Created attachment 17997 [details] client that sends TREE_CONNECT without SETUP, potentially crashing smbd

If the client sends a NEGOTIATE and then a TREE_CONNECT without a SETUP, req->session is never initialized, and reply_tcon()'s call to make_connect() can run into trouble when it dereferences req->session. reply_tcon_and_X() doesn't have this problem because it calls smb1srv_session_lookup() and discovers the invalid session before it would call make_connect(). I've attached a demo client.

Here's a backtrace:

Program received signal SIGBUS, Bus error.
Object-specific hardware error.
0x0000000001c13933 in make_connection (req=0x81350b9a0, now=133347041815362820, service_in=0x81350bb80 "x", pdev=0x81350bca0 "A:", vuid=0, status=0x7fffffffdb58) at ../../source3/smbd/smb1_service.c:183
183	} else if ((session->homes_snum != -1)
(gdb) where
#0  0x0000000001c13933 in make_connection (req=0x816513e40, now=133346960127256700, service_in=0x81652a950 "", pdev=0x81652aa70 "", vuid=11131, status=0x7fffffffda28) at ../../source3/smbd/smb1_service.c:183
#1  0x0000000001bfcd69 in reply_tcon (req=0x816513e40) at ../../source3/smbd/smb1_reply.c:215
#2  0x0000000001c17515 in switch_message (type=112 'p', req=0x816513e40) at ../../source3/smbd/smb1_process.c:1289
#3  0x0000000001c17803 in smb_request_done (req=0x816513e40) at ../../source3/smbd/smb1_process.c:1425
#4  0x0000000001c040b3 in reply_ulogoffX_done (req=0x0) at ../../source3/smbd/smb1_reply.c:2372
#5  0x0000000001f3a6a6 in _tevent_req_notify_callback (req=0x8165290a0, location=0x130991b "../../source3/smbd/smb1_reply.c:2316") at ../../lib/tevent/tevent_req.c:151
#6  0x0000000001f3a864 in tevent_req_finish (req=0x8165290a0, state=TEVENT_REQ_DONE, location=0x130991b "../../source3/smbd/smb1_reply.c:2316") at ../../lib/tevent/tevent_req.c:203
#7  0x0000000001f3a722 in _tevent_req_done (req=0x8165290a0, location=0x130991b "../../source3/smbd/smb1_reply.c:2316") at ../../lib/tevent/tevent_req.c:209
#8  0x0000000001c130d0 in reply_ulogoffX_wait_done (subreq=0x0) at ../../source3/smbd/smb1_reply.c:2316
#9  0x0000000001f3a6a6 in _tevent_req_notify_callback (req=0x8165297c0, location=0x13d4c6d "../../lib/tevent/tevent_queue.c:371") at ../../lib/tevent/tevent_req.c:151
#10 0x0000000001f3a864 in tevent_req_finish (req=0x8165297c0, state=TEVENT_REQ_DONE, location=0x13d4c6d "../../lib/tevent/tevent_queue.c:371") at ../../lib/tevent/tevent_req.c:203
#11 0x0000000001f3a722 in _tevent_req_done (req=0x8165297c0, location=0x13d4c6d "../../lib/tevent/tevent_queue.c:371") at ../../lib/tevent/tevent_req.c:209
#12 0x0000000001f399f0 in tevent_queue_wait_trigger (req=0x8165297c0, private_data=0x0) at ../../lib/tevent/tevent_queue.c:371
#13 0x0000000001f39876 in tevent_queue_immediate_trigger (ev=0x80413b490, im=0x8165296b0, private_data=0x816529560) at ../../lib/tevent/tevent_queue.c:155
#14 0x0000000001f38ea2 in tevent_common_invoke_immediate_handler (im=0x8165296b0, removed=0x0) at ../../lib/tevent/tevent_immediate.c:190
#15 0x0000000001f39019 in tevent_common_loop_immediate (ev=0x80413b490) at ../../lib/tevent/tevent_immediate.c:236
#16 0x0000000001f3d68b in poll_event_loop_once (ev=0x80413b490, location=0x153cfc9 "../../source3/smbd/smb2_process.c:2020") at ../../lib/tevent/tevent_poll.c:617
#17 0x0000000001f36844 in _tevent_loop_once (ev=0x80413b490, location=0x153cfc9 "../../source3/smbd/smb2_process.c:2020") at ../../lib/tevent/tevent.c:823
#18 0x0000000001f36c43 in tevent_common_loop_wait (ev=0x80413b490, location=0x153cfc9 "../../source3/smbd/smb2_process.c:2020") at ../../lib/tevent/tevent.c:949
#19 0x0000000001f36ce5 in _tevent_loop_wait (ev=0x80413b490, location=0x153cfc9 "../../source3/smbd/smb2_process.c:2020") at ../../lib/tevent/tevent.c:968
#20 0x0000000001b40580 in smbd_process (ev_ctx=0x80413b490, msg_ctx=0x80413bb20, sock_fd=26, interactive=true) at ../../source3/smbd/smb2_process.c:2020
#21 0x0000000001dbe9f8 in smbd_accept_connection (ev=0x80413b490, fde=0x813500850, flags=1, private_data=0x813500580) at ../../source3/smbd/server.c:978
#22 0x0000000001f38456 in tevent_common_invoke_fd_handler (fde=0x813500850, flags=1, removed=0x0) at ../../lib/tevent/tevent_fd.c:142
#23 0x0000000001f3de7a in poll_event_loop_poll (ev=0x80413b490, tvalp=0x7fffffffe478) at ../../lib/tevent/tevent_poll.c:569
#24 0x0000000001f3d6f4 in poll_event_loop_once (ev=0x80413b490, location=0x149c0ce "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent_poll.c:626
#25 0x0000000001f36844 in _tevent_loop_once (ev=0x80413b490, location=0x149c0ce "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent.c:823
#26 0x0000000001f36c43 in tevent_common_loop_wait (ev=0x80413b490, location=0x149c0ce "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent.c:949
#27 0x0000000001f36ce5 in _tevent_loop_wait (ev=0x80413b490, location=0x149c0ce "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent.c:968
#28 0x0000000001dbbe16 in smbd_parent_loop (ev_ctx=0x80413b490, parent=0x80414d190) at ../../source3/smbd/server.c:1373
#29 0x0000000001db98c4 in main (argc=2, argv=0x7fffffffea70) at ../../source3/smbd/server.c:2130
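The ordering problem described in the report (a TREE_CONNECT handler touching the session before any lookup has established that one exists) can be illustrated with a small constructed model. The following C is an added example written for this page; it is not Samba code, and the struct names, enum values, counters and the run_sequence() driver are all hypothetical. It models the checked ordering the report credits to reply_tcon_and_X(): resolve the session first, refuse the request when it is absent, and only then read session fields such as the homes_snum value that appears in the crashing line. It also keeps a counter of rejected TREE_CONNECTs, which is the kind of signal a server could log so that a client skipping SESSION_SETUP is visible rather than silent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model; none of these are Samba's types or functions. */
enum cmd { NEGOTIATE, SESSION_SETUP, TREE_CONNECT };
enum status { ST_OK, ST_NOT_NEGOTIATED, ST_NO_SESSION };

struct session {
    int homes_snum;           /* -1 means "no home share", mirroring the crashing check */
};

struct conn {
    bool negotiated;          /* set by NEGOTIATE */
    struct session *session;  /* stays NULL until SESSION_SETUP succeeds */
    struct session storage;   /* backing store for this connection's one session */
    int tcon_without_session; /* anomaly counter a real server would log */
};

static void conn_init(struct conn *c)
{
    *c = (struct conn){0};
    c->storage.homes_snum = -1;
}

/* Checked TREE_CONNECT: look the session up before dereferencing it.
 * An unchecked handler would read c->session->homes_snum here and
 * fault on the NULL pointer when no SESSION_SETUP ever ran. */
static enum status tcon_checked(struct conn *c, bool *used_homes)
{
    if (c->session == NULL) {
        c->tcon_without_session++;
        return ST_NO_SESSION;
    }
    *used_homes = (c->session->homes_snum != -1);
    return ST_OK;
}

/* Drive a command sequence; stops at and returns the first non-OK status. */
enum status run_sequence(struct conn *c, const enum cmd *cmds, size_t n, bool *used_homes)
{
    enum status st = ST_OK;
    *used_homes = false;
    for (size_t i = 0; i < n; i++) {
        switch (cmds[i]) {
        case NEGOTIATE:
            c->negotiated = true;
            st = ST_OK;
            break;
        case SESSION_SETUP:
            if (!c->negotiated) { st = ST_NOT_NEGOTIATED; break; }
            c->session = &c->storage;
            st = ST_OK;
            break;
        case TREE_CONNECT:
            if (!c->negotiated) { st = ST_NOT_NEGOTIATED; break; }
            st = tcon_checked(c, used_homes);
            break;
        }
        if (st != ST_OK) {
            return st;
        }
    }
    return st;
}

/* The sequence from the report: NEGOTIATE straight into TREE_CONNECT. */
enum status sequence_without_setup(int *rejected)
{
    struct conn c;
    const enum cmd seq[] = { NEGOTIATE, TREE_CONNECT };
    bool homes;
    enum status st;
    conn_init(&c);
    st = run_sequence(&c, seq, sizeof seq / sizeof seq[0], &homes);
    *rejected = c.tcon_without_session;
    return st;
}

/* The well-formed sequence a normal client sends. */
enum status sequence_with_setup(int *rejected)
{
    struct conn c;
    const enum cmd seq[] = { NEGOTIATE, SESSION_SETUP, TREE_CONNECT };
    bool homes;
    enum status st;
    conn_init(&c);
    st = run_sequence(&c, seq, sizeof seq / sizeof seq[0], &homes);
    *rejected = c.tcon_without_session;
    return st;
}

int main(void)
{
    int rejected;
    enum status st = sequence_without_setup(&rejected);
    printf("NEGOTIATE, TREE_CONNECT: status %d, rejected tcons %d\n", st, rejected);
    st = sequence_with_setup(&rejected);
    printf("NEGOTIATE, SESSION_SETUP, TREE_CONNECT: status %d, rejected tcons %d\n", st, rejected);
    return 0;
}
```

The point of the model is the order of operations in tcon_checked(): the NULL check and the rejection come before any field of the session is read, so a missing SESSION_SETUP becomes a rejected request and a counter increment rather than a crash of the serving process.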
Sigh. Keep 'em coming (and thanks for all the *great* work !).
Created attachment 18045 [details] WIP patches for master.
This bug was referenced in samba master: f02f74e931f5821c7b7c1be2b8f0fb60c9a69b19 c32df3bb31ce6275cfb91107e34e2d6b3c2fba1b 4145bfb1b5a3639caf26a310d612aec29fc00117
Created attachment 18054 [details] git-am fix for 4.19.next Cherry-picked from master.
Created attachment 18055 [details] git-am fix for 4.18.next Back-ported from master.
Created attachment 18056 [details] git-am fix for 4.17.next Back-ported from master.
Comment on attachment 18055 [details] git-am fix for 4.18.next doesn't apply for me v4-18-test
Comment on attachment 18056 [details] git-am fix for 4.17.next doesn't apply for me against 4-17-test
Comment on attachment 18056 [details] git-am fix for 4.17.next applies now (since 4.17-test has been updated)
Comment on attachment 18055 [details] git-am fix for 4.18.next I'm assuming the apply fail is because of missing patches as yet not on the 4.18-test branch (as seen with 4.17-test) so rb+
Re-assigning to Jule for inclusion in 4.19.next, 4.18.next, 4.17.next. NB. The patches for: https://bugzilla.samba.org/show_bug.cgi?id=15430 https://bugzilla.samba.org/show_bug.cgi?id=15420 need to be applied in turn (#15420 first, then #15430) for these to apply correctly. Thanks !
Pushed to autobuild-v4-{19,18,17}-test.
This bug was referenced in samba v4-19-test: c7b1876ac53fc82283c0673ff04b1e47de34a78b 34291111df272c8a8396b54ff86e6e839c7ab3ff 6a4622c4e8da8a67f280e4bacf7a32bb460f59d1
This bug was referenced in samba v4-17-test: 098e5f240a5561a7d57d936d9d01eba8994fa91f 4f3d61dc268f193c324a03a5013d4ea1903c33c6 fca63c10314ca16e30d45880957f0e84d55296ae
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc3): c7b1876ac53fc82283c0673ff04b1e47de34a78b 34291111df272c8a8396b54ff86e6e839c7ab3ff 6a4622c4e8da8a67f280e4bacf7a32bb460f59d1
This bug was referenced in samba v4-18-test: d2c16aada79fa13dcc2e60b05586388f819d93d6 0605946d20f582cb66a807baf3defa41b97f4857 0a044e409dede6a51c32d269e82c17f6b8f5abf0
Closing out bug report. Thanks!
This bug was referenced in samba v4-17-stable (Release samba-4.17.11): 098e5f240a5561a7d57d936d9d01eba8994fa91f 4f3d61dc268f193c324a03a5013d4ea1903c33c6 fca63c10314ca16e30d45880957f0e84d55296ae
This bug was referenced in samba v4-18-stable (Release samba-4.18.7): d2c16aada79fa13dcc2e60b05586388f819d93d6 0605946d20f582cb66a807baf3defa41b97f4857 0a044e409dede6a51c32d269e82c17f6b8f5abf0