Bug 15431 - SMB read reply with offset 0 can cause smbclient -L to crash
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2023-07-24 11:00 UTC by Robert Morris
Modified: 2023-07-24 15:57 UTC

Attachment: fake smb server that causes smbclient -L to crash (14.10 KB, text/x-csrc), 2023-07-24 11:00 UTC, Robert Morris
Description Robert Morris 2023-07-24 11:00:08 UTC
Created attachment 17996
fake smb server that causes smbclient -L to crash

smb2cli_read_done() can execute successfully but leave state->data
equal to NULL and state->data_length greater than zero. This happens
when the read response from the smb server supplies a DataOffset of
zero and a DataLength that's non-zero. This causes
smb2cli_read_done()'s call to smb2cli_parse_dyn_buffer() to return OK
without setting data_buffer.data:

        if (buffer_offset == 0) {
                return NT_STATUS_OK;

state->data == NULL but state->data_length > 0 causes a crash in
smbclient -L when setting up the named pipe, when
tstream_smbXcli_np_readv_read_done()'s successful call to
smb2cli_read_recv() is expected to have set rcvbuf, but actually sets
it to state->data and thus NULL.

I've attached a demo server which causes this crash in smbclient -L,
with this backtrace:

#0  0x00002eae87b15f2c in memcpy (dstx=0x2eb6c26f7d10, srcx=0x0, len=2)
#1  0x00002eae8793e8ea in tstream_smbXcli_np_readv_read_done (
    subreq=0x2eb6c26f5520) at ../../libcli/smb/tstream_smbXcli_np.c:1106
#2  0x00002eae871bc036 in _tevent_req_notify_callback (req=0x2eb6c26f5520, 
    location=0x2eae8681fcc5 "../../libcli/smb/smb2cli_read.c:149")
    at ../../lib/tevent/tevent_req.c:151
#3  0x00002eae871bc1f4 in tevent_req_finish (req=0x2eb6c26f5520, 
    location=0x2eae8681fcc5 "../../libcli/smb/smb2cli_read.c:149")
    at ../../lib/tevent/tevent_req.c:203
#4  0x00002eae871bc0b2 in _tevent_req_done (req=0x2eb6c26f5520, 
    location=0x2eae8681fcc5 "../../libcli/smb/smb2cli_read.c:149")
    at ../../lib/tevent/tevent_req.c:209
#5  0x00002eae8793749c in smb2cli_read_done (subreq=0x0)
    at ../../libcli/smb/smb2cli_read.c:149
#6  0x00002eae871bc036 in _tevent_req_notify_callback (req=0x2eb6c26f5a80, 
    location=0x2eae86a55d5a "../../libcli/smb/smbXcli_base.c:4089")
    at ../../lib/tevent/tevent_req.c:151
#7  0x00002eae871bc1f4 in tevent_req_finish (req=0x2eb6c26f5a80, 
    location=0x2eae86a55d5a "../../libcli/smb/smbXcli_base.c:4089")
    at ../../lib/tevent/tevent_req.c:203
#8  0x00002eae871bc347 in tevent_req_trigger (ev=0x2eb6c26edf70, 
    im=0x2eb6c26f6000, private_data=0x2eb6c26f5a80)
    at ../../lib/tevent/tevent_req.c:260
#9  0x00002eae871ba832 in tevent_common_invoke_immediate_handler (
    im=0x2eb6c26f6000, removed=0x0) at ../../lib/tevent/tevent_immediate.c:190
#10 0x00002eae871ba9a9 in tevent_common_loop_immediate (ev=0x2eb6c26edf70)
    at ../../lib/tevent/tevent_immediate.c:236
#11 0x00002eae871bf01b in poll_event_loop_once (ev=0x2eb6c26edf70, 
    location=0x2eae86860901 "../../lib/tevent/tevent_req.c:310")
    at ../../lib/tevent/tevent_poll.c:617
#12 0x00002eae871b81d4 in _tevent_loop_once (ev=0x2eb6c26edf70, 
    location=0x2eae86860901 "../../lib/tevent/tevent_req.c:310")
    at ../../lib/tevent/tevent.c:823
#13 0x00002eae871bc546 in tevent_req_poll (req=0x2eb6c26ee350, 
    ev=0x2eb6c26edf70) at ../../lib/tevent/tevent_req.c:310
#14 0x00002eae86d567cf in tevent_req_poll_ntstatus (req=0x2eb6c26ee350, 
    ev=0x2eb6c26edf70, status=0x2eb6a81710f0)
    at ../../lib/util/tevent_ntstatus.c:109
#15 0x00002eae871956df in rpc_pipe_bind (cli=0x2eb6c26e2840, 
    auth=0x2eb6c26e7220) at ../../source3/rpc_client/cli_pipe.c:2055
#16 0x00002eae87197d2f in cli_rpc_pipe_open_noauth_transport (
    cli=0x2eb6c26b96b0, transport=NCACN_NP, 
    table=0x2eae87d05cc8 <ndr_table_srvsvc>, remote_name=0x2eb6c26b9cd0 "x", 
    remote_sockaddr=0x2eb6c26b9a18, presult=0x2eb6a8171298)
    at ../../source3/rpc_client/cli_pipe.c:3390
#17 0x00002eae87198034 in cli_rpc_pipe_open_noauth (cli=0x2eb6c26b96b0, 
    table=0x2eae87d05cc8 <ndr_table_srvsvc>, presult=0x2eb6a8171298)
    at ../../source3/rpc_client/cli_pipe.c:3427
#18 0x00002eae87b13631 in browse_host_rpc (sort=true)
    at ../../source3/client/client.c:4888
#19 0x00002eae87b13316 in browse_host (sort=true)
    at ../../source3/client/client.c:4943
#20 0x00002eae87b04e28 in do_host_query (query_host=0x2eb6c26a3270 "x")
    at ../../source3/client/client.c:6230
#21 0x00002eae87b04860 in main (argc=8, argv=0x2eb6a8171930)
    at ../../source3/client/client.c:6724
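A defensive validator for the condition this report describes, written as an added example (it is not Samba's smb2cli_parse_dyn_buffer, and the layout constants, status enum and packet builder are assumptions modelled on the SMB2 READ response format): a non-zero DataLength with a DataOffset of zero, or an offset/length pair that does not fit inside the packet, is rejected instead of returning success with a NULL data pointer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SMB2_HDR_LEN        64   /* fixed SMB2 header size */
#define SMB2_READ_RESP_FIXED 16  /* fixed part of the READ response body */

/* Outcome of validating the dynamic buffer (constructed for this example). */
enum dyn_status { DYN_OK = 0, DYN_EMPTY, DYN_OFFSET_ZERO,
                  DYN_OUT_OF_BOUNDS, DYN_TOO_SHORT };

/* Little-endian 32-bit read, independent of host byte order. */
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* pkt points at the SMB2 header of a READ response; pkt_len is the whole packet.
 * On DYN_OK, *data/*data_len point into pkt. Any other status leaves *data NULL,
 * so a caller can never see a NULL buffer with a non-zero length on success. */
enum dyn_status validate_read_reply(const uint8_t *pkt, size_t pkt_len,
                                    const uint8_t **data, uint32_t *data_len)
{
    *data = NULL; *data_len = 0;
    if (pkt_len < SMB2_HDR_LEN + SMB2_READ_RESP_FIXED) return DYN_TOO_SHORT;
    const uint8_t *body = pkt + SMB2_HDR_LEN;
    uint8_t  data_offset = body[2];          /* DataOffset: from start of SMB2 header */
    uint32_t data_length = le32(body + 4);   /* DataLength */
    if (data_length == 0) return DYN_EMPTY;  /* legitimately no payload */
    /* The case in the report: offset 0 with a non-zero length must not succeed. */
    if (data_offset == 0) return DYN_OFFSET_ZERO;
    /* Payload must start after the fixed part and fit inside the packet. */
    if (data_offset < SMB2_HDR_LEN + SMB2_READ_RESP_FIXED) return DYN_OUT_OF_BOUNDS;
    if (data_offset > pkt_len || data_length > pkt_len - data_offset) return DYN_OUT_OF_BOUNDS;
    *data = pkt + data_offset; *data_len = data_length;
    return DYN_OK;
}

/* Builds a constructed READ reply with the given fields and validates it. */
enum dyn_status check_read_reply(uint8_t data_offset, uint32_t data_length, size_t payload_bytes)
{
    uint8_t pkt[256] = {0};  /* header bytes left zero; only the body fields matter here */
    uint8_t *body = pkt + SMB2_HDR_LEN;
    size_t pkt_len = SMB2_HDR_LEN + SMB2_READ_RESP_FIXED + payload_bytes;
    body[0] = 17; body[2] = data_offset;     /* StructureSize, DataOffset */
    body[4] = data_length & 0xff;            body[5] = (data_length >> 8) & 0xff;
    body[6] = (data_length >> 16) & 0xff;    body[7] = (data_length >> 24) & 0xff;
    memset(body + SMB2_READ_RESP_FIXED, 'A', payload_bytes);
    const uint8_t *data; uint32_t len;
    return validate_read_reply(pkt, pkt_len, &data, &len);
}
```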
Comment 1 Jeremy Allison 2023-07-24 15:57:16 UTC
Again, thanks for this work! It is much appreciated.