Bug 4187 - smbclient crash connecting to windows server 2003 with guest account
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: libsmbclient
Version: 3.0.23c
Hardware: Other Linux
Importance: P3 major
Target Milestone: none
Assignee: Derrell Lipman
QA Contact: Samba QA Contact
Reported: 2006-10-24 14:23 UTC by Brian Tarricone
Modified: 2006-11-10 18:24 UTC

fix-win2k3-crash.diff (1007 bytes, patch)
2006-10-24 14:26 UTC, Brian Tarricone

Description Brian Tarricone 2006-10-24 14:23:16 UTC
I'm getting this specific crash on an embedded ARM system (we're using libsmbclient directly), though I can reproduce a similar segfault (not sure if it's the same one as I don't have a debug build to run through gdb) on x86 using the smbclient app.

This occurs when connecting to Windows Server 2003: it is an Active Directory domain controller, and the 'guest' account is enabled.  If the guest account is disabled, the crash goes away.

Backtrace (ARM):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1026]
0x93b3b5f0 in set_sequence_can_delete_flag (list=0x10, mid=7,
    can_delete_entry=1) at libsmb/smb_signing.c:97
97                      if (t->mid == mid) {
(gdb) bt
#0  0x93b3b5f0 in set_sequence_can_delete_flag (list=0x10, mid=7,
    can_delete_entry=1) at libsmb/smb_signing.c:97
#1  0x93b3ceb0 in client_set_trans_sign_state_off (cli=0x92d81010, mid=7)
    at libsmb/smb_signing.c:644
#2  0x93b8ea8c in cli_receive_trans (cli=0x92d81010, trans=37,
    param=0x92f9311c, param_len=0x92f93110, data=0x92f93118,
    data_len=0x92f93114) at libsmb/clitrans.c:324
#3  0x93b84800 in cli_api (cli=0x92d81010, param=0x92f92d0c "h", prcnt=30,
    mprcnt=8, data=0x0, drcnt=0, mdrcnt=65535, rparam=0x92f9311c,
    rprcnt=0x92f93110, rdata=0x92f93118, rdrcnt=0x92f93114)
    at libsmb/clirap.c:64
#4  0x93b854e8 in cli_NetServerEnum (cli=0x92d81010,
    workgroup=0x92f94ab0 "BAR", stype=65534, fn=0x93b63100 <list_fn>,
    state=0x92da2c48) at libsmb/clirap.c:239
#5  0x93b64554 in smbc_opendir_ctx (context=0x91088008,
    fname=0x92fa56a4 "smb://:@BAR") at libsmb/libsmbclient.c:2864
#6  0x93af1ad4 in smbc_opendir (durl=0x92fa56a4 "smb://:@BAR")
    at libsmb/libsmb_compat.c:316
#7  0x93af0378 in smbc_dispatch_msg (msg=0x92f94c60, ack_info=0x92f94c60)
    at main.c:139
#8  0x93af0614 in smbc_message_loop (fd=4) at main.c:254
#9  0x93bf8fd4 in pthread_start_thread ()
#10 0x93bf9020 in pthread_start_thread_event ()

Patch coming in a minute...
Comment 1 Brian Tarricone 2006-10-24 14:26:28 UTC
Created attachment 2189

I'm not sure if this is the correct fix, if returning False or True is the proper response here, or if there's something that needs to be fixed farther up in the call stack.

The bug appears in both client_set_trans_sign_state_off() and client_set_trans_sign_state_on().  Local var 'data' is set to si->signing_context, which is NULL.  Later in both functions, 'data' is dereferenced as an argument to set_sequence_can_delete_flag().
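
The failure mode described in comment 1, as an added example that is not part of the original report or of Samba's code: a caller takes a context pointer that may be NULL and passes the address of one of its members to a list walker. The struct layouts, the `_guarded` function name, `list_arg_for_null_context` and the `false` return value are assumptions; the layout is constructed so the member sits at offset 0x10, the value shown for `list` in the backtrace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Simplified stand-ins for illustration; not Samba's real definitions. */
struct outstanding_packet_lookup {
    struct outstanding_packet_lookup *next;
    uint16_t mid;
    bool can_delete;
};
struct signing_data {            /* hypothetical layout: list field at offset 0x10 */
    uint8_t mac_key[16];
    struct outstanding_packet_lookup *outstanding_packet_list;
};
struct signing_info {
    void *signing_context;       /* NULL when no signing context was set up */
};

/* Marks the entry for 'mid'; dereferences whatever 'list' points at. */
bool set_sequence_can_delete_flag(struct outstanding_packet_lookup **list,
                                  uint16_t mid, bool can_delete_entry)
{
    for (struct outstanding_packet_lookup *t = *list; t; t = t->next) {
        if (t->mid == mid) {
            t->can_delete = can_delete_entry;
            return true;
        }
    }
    return false;
}

/* Guarded caller (hypothetical name): bail out before forming &data->... */
bool trans_sign_state_off_guarded(struct signing_info *si, uint16_t mid)
{
    struct signing_data *data = si ? si->signing_context : NULL;
    if (data == NULL)
        return false;            /* assumed return value; comment 1 leaves it open */
    return set_sequence_can_delete_flag(&data->outstanding_packet_list, mid, true);
}

/* Value an unguarded caller would in practice pass as 'list' when data is NULL. */
size_t list_arg_for_null_context(void)
{
    return offsetof(struct signing_data, outstanding_packet_list);
}
int main(void)
{
    struct signing_info no_ctx = { NULL };  /* constructed sample: no signing context */
    return trans_sign_state_off_guarded(&no_ctx, 7) ? 1 : 0;
}
```

A NULL base pointer does not produce a NULL argument here, so a `list != NULL` test inside the walker would not catch it; the check has to sit in the caller, before the member address is taken.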
Comment 2 Jeremy Allison 2006-11-10 18:24:07 UTC
Should be fixed for 3.0.23d thanks.