Bug 2263 - smbd coredumps when adding "User manager for domains"
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.10
Hardware: All FreeBSD
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-01-19 20:57 UTC by Timur Bakeyev
Modified: 2005-08-24 10:16 UTC

Attachments
Add sanity checks to the input parameters in base64_encode_data_blob() (659 bytes, patch)
2005-01-19 20:58 UTC, Timur Bakeyev
Description Timur Bakeyev 2005-01-19 20:57:34 UTC
I've got a report from the user (Konstantin Reznichenko <kot@premierbank.dp.ua>)
together with the patch:

His smbd was coredumping when adding a user from "User manager for domains" with
the signal 11:

         if ((from->fields_present & ACCT_CALLBACK) &&
             (from->hdr_munged_dial.buffer)) {
                 char *newstr;
                 old_string = pdb_get_munged_dial(to);
                 mung.length = from->hdr_munged_dial.uni_str_len;
                 mung.data = (uint8 *) from->uni_munged_dial.buffer;
                 newstr = base64_encode_data_blob(mung);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ dies here
                 DEBUG(10,("INFO_23 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr));
                 if (STRING_CHANGED_NC(old_string, newstr))
                         pdb_set_munged_dial(to   , newstr, PDB_CHANGED);

                 SAFE_FREE(newstr);
         }

It's a bit difficult to trace the problem now, as he was using 3.0.4 at the
moment of writing, but his patch fixes at least the problem with the insufficient
parameter verification in base64_encode_data_blob().

Patch is attached to the bug report. Just for the record, his smb.conf contains:

add machine script = /usr/sbin/pw useradd -n%u -cMachines -d/nonexistent -gntmachines -s/sbin/nologin
add user script = /usr/sbin/pw useradd -n%u -cUsers -d/nonexistent -gntdomusers -s/sbin/nologin
add group script = /usr/sbin/pw groupadd -n%g
add user to group script = /usr/sbin/pw groupmod -n%g -m%u
delete user from group script = /BIN/delgrpusr %g %u
delete user script = /usr/sbin/pw userdel -n%u
delete group script = /usr/sbin/pw groupdel -n%g

And last record in the log:

INFO_23 UNI_UNKNOWN_STR:...
Comment 1 Timur Bakeyev 2005-01-19 20:58:02 UTC
Created attachment 900
Add sanity checks to the input parameters in base64_encode_data_blob()
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-02-01 11:20:52 UTC
This crash has already been fixed in the code with ....

if ((from->fields_present & ACCT_CALLBACK) &&
    (from->hdr_munged_dial.buffer)) {
        char *newstr;
        old_string = pdb_get_munged_dial(to);
        mung.length = from->hdr_munged_dial.uni_str_len;
        mung.data = (uint8 *) from->uni_munged_dial.buffer;
        newstr = (mung.length == 0) ?
            NULL : base64_encode_data_blob(mung);
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        DEBUG(10,("INFO_23 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr));
        if (STRING_CHANGED_NC(old_string, newstr))
            pdb_set_munged_dial(to   , newstr, PDB_CHANGED);

        SAFE_FREE(newstr);
    }
}

But the patch looks sane (and prevents the caller from
having to be paranoid).  Checking it in.
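
An added example, not the attached patch and not Samba's code: a base64 encoder over a length/pointer blob that validates its own input, so a zero-length or NULL blob yields NULL instead of a signal 11. The names struct blob and blob_to_base64() are hypothetical, and the sample bytes in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a length/pointer blob; not Samba's DATA_BLOB. */
struct blob { const uint8_t *data; size_t length; };

static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Returns a malloc'd NUL-terminated base64 string, or NULL if the input is
 * unusable (NULL data, zero length, size overflow) or allocation fails. */
char *blob_to_base64(struct blob in)
{
    size_t groups, i, o = 0;
    char *out;

    /* Sanity checks: length and pointer arrive separately, so check both. */
    if (in.data == NULL || in.length == 0)
        return NULL;
    groups = in.length / 3 + (in.length % 3 != 0);
    if (groups > (SIZE_MAX - 1) / 4)      /* groups * 4 + 1 would wrap */
        return NULL;
    out = malloc(groups * 4 + 1);
    if (out == NULL)
        return NULL;

    for (i = 0; i < in.length; i += 3) {
        size_t left = in.length - i;      /* bytes available in this group */
        uint32_t v = (uint32_t)in.data[i] << 16;
        if (left > 1) v |= (uint32_t)in.data[i + 1] << 8;
        if (left > 2) v |= in.data[i + 2];
        out[o++] = b64_alphabet[(v >> 18) & 0x3f];
        out[o++] = b64_alphabet[(v >> 12) & 0x3f];
        out[o++] = left > 1 ? b64_alphabet[(v >> 6) & 0x3f] : '=';
        out[o++] = left > 2 ? b64_alphabet[v & 0x3f] : '=';
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: a two-byte blob and an empty one. */
    struct blob cases[2] = { { (const uint8_t *)"\x6d\x3a", 2 }, { NULL, 0 } };
    for (int i = 0; i < 2; i++) {
        char *s = blob_to_base64(cases[i]);
        printf("case %d: %s\n", i, s ? s : "(null)"); /* never pass NULL to %s */
        free(s);
    }
    return 0;
}
```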
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-02-07 07:34:43 UTC
Originally reported against 3.0.11pre1.  Moving version back to 3.0.10
to remove preX and rcX versions.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:16:43 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.