Bug 15430 - missing return in reply_exit_done()
Summary: missing return in reply_exit_done()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 15420
Blocks: 15432
  Show dependency treegraph
 
Reported: 2023-07-24 09:05 UTC by Robert Morris
Modified: 2023-09-07 09:03 UTC (History)
1 user (show)

See Also:

Attachments
client that sends an SMB_COM_PROCESS_EXIT that causes smbd to crash due to a missing return in reply_exit_done() (5.54 KB, text/x-csrc)
2023-07-24 09:05 UTC, Robert Morris 		no flags Details
WIP patches for master. (12.49 KB, patch)
2023-08-11 22:23 UTC, Jeremy Allison 		no flags Details
git-am fix for 4.19.next, 4.18.next. (8.25 KB, patch)
2023-08-14 22:25 UTC, Jeremy Allison 		npower: review+
Details
git-am fix for 4.17.next (8.24 KB, patch)
2023-08-14 22:26 UTC, Jeremy Allison 		npower: review+
Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Morris 2023-07-24 09:05:35 UTC 
Created attachment 17995 [details]
client that sends an SMB_COM_PROCESS_EXIT that causes smbd to crash due to a missing return in reply_exit_done()

In reply_exit_done() in source3/smbd/smb1_reply.c:

        status = smb1srv_session_lookup(xconn,
                                        smb1req->vuid,
                                        now,
                                        &session);
        if (!NT_STATUS_IS_OK(status)) {
                reply_force_doserror(smb1req, ERRSRV, ERRinvnid);
                smb_request_done(smb1req);
                END_PROFILE(SMBexit);
        }
        ...;
        if (session->global->auth_session_info != NULL) {

I think there's a missing "return" at the end of the if block. As a
result, the attached client program, which sends a
SMB_COM_PROCESS_EXIT after negotiating, causes smbd to dereference a
NULL session and crash.
Comment 1 Jeremy Allison 2023-07-24 15:56:32 UTC 
Acknowledged. I'll add this to the (growing) list.
Comment 2 Jeremy Allison 2023-08-11 22:23:14 UTC 
Created attachment 18043 [details]
WIP patches for master.
Comment 3 Samba QA Contact 2023-08-14 19:53:03 UTC 
This bug was referenced in samba master:

63895e03c4e8ed79a3b2cda928f58ec278cd6608
d79d0508a4b8bdc4582a350d109181ecae0bf1e2
Comment 4 Jeremy Allison 2023-08-14 22:25:44 UTC 
Created attachment 18048 [details]
git-am fix for 4.19.next, 4.18.next.

Cherry-picked from master.

NB. These patches only apply after the patches from:

https://bugzilla.samba.org/show_bug.cgi?id=15420

have been applied first.
Comment 5 Jeremy Allison 2023-08-14 22:26:31 UTC 
Created attachment 18049 [details]
git-am fix for 4.17.next

Back-ported from master. NB. The patches for 4.17.next from:

https://bugzilla.samba.org/show_bug.cgi?id=15420

must be applied first.
Comment 6 Noel Power 2023-08-15 08:51:21 UTC 
Comment on attachment 18048 [details]
git-am fix for 4.19.next, 4.18.next.

lgtm
Comment 7 Noel Power 2023-08-15 13:23:10 UTC 
reassigning to Jule for inclusion in 4.17,4.18,4.19 but maybe I have done it too early as bug #15420 (and associated patches need to be in first) sorry if so
Comment 8 Jule Anger 2023-08-15 14:19:33 UTC 
Pushed to autobuild-v4-{19,18,17}-test.
Comment 9 Samba QA Contact 2023-08-15 15:21:12 UTC 
This bug was referenced in samba v4-19-test:

2c6179611686c8181329d64ca04ddb3edf42ebee
19dc2bf8e97dc82dd5f0344d80c49c55163840ef
Comment 10 Samba QA Contact 2023-08-16 09:48:04 UTC 
This bug was referenced in samba v4-17-test:

7da254ffa186e9e61ef3c3f65ece714ff5b43b71
eb95b15b1ba06ad8fefaa71ff2cfec6f8973bd20
Comment 11 Samba QA Contact 2023-08-16 11:50:29 UTC 
This bug was referenced in samba v4-18-test:

122afc377246f722306df2d8c1b4ca5eb0aa7bb0
320d654041d8f867f7bf3767486a028948136aa8
Comment 12 Samba QA Contact 2023-08-16 16:58:35 UTC 
This bug was referenced in samba v4-18-stable (Release samba-4.18.6):

122afc377246f722306df2d8c1b4ca5eb0aa7bb0
320d654041d8f867f7bf3767486a028948136aa8
Comment 13 Jule Anger 2023-08-17 07:42:54 UTC 
Closing out bug report.

Thanks!
Comment 14 Samba QA Contact 2023-08-18 11:21:54 UTC 
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc3):

2c6179611686c8181329d64ca04ddb3edf42ebee
19dc2bf8e97dc82dd5f0344d80c49c55163840ef
Comment 15 Samba QA Contact 2023-09-07 09:03:01 UTC 
This bug was referenced in samba v4-17-stable (Release samba-4.17.11):

7da254ffa186e9e61ef3c3f65ece714ff5b43b71
eb95b15b1ba06ad8fefaa71ff2cfec6f8973bd20