Created attachment 17996
fake smb server that causes smbclient -L to crash

smb2cli_read_done() can execute successfully but leave state->data equal to NULL and state->data_length greater than zero. This happens when the read response from the smb server supplies a DataOffset of zero and a DataLength that's non-zero. This causes smb2cli_read_done()'s call to smb2cli_parse_dyn_buffer() to return OK without setting data_buffer.data:

    if (buffer_offset == 0) {
        ...
        return NT_STATUS_OK;

state->data == NULL but state->data_length > 0 causes a crash in smbclient -L when setting up the named pipe, when tstream_smbXcli_np_readv_read_done()'s successful call to smb2cli_read_recv() is expected to have set rcvbuf, but actually sets it to state->data and thus NULL.

I've attached a demo server which causes this crash in smbclient -L, with this backtrace:

#0  0x00002eae87b15f2c in memcpy (dstx=0x2eb6c26f7d10, srcx=0x0, len=2)
#1  0x00002eae8793e8ea in tstream_smbXcli_np_readv_read_done (subreq=0x2eb6c26f5520) at ../../libcli/smb/tstream_smbXcli_np.c:1106
#2  0x00002eae871bc036 in _tevent_req_notify_callback (req=0x2eb6c26f5520, location=0x2eae8681fcc5 "../../libcli/smb/smb2cli_read.c:149") at ../../lib/tevent/tevent_req.c:151
#3  0x00002eae871bc1f4 in tevent_req_finish (req=0x2eb6c26f5520, state=TEVENT_REQ_DONE, location=0x2eae8681fcc5 "../../libcli/smb/smb2cli_read.c:149") at ../../lib/tevent/tevent_req.c:203
#4  0x00002eae871bc0b2 in _tevent_req_done (req=0x2eb6c26f5520, location=0x2eae8681fcc5 "../../libcli/smb/smb2cli_read.c:149") at ../../lib/tevent/tevent_req.c:209
#5  0x00002eae8793749c in smb2cli_read_done (subreq=0x0) at ../../libcli/smb/smb2cli_read.c:149
#6  0x00002eae871bc036 in _tevent_req_notify_callback (req=0x2eb6c26f5a80, location=0x2eae86a55d5a "../../libcli/smb/smbXcli_base.c:4089") at ../../lib/tevent/tevent_req.c:151
#7  0x00002eae871bc1f4 in tevent_req_finish (req=0x2eb6c26f5a80, state=TEVENT_REQ_DONE, location=0x2eae86a55d5a "../../libcli/smb/smbXcli_base.c:4089") at ../../lib/tevent/tevent_req.c:203
#8  0x00002eae871bc347 in tevent_req_trigger (ev=0x2eb6c26edf70, im=0x2eb6c26f6000, private_data=0x2eb6c26f5a80) at ../../lib/tevent/tevent_req.c:260
#9  0x00002eae871ba832 in tevent_common_invoke_immediate_handler (im=0x2eb6c26f6000, removed=0x0) at ../../lib/tevent/tevent_immediate.c:190
#10 0x00002eae871ba9a9 in tevent_common_loop_immediate (ev=0x2eb6c26edf70) at ../../lib/tevent/tevent_immediate.c:236
#11 0x00002eae871bf01b in poll_event_loop_once (ev=0x2eb6c26edf70, location=0x2eae86860901 "../../lib/tevent/tevent_req.c:310") at ../../lib/tevent/tevent_poll.c:617
#12 0x00002eae871b81d4 in _tevent_loop_once (ev=0x2eb6c26edf70, location=0x2eae86860901 "../../lib/tevent/tevent_req.c:310") at ../../lib/tevent/tevent.c:823
#13 0x00002eae871bc546 in tevent_req_poll (req=0x2eb6c26ee350, ev=0x2eb6c26edf70) at ../../lib/tevent/tevent_req.c:310
#14 0x00002eae86d567cf in tevent_req_poll_ntstatus (req=0x2eb6c26ee350, ev=0x2eb6c26edf70, status=0x2eb6a81710f0) at ../../lib/util/tevent_ntstatus.c:109
#15 0x00002eae871956df in rpc_pipe_bind (cli=0x2eb6c26e2840, auth=0x2eb6c26e7220) at ../../source3/rpc_client/cli_pipe.c:2055
#16 0x00002eae87197d2f in cli_rpc_pipe_open_noauth_transport (cli=0x2eb6c26b96b0, transport=NCACN_NP, table=0x2eae87d05cc8 <ndr_table_srvsvc>, remote_name=0x2eb6c26b9cd0 "x", remote_sockaddr=0x2eb6c26b9a18, presult=0x2eb6a8171298) at ../../source3/rpc_client/cli_pipe.c:3390
#17 0x00002eae87198034 in cli_rpc_pipe_open_noauth (cli=0x2eb6c26b96b0, table=0x2eae87d05cc8 <ndr_table_srvsvc>, presult=0x2eb6a8171298) at ../../source3/rpc_client/cli_pipe.c:3427
#18 0x00002eae87b13631 in browse_host_rpc (sort=true) at ../../source3/client/client.c:4888
#19 0x00002eae87b13316 in browse_host (sort=true) at ../../source3/client/client.c:4943
#20 0x00002eae87b04e28 in do_host_query (query_host=0x2eb6c26a3270 "x") at ../../source3/client/client.c:6230
#21 0x00002eae87b04860 in main (argc=8, argv=0x2eb6a8171930) at ../../source3/client/client.c:6724
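A hardened form of the DataOffset/DataLength check the report describes, written here as an added example in C; it is not Samba's code. parse_dyn_buffer, parse_read_response, verdict_for and the dyn_status codes are hypothetical names standing in for Samba's smb2cli_parse_dyn_buffer and its NTSTATUS results, and the READ response layout (64-byte header, DataOffset at body byte 2, DataLength at body bytes 4..7) comes from MS-SMB2 rather than from the report. The point is that a successful return must never leave a NULL data pointer paired with a non-zero length, so a response with DataOffset 0 and DataLength 2 is rejected instead of reaching the memcpy in the backtrace.

```c
#include <stddef.h>
#include <stdint.h>
#define SMB2_HDR_LEN 64u         /* fixed SMB2 header */
#define SMB2_READ_FIXED_LEN 16u  /* fixed part of a READ response body */

/* Hypothetical stand-ins for the NTSTATUS codes and the output struct. */
enum dyn_status { DYN_OK = 0, DYN_INVALID_PARAMETER, DYN_BUFFER_TOO_SMALL };
struct dyn_buffer { const uint8_t *data; uint32_t length; };

/* Hypothetical version of the check the report describes. The reported code
 * returned success on buffer_offset == 0 without filling *out; here a zero
 * offset is accepted only with a zero length, so success implies data != NULL
 * whenever length > 0. */
enum dyn_status parse_dyn_buffer(const uint8_t *pdu, size_t pdu_len,
                                 uint32_t buffer_offset, uint32_t buffer_length,
                                 struct dyn_buffer *out)
{
    out->data = NULL; out->length = 0;
    if (buffer_offset == 0) {
        return buffer_length == 0 ? DYN_OK : DYN_INVALID_PARAMETER;
    }
    /* Offset and claimed length must both lie inside the received PDU. */
    if (buffer_offset > pdu_len || buffer_length > pdu_len - buffer_offset) {
        return DYN_BUFFER_TOO_SMALL;
    }
    out->data = pdu + buffer_offset;
    out->length = buffer_length;
    return DYN_OK;
}

/* DataOffset is body byte 2, DataLength the little-endian u32 at body bytes
 * 4..7 (MS-SMB2 2.2.20); both are measured from the start of the header. */
enum dyn_status parse_read_response(const uint8_t *pdu, size_t pdu_len,
                                    struct dyn_buffer *out)
{
    if (pdu_len < SMB2_HDR_LEN + SMB2_READ_FIXED_LEN) return DYN_BUFFER_TOO_SMALL;
    const uint8_t *body = pdu + SMB2_HDR_LEN;
    uint32_t len = (uint32_t)body[4] | (uint32_t)body[5] << 8 |
                   (uint32_t)body[6] << 16 | (uint32_t)body[7] << 24;
    return parse_dyn_buffer(pdu, pdu_len, body[2], len, out);
}

/* Constructed sample: 64-byte header, 16-byte body (StructureSize 17, the
 * given DataOffset, DataLength 2), then payload "ok" at bytes 80..81.
 * Static so the data pointer handed back in *out stays valid for the caller. */
enum dyn_status verdict_for(uint8_t data_offset, struct dyn_buffer *out)
{
    static uint8_t pdu[SMB2_HDR_LEN + SMB2_READ_FIXED_LEN + 2] = {0};
    pdu[64] = 17; pdu[66] = data_offset; pdu[68] = 2;
    pdu[80] = 'o'; pdu[81] = 'k';
    return parse_read_response(pdu, sizeof pdu, out);
}
```

verdict_for(0, ...) reproduces the reported malformed response and is refused with data still NULL and length 0; verdict_for(80, ...) is the well-formed case and yields the two payload bytes.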
Again, thanks for this work! It is much appreciated.