Bug 4339 - smbd segfaults after "no protocol" failure
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.23d
Hardware: x64 Linux
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-01-14 12:48 UTC by Michael Letzgus-Koppmann
Modified: 2007-01-14 13:54 UTC

Description Michael Letzgus-Koppmann 2007-01-14 12:48:20 UTC
I'm using SWB (security friday) to test my Samba-Server.

I did the following:

* Configure smbd with "min protocol = lanman2"

* Set up a connection with SWB, set the "smb negotiate protocol" details in SWB to "lanman1" or "core" and click the negotiate button. This will fail, of course.
Server logfile says:

Jan 14 19:16:17 pc1 smbd[21089]: [2007/01/14 19:16:17, 0] smbd/negprot.c:reply_negprot(582)
Jan 14 19:16:17 pc1 smbd[21089]:   No protocol supported !

No problem so far, but...

* Now, click "negotiate" again and smbd will crash:

Jan 14 19:16:23 pc1 smbd[21089]: [2007/01/14 19:16:23, 0] smbd/server.c:exit_server_common(657)
Jan 14 19:16:23 pc1 smbd[21089]:   ===============================================================
Jan 14 19:16:23 pc1 smbd[21089]: [2007/01/14 19:16:23, 0] smbd/server.c:exit_server_common(659)
Jan 14 19:16:23 pc1 smbd[21089]:   Abnormal server exit: multiple negprot's are not permitted
Jan 14 19:16:23 pc1 smbd[21089]: [2007/01/14 19:16:23, 0] smbd/server.c:exit_server_common(660)
Jan 14 19:16:23 pc1 smbd[21089]:   ===============================================================
Jan 14 19:16:23 pc1 smbd[21089]: [2007/01/14 19:16:23, 0] lib/util.c:log_stack_trace(1706)
Jan 14 19:16:23 pc1 smbd[21089]:   BACKTRACE: 9 stack frames:
Jan 14 19:16:23 pc1 smbd[21089]:    #0 /usr/sbin/smbd(log_stack_trace+0x2d) [0x80215e7d]
Jan 14 19:16:23 pc1 smbd[21089]:    #1 /usr/sbin/smbd [0x802bbf65]
Jan 14 19:16:23 pc1 smbd[21089]:    #2 /usr/sbin/smbd [0x802bc143]
Jan 14 19:16:23 pc1 smbd[21089]:    #3 /usr/sbin/smbd(reply_negprot+0x5b5) [0x80069e55]
Jan 14 19:16:23 pc1 smbd[21089]:    #4 /usr/sbin/smbd [0x800b3b70]
Jan 14 19:16:23 pc1 smbd[21089]:    #5 /usr/sbin/smbd(smbd_process+0x78b) [0x800b4c6b]
Jan 14 19:16:23 pc1 smbd[21089]:    #6 /usr/sbin/smbd(main+0xbd0) [0x802bdd50]
Jan 14 19:16:23 pc1 smbd[21089]:    #7 /lib/libc.so.6(__libc_start_main+0xdc) [0xb7ac0f9c]
Jan 14 19:16:23 pc1 smbd[21089]:    #8 /usr/sbin/smbd [0x80042c31]
Jan 14 19:16:23 pc1 smbd[21089]: [2007/01/14 19:16:23, 0] smbd/server.c:exit_server_common(664)
Jan 14 19:16:23 pc1 smbd[21089]:   Last message was SMBnegprot
Jan 14 19:16:23 pc1 smbd[21089]: [2007/01/14 19:16:23, 0] lib/fault.c:dump_core(173)
Jan 14 19:16:23 pc1 smbd[21089]:   dumping core in /var/log/samba/cores/smbd
Jan 14 19:16:23 pc1 smbd[21089]:
Jan 14 19:25:03 pc1 smbd[25507]: [2007/01/14 19:25:03, 0] smbd/negprot.c:reply_negprot(582)
Jan 14 19:25:03 pc1 smbd[25507]:   No protocol supported !
Jan 14 19:25:10 pc1 smbd[25507]: [2007/01/14 19:25:10, 0] smbd/server.c:exit_server_common(657)
Jan 14 19:25:10 pc1 smbd[25507]:   ===============================================================
Jan 14 19:25:10 pc1 smbd[25507]: [2007/01/14 19:25:10, 0] smbd/server.c:exit_server_common(659)
Jan 14 19:25:10 pc1 smbd[25507]:   Abnormal server exit: multiple negprot's are not permitted
Jan 14 19:25:10 pc1 smbd[25507]: [2007/01/14 19:25:10, 0] smbd/server.c:exit_server_common(660)
Jan 14 19:25:10 pc1 smbd[25507]:   ===============================================================
Jan 14 19:25:10 pc1 smbd[25507]: [2007/01/14 19:25:10, 0] lib/util.c:log_stack_trace(1706)
Jan 14 19:25:10 pc1 smbd[25507]:   BACKTRACE: 9 stack frames:
Jan 14 19:25:10 pc1 smbd[25507]:    #0 /usr/sbin/smbd(log_stack_trace+0x2d) [0x80215e7d]
Jan 14 19:25:10 pc1 smbd[25507]:    #1 /usr/sbin/smbd [0x802bbf65]
Jan 14 19:25:10 pc1 smbd[25507]:    #2 /usr/sbin/smbd [0x802bc143]
Jan 14 19:25:10 pc1 smbd[25507]:    #3 /usr/sbin/smbd(reply_negprot+0x5b5) [0x80069e55]
Jan 14 19:25:10 pc1 smbd[25507]:    #4 /usr/sbin/smbd [0x800b3b70]
Jan 14 19:25:10 pc1 smbd[25507]:    #5 /usr/sbin/smbd(smbd_process+0x78b) [0x800b4c6b]
Jan 14 19:25:10 pc1 smbd[25507]:    #6 /usr/sbin/smbd(main+0xbd0) [0x802bdd50]
Jan 14 19:25:10 pc1 smbd[25507]:    #7 /lib/libc.so.6(__libc_start_main+0xdc) [0xb7ac0f9c]
Jan 14 19:25:10 pc1 smbd[25507]:    #8 /usr/sbin/smbd [0x80042c31]
Jan 14 19:25:10 pc1 smbd[25507]: [2007/01/14 19:25:10, 0] smbd/server.c:exit_server_common(664)
Jan 14 19:25:10 pc1 smbd[25507]:   Last message was SMBnegprot
Jan 14 19:25:10 pc1 smbd[25507]: [2007/01/14 19:25:10, 0] lib/fault.c:dump_core(173)
Jan 14 19:25:10 pc1 smbd[25507]:   dumping core in /var/log/samba/cores/smbd


I know, I've violated the protocol by repeating the negotiation, but nevertheless smbd should NOT crash!
Comment 1 Jeremy Allison 2007-01-14 13:52:19 UTC
smbd is protecting itself against multiple negprots, and we're warning about broken clients. Probably in the production code we should log the error at level 0 and just shut down the TCP connection.
Jeremy.
Comment 2 Jeremy Allison 2007-01-14 13:54:49 UTC
Ah, I see the problem. We're calling exit_server() in this case (generates coredump) and we should be calling exit_server_cleanly(). This has been fixed for the 3.0.24 code.
I'm closing this as fixed in next release.
Jeremy.
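
A log check for the pattern in this report, added here as an example and not part of the bug thread or Samba's code: it groups syslog lines by smbd PID and reports children that aborted on a repeated negprot, along with the core-dump directory. The sample lines are abridged from the report above; the PID 30001 entry and the function name `find_negprot_aborts` are constructed for illustration.

```python
import re
from collections import defaultdict

# Abridged from the syslog output in the report; the pid 30001 lines are constructed
# to show a client that failed negotiation once and did not retry.
SAMPLE_LOG = """\
Jan 14 19:16:17 pc1 smbd[21089]: [2007/01/14 19:16:17, 0] smbd/negprot.c:reply_negprot(582)
Jan 14 19:16:17 pc1 smbd[21089]:   No protocol supported !
Jan 14 19:16:23 pc1 smbd[21089]: [2007/01/14 19:16:23, 0] smbd/server.c:exit_server_common(659)
Jan 14 19:16:23 pc1 smbd[21089]:   Abnormal server exit: multiple negprot's are not permitted
Jan 14 19:16:23 pc1 smbd[21089]: [2007/01/14 19:16:23, 0] lib/fault.c:dump_core(173)
Jan 14 19:16:23 pc1 smbd[21089]:   dumping core in /var/log/samba/cores/smbd
Jan 14 19:20:00 pc1 smbd[30001]: [2007/01/14 19:20:00, 0] smbd/negprot.c:reply_negprot(582)
Jan 14 19:20:00 pc1 smbd[30001]:   No protocol supported !
"""

# syslog prefix "... smbd[PID]: " followed by the Samba log payload
LINE = re.compile(r"smbd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
# Samba header line: "[YYYY/MM/DD hh:mm:ss, level] file:function(line)"
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]")
CORE_PREFIX = "dumping core in "


def find_negprot_aborts(log_text):
    """Return {pid: details} for smbd children that aborted on a repeated negprot."""
    state = defaultdict(
        lambda: {"failed_negprot": False, "repeat_abort": False, "core_dir": None}
    )
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if HEADER.match(msg):
            continue  # header lines carry only timestamp and source location
        s = state[int(m.group("pid"))]
        if "No protocol supported" in msg:
            s["failed_negprot"] = True
        elif "multiple negprot's are not permitted" in msg:
            s["repeat_abort"] = True
        elif msg.startswith(CORE_PREFIX):
            s["core_dir"] = msg[len(CORE_PREFIX):].strip()
    # Only children that hit the repeated-negprot exit are reported
    return {pid: s for pid, s in state.items() if s["repeat_abort"]}


if __name__ == "__main__":
    for pid, info in find_negprot_aborts(SAMPLE_LOG).items():
        print(pid, info)
```

A non-empty `core_dir` in the result marks a child that exited through the core-dumping path described in comment 2.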