Bug 3401 - smbd produce PANIC: internal error
Summary: smbd produce PANIC: internal error
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool (show other bugs)
Version: 3.0.21a
Hardware: x86 Windows XP
Importance: P3 critical
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 3383
Depends on:
Blocks: 3383
Reported: 2006-01-12 21:46 UTC by Yau Lam Yiu
Modified: 2006-01-19 22:49 UTC

Description Yau Lam Yiu 2006-01-12 21:46:32 UTC
Server: Linux kernel 2.6.15
Client: Windows XP with SP2 and latest update

The "net view" command returns "System error 64 has occurred." at the client side. It generates a "PANIC: internal error" at the server side.
After tracing the source code, it seems to be the function "libsmb/ntlmssp.c:ntlmssp_weaken_keys(NTLMSSP_STATE)" causing the problem. If the "ntlmssp_state->session_key" is (NULL,0) and "ntlmssp_state->neg_flags" is set with NTLMSSP_NEGOTIATE_LM_KEY, session_key.length will be set to "8" without checking whether "session_key.data" is NULL. A session key with (NULL,8) will cause an invalid pointer access in the later code. Our modification is as follows. It may not be appropriate in general and may work for our environment only. Thank you very much.


void ntlmssp_weaken_keys(NTLMSSP_STATE *ntlmssp_state)
{
        /* Key weakening is not performed on the master key for NTLM2
           and does not occur for NTLM1.  Therefore we only need
           to do this for the LM_KEY.
        */

        if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
                if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
                        ;
                } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
                        ntlmssp_state->session_key.data[7] = 0xa0;
                        ntlmssp_state->session_key.length = 8;  /* new */
                } else { /* forty bits */
                        ntlmssp_state->session_key.data[5] = 0xe5;
                        ntlmssp_state->session_key.data[6] = 0x38;
                        ntlmssp_state->session_key.data[7] = 0xb0;
                        ntlmssp_state->session_key.length = 8; /* new */
                }
                
                /* ntlmssp_state->session_key.length = 8; */ /* original */

        }
}
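The failure mode in the report is a length/pointer mismatch: the session key blob is (NULL,0), yet the LM_KEY branch records a length of 8, so later code trusts the length and dereferences NULL. The following is an added example (not Samba's code and not the reporter's patch) showing the defensive shape of such a routine: it validates that the key actually holds 8 writable bytes before weakening it or advertising a length of 8, and returns an error the caller can turn into an authentication failure. The `key_blob`, `ntlmssp_ctx` types and the `NEG_*` bit values are stand-ins constructed for this example, not Samba's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for Samba's DATA_BLOB, NTLMSSP_STATE and the
 * NTLMSSP_NEGOTIATE_* bits.  Names and bit values are this example's own. */
typedef struct {
    uint8_t *data;
    size_t length;
} key_blob;

typedef struct {
    uint32_t neg_flags;
    key_blob session_key;
} ntlmssp_ctx;

#define NEG_LM_KEY 0x00000080u
#define NEG_128    0x20000000u
#define NEG_56     0x80000000u

/* Weakening as in the report, plus the guard the crash lacked: the key is
 * only weakened (and its length only set to 8) when it really holds at least
 * 8 writable bytes.  Returns 0 on success, -1 when the key is unusable, so the
 * caller can fail the authentication instead of dereferencing NULL. */
int weaken_lm_key_checked(ntlmssp_ctx *st)
{
    if (!(st->neg_flags & NEG_LM_KEY)) {
        return 0;                       /* NTLM1/NTLM2: no weakening needed */
    }
    if (st->session_key.data == NULL || st->session_key.length < 8) {
        return -1;                      /* (NULL,0) or short key: refuse */
    }
    if (st->neg_flags & NEG_128) {
        /* 128-bit negotiated: key bytes left untouched */
    } else if (st->neg_flags & NEG_56) {
        st->session_key.data[7] = 0xa0;
    } else {                            /* forty bits */
        st->session_key.data[5] = 0xe5;
        st->session_key.data[6] = 0x38;
        st->session_key.data[7] = 0xb0;
    }
    st->session_key.length = 8;
    return 0;
}

/* Scenario from the report: empty session key with LM_KEY negotiated.
 * Returns the status code; the length must remain 0, never become 8. */
int scenario_empty_key(size_t *length_after)
{
    ntlmssp_ctx st = { NEG_LM_KEY, { NULL, 0 } };
    int rc = weaken_lm_key_checked(&st);
    *length_after = st.session_key.length;
    return rc;
}

/* Normal 40-bit case on a constructed 16-byte key: returns byte 7 after
 * weakening (expected 0xb0) and reports the truncated length (expected 8). */
int scenario_forty_bit(size_t *length_after)
{
    uint8_t key[16];
    memset(key, 0x11, sizeof key);      /* constructed key material */
    ntlmssp_ctx st = { NEG_LM_KEY, { key, sizeof key } };
    if (weaken_lm_key_checked(&st) != 0) {
        return -1;
    }
    *length_after = st.session_key.length;
    return st.session_key.data[7];
}
```

The point of returning a status rather than silently skipping is that an empty session key with LM_KEY negotiated is a protocol inconsistency; the caller should reject the exchange, and the blob's length must never claim bytes that its data pointer cannot back.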
Comment 1 Scott 2006-01-13 13:16:07 UTC
I can verify that this fix worked for FreeBSD-6.0-STABLE with samba 3.0.21a,1
Thanks
Comment 2 Jeremy Allison 2006-01-13 16:23:33 UTC
Applied (a version created by Andrew Bartlett).
Thanks !
Jeremy.
Comment 3 Scott 2006-01-13 18:09:11 UTC
I realize this bug is closed; however, although the solution did work for FreeBSD-6.0-STABLE, it didn't seem to solve the problem with Arch-0.7.1.  Due to circumstances, I wasn't able to thoroughly investigate, so I'm reluctant to reopen the bug.
Comment 4 Andrew Bartlett 2006-01-13 20:52:09 UTC
If the fix in current SVN doesn't fix things, then I suspect you are seeing a different bug.  Many things lead to segfaults...
Comment 5 Gerald (Jerry) Carter (dead mail address) 2006-01-16 11:09:38 UTC
*** Bug 3383 has been marked as a duplicate of this bug. ***
Comment 6 Scott 2006-01-19 22:49:55 UTC
I stated that the problem didn't seem to be solved with ArchLinux.  However I now realize that by the time I tried applying the patch, I had already played around so much with it (trying another suggested fix, et al) that I must have broken something else.  :)

On a fresh install, I was able to duplicate the problem, and then solve it by commenting out the suggested line (session_key.length = 8 ).  So this fix also applies to Arch Linux (and has been incorporated in their latest package for samba-3.0.21a).

Thank you for your efforts.  Apparently it was the same bug.  Regardless, it was fixed with the given solution.