Bug 3390 - net rpc vampire segfaults
Summary: net rpc vampire segfaults
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: net utility (show other bugs)
Version: 3.0.21a
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
: 3399 (view as bug list)
Depends on:
Reported: 2006-01-10 00:42 UTC by Taso Hatzi
Modified: 2006-01-12 15:26 UTC (History)
2 users (show)

See Also:

copy session key *after* the ZERO_STRUCT (2.13 KB, patch)
2006-01-11 11:34 UTC, Guenther Deschner
no flags Details
simpler version of the patch (2.69 KB, patch)
2006-01-11 12:02 UTC, Guenther Deschner
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Taso Hatzi 2006-01-10 00:42:31 UTC
Run: net rpc vampire -S ZEPHYR -U Administrator%none

Script started on Tue 10 Jan 2006 18:26:53 EST
(gdb) file net
(gdb) set args rpc vampire -S ZEPHYR -U Administrator%none
(gdb) r
Starting program: /usr/bin/net rpc vampire -S ZEPHYR -U Administrator%none
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xb7d24000
Fetching DOMAIN database

Program received signal SIGSEGV, Segmentation fault.
0xb7e66b57 in smb_arc4_init (arc4_state_out=0xbf807080 "", key=0x0, keylen=16) at lib/arc4.c:42
42                      j += (arc4_state_out[ind] + key[ind%keylen]);
(gdb) bt
#0  0xb7e66b57 in smb_arc4_init (arc4_state_out=0xbf807080 "", key=0x0, keylen=16) at lib/arc4.c:42
#1  0xb7db742e in SamOEMhash (data=0x0, key=0x0, len=0) at libsmb/smbdes.c:368
#2  0xb7db14f2 in prs_hash1 (ps=0x0, offset=6548, len=0) at rpc_parse/parse_prs.c:1408
#3  0xb7dd2ed0 in net_io_sam_delta_ctr (desc=Variable "desc" is not available.
) at rpc_parse/parse_net.c:2331
#4  0xb7dd3fa4 in net_io_r_sam_sync (desc=0x0, r_s=0xbf807500, ps=0xbf807580, depth=1) at rpc_parse/parse_net.c:3011
#5  0xb7e82272 in rpccli_netlogon_sam_sync (cli=0xb9f81778, mem_ctx=0xb9f80880, database_id=0, next_rid=0, num_deltas=0x0, hdr_deltas=0x0, deltas=0x0) at rpc_client/cli_netlogon.c:615
#6  0xb7d6ca49 in fetch_database (pipe_hnd=0xb9f81778, db_type=0, dom_sid=
        {sid_rev_num = 1 '\001', num_auths = 4 '\004', id_auth = "\000\000\000\000\000\005", sub_auths = {21, 2097366427, 912265223, 572944225, 0 <repeats 11 times>}})
    at utils/net_rpc_samsync.c:1129
#7  0xb7d71f0f in rpc_vampire_internals (domain_sid=0xb9f80b10, domain_name=0xb9f80ac0 "SONDE", cli=0xb9f5fc48, pipe_hnd=0xb9f81778, mem_ctx=0xb9f80800, argc=0, argv=0xb9f1c1ac)
    at utils/net_rpc_samsync.c:2153
#8  0xb7d5f0c7 in run_rpc_command (cli_arg=0x0, pipe_idx=3, conn_flags=Variable "conn_flags" is not available.
) at utils/net_rpc.c:166
#9  0xb7d6ad3c in rpc_vampire (argc=0, argv=0x0) at utils/net_rpc.c:5741
#10 0xb7d57b07 in net_run_function (argc=1, argv=0xb9f1c1a8, table=0xbf809720, usage_fn=0xb7d6b44e <net_rpc_usage>) at utils/net.c:129
#11 0xb7d6b69d in net_rpc (argc=0, argv=0x0) at utils/net_rpc.c:6198
#12 0xb7d57b07 in net_run_function (argc=2, argv=0xb9f1c1a4, table=0xb7f102e0, usage_fn=0xb7d5d10e <net_help>) at utils/net.c:129
#13 0xb7d58e57 in main (argc=7, argv=0xbf809c14) at utils/net.c:874
(gdb) quit
The program is running.  Exit anyway? (y or n) y
Script done on Tue 10 Jan 2006 18:29:34 EST
Comment 1 Taso Hatzi 2006-01-11 00:45:38 UTC
Let me add what I would have said if I wasn't so tired when I reported this one.

1. The platform is a fully yum updated Fedora 3
2. glibc-2.3.6-0.fc3.1
3. kernel-2.6.12-1.1381_FC3
4. I build the RPMS with the makerpms.sh script in the Samba tar ball. No tweaking of anything.
5. Problem is observed with Samba 3.0.21 and 3.0.21a
6. No problem with the Fedora supplied 3.0.14a
7. The PDC is Windows NT 4

Comment 2 Guenther Deschner 2006-01-11 11:34:14 UTC
Created attachment 1664 [details]
copy session key *after* the ZERO_STRUCT
Comment 3 Guenther Deschner 2006-01-11 11:38:15 UTC
The patch fixes net rpc samdump (haven't tested vampire yet). Does it solve your problem?
Comment 4 Guenther Deschner 2006-01-11 12:02:34 UTC
Created attachment 1665 [details]
simpler version of the patch
Comment 5 Guenther Deschner 2006-01-11 12:17:16 UTC
Fixed in subversion. Thanks for the good backtrace!
Comment 6 Jeremy Allison 2006-01-11 12:21:27 UTC
*Very* good work Gunther - I can't have tested this after the RPC rewrite. Hate the patch though..... I'll think about how else to fix it :-).
Comment 7 Jeremy Allison 2006-01-11 12:49:20 UTC
Ok, I was wrong Gunther. It is the best possible solution (damn you :-).
Thanks :-).
Comment 8 Rick Johnson 2006-01-11 13:27:46 UTC
Applied this patch within the Enterprise Samba 3.0.21a-26 RPM, and rebuilt under CentOS 4.x. The  'net rpc vampire' no longer segfaults now when replicating from a Windows NT 4.0 PDC. Thanks guys for the quick patch.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2006-01-12 15:22:03 UTC
*** Bug 3399 has been marked as a duplicate of this bug. ***
Comment 10 Lars Müller 2006-01-12 15:26:26 UTC
We have rebuild the packages for SuSE Linux products includung the UnitedLinux 1, SuSE Linux Enterprise Server (SLES) 8 and 9.  See ftp.SuSE.com/pub/projects/samba/3.0/ and download.Samba.org/samba/ftp/Binary_Packages/SuSE/3.0/

And we've got already posivtive feeedback.