Bug 2263 - smbd coredumps when adding "User manager for domains"
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.10
Hardware: All FreeBSD
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-01-19 20:57 UTC by Timur Bakeyev
Modified: 2005-08-24 10:16 UTC (History)

Attachments
Add sanity checks to the input parameters in base64_encode_data_blob() (659 bytes, patch)
2005-01-19 20:58 UTC, Timur Bakeyev

Description Timur Bakeyev 2005-01-19 20:57:34 UTC
I've got a report from the user (Konstantin Reznichenko <kot@premierbank.dp.ua>)
together with the patch:

His smbd was coredumping with signal 11 when adding a user from "User manager
for domains":

         if ((from->fields_present & ACCT_CALLBACK) &&
             (from->hdr_munged_dial.buffer)) {
                 char *newstr;
                 old_string = pdb_get_munged_dial(to);
                 mung.length = from->hdr_munged_dial.uni_str_len;
                 mung.data = (uint8 *) from->uni_munged_dial.buffer;
                 newstr = base64_encode_data_blob(mung);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ dies here
                 DEBUG(10,("INFO_23 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr));
                 if (STRING_CHANGED_NC(old_string, newstr))
                         pdb_set_munged_dial(to   , newstr, PDB_CHANGED);

                 SAFE_FREE(newstr);
         }

It's a bit difficult to trace the problem now, as he was using 3.0.4 at the
time of writing, but his patch fixes at least the problem with insufficient
parameter verification in base64_encode_data_blob().

Patch is attached to the bug report. Just for the record, his smb.conf contains:

add machine script = /usr/sbin/pw useradd -n%u -cMachines -d/nonexistent -gntmachines -s/sbin/nologin
add user script = /usr/sbin/pw useradd -n%u -cUsers -d/nonexistent -gntdomusers -s/sbin/nologin
add group script = /usr/sbin/pw groupadd -n%g
add user to group script = /usr/sbin/pw groupmod -n%g -m%u
delete user from group script = /BIN/delgrpusr %g %u
delete user script = /usr/sbin/pw userdel -n%u
delete group script = /usr/sbin/pw groupdel -n%g

And last record in the log:

INFO_23 UNI_UNKNOWN_STR:...
Comment 1 Timur Bakeyev 2005-01-19 20:58:02 UTC
Created attachment 900
Add sanity checks to the input parameters in base64_encode_data_blob()
Comment 2 Gerald (Jerry) Carter 2005-02-01 11:20:52 UTC
This crash has already been fixed in the code with ....

if ((from->fields_present & ACCT_CALLBACK) &&
    (from->hdr_munged_dial.buffer)) {
        char *newstr;
        old_string = pdb_get_munged_dial(to);
        mung.length = from->hdr_munged_dial.uni_str_len;
        mung.data = (uint8 *) from->uni_munged_dial.buffer;
        newstr = (mung.length == 0) ?
            NULL : base64_encode_data_blob(mung);
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        DEBUG(10,("INFO_23 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr));
        if (STRING_CHANGED_NC(old_string, newstr))
            pdb_set_munged_dial(to   , newstr, PDB_CHANGED);

        SAFE_FREE(newstr);
    }
}

But the patch looks sane (and prevents the caller from
having to be paranoid). Checking it in.
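
An added example of the kind of input check discussed in this report (not Samba's code and not the attached patch; `struct blob`, `blob_to_base64` and `str_changed` are hypothetical names): the encoder rejects a NULL or empty blob itself, and the caller-side comparison tolerates the resulting NULL.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-plus-pointer blob; not Samba's type. */
struct blob { uint8_t *data; size_t length; };

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Returns a malloc'd, NUL-terminated base64 string, or NULL when the blob
 * is empty, has a NULL data pointer, or the output size would overflow. */
char *blob_to_base64(struct blob in)
{
    size_t i, o = 0;
    char *out;

    if (in.data == NULL || in.length == 0)
        return NULL;                      /* reject instead of dereferencing */
    if (in.length > (SIZE_MAX - 1) / 4 * 3 - 2)
        return NULL;                      /* 4*ceil(n/3)+1 must fit in size_t */

    out = malloc(4 * ((in.length + 2) / 3) + 1);
    if (out == NULL)
        return NULL;

    for (i = 0; i < in.length; i += 3) {
        size_t left = in.length - i;      /* bytes remaining in this group */
        uint32_t v = (uint32_t)in.data[i] << 16;
        if (left > 1) v |= (uint32_t)in.data[i + 1] << 8;
        if (left > 2) v |= in.data[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = left > 1 ? B64[(v >> 6) & 63] : '=';
        out[o++] = left > 2 ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return out;
}

/* NULL-safe "did the value change" test for the caller side. */
int str_changed(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a != b;                    /* changed unless both are NULL */
    return strcmp(a, b) != 0;
}
```

A NULL return must also be kept away from a `%s` format argument, since passing a null pointer there is undefined behaviour in C.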
Comment 3 Gerald (Jerry) Carter 2005-02-07 07:34:43 UTC
Originally reported against 3.0.11pre1. Moving version back to 3.0.10
to remove preX and rcX versions.
Comment 4 Gerald (Jerry) Carter 2005-08-24 10:16:43 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.