v4-18-stable (Release samba-4.18.6): 122afc377246f722306df2d8c1b4ca5eb0aa7bb0 320d654041d8f867f7bf3767486a028948136aa8
Closing out bug report. Thanks!
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc3): 2c6179611686c8181329d64ca04ddb3edf42ebee 19dc2bf8e97dc82dd5f0344d80c49c55163840ef
This bug was referenced in samba v4-17-stable (Release samba-4.17.11): 7da254ffa186e9e61ef3c3f65ece714ff5b43b71 eb95b15b1ba06ad8fefaa71ff2cfec6f8973bd20