Bug 5087 - Crash of smbd after upgrade to 3.0.27
Summary: Crash of smbd after upgrade to 3.0.27
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.27
Hardware: x86 Linux
: P3 critical
Target Milestone: none
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
: 5088 (view as bug list)
Depends on:
Reported: 2007-11-16 06:27 UTC by Juergen Daubert
Modified: 2007-11-21 07:39 UTC (History)
3 users (show)

See Also:

smbd log file, debug level 10 (85.04 KB, text/plain)
2007-11-16 07:47 UTC, Juergen Daubert
no flags Details
smb.conf (1.10 KB, text/plain)
2007-11-16 07:47 UTC, Juergen Daubert
no flags Details
Patch for 3.0.27a (9.58 KB, patch)
2007-11-16 15:18 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Juergen Daubert 2007-11-16 06:27:04 UTC
After the upgrade to 3.0.27 or applying the patch for CVE-2007-4572 to 3.0.26a I'm no longer able to mount shares.

PANIC (pid 10736): push_ascii - dest_len == -1
BACKTRACE: 14 stack frames:
 #0 smbd(log_stack_trace+0x2d) [0x80214bcd]
 #1 smbd(smb_panic+0x5d) [0x80214cfd]
 #2 smbd [0x801fda1c]
 #3 smbd(push_string_fn+0x44) [0x801fda64]
 #4 smbd(srvstr_push_fn+0xa5) [0x800aa8c5]
 #5 smbd [0x80095d10]
 #6 smbd [0x80097566]
 #7 smbd(handle_trans2+0x180) [0x80097d10]
 #8 smbd(reply_trans2+0x69c) [0x8009ddac]
 #9 smbd [0x800b9e8e]
 #10 smbd(smbd_process+0x84b) [0x800bb26b]
 #11 smbd(main+0xa18) [0x802c5d78]
 #12 /lib/libc.so.6(__libc_start_main+0xe0) [0xb7b9cf90]
 #13 smbd [0x80044aa1]
push_sec_ctx(500, 100) : sec_ctx_stack_ndx = 1
push_conn_ctx(100) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
dumping core in /var/log/samba/cores/smbd
Comment 1 Gerald (Jerry) Carter (dead mail address) 2007-11-16 06:53:08 UTC
Please provide more information about your environment, 
configuration, details of how to reproduce the crash, and
an attachment (not inline) of level 10 debug logs from 
smbd.  Thanks.

Jeremy,  If you cannot take a look at this, please pass off 
to Volker or possibly Simo.
Comment 2 Volker Lendecke 2007-11-16 07:05:37 UTC
Looking at it right now, lets see if I can reproduce it without more info.

Comment 3 Volker Lendecke 2007-11-16 07:12:22 UTC
Hmmm. Just compiled 14ecfecb (v3-0-test), with security=user I can connect from Windows XP just fine.

So I need more info like smb.conf, environment and a full debug level 10 log of the failure.

Comment 4 Juergen Daubert 2007-11-16 07:47:04 UTC
Created attachment 2974 [details]
smbd log file, debug level 10
Comment 5 Juergen Daubert 2007-11-16 07:47:24 UTC
Created attachment 2975 [details]
Comment 6 Juergen Daubert 2007-11-16 07:48:15 UTC
Debug log and smb.conf attached. I'm trying to mount from a Linux client not from Windows.

Samba built form sources, gcc 4.2.2, glibc 2.7.1. 
Comment 7 Michael Adam 2007-11-16 07:53:18 UTC
I thought this was a bug with 3.0.27, not 3.0.26a?

Comment 8 Juergen Daubert 2007-11-16 07:58:39 UTC
Yep, it is. 3.0.27 and 3.0.26a with the securtity patches are affected. Plain 3.0.26a works fine.
Comment 9 Michael Adam 2007-11-16 08:31:02 UTC
Ok, i found the culprit(s) in the code.
I am going to prepare a patch...
Comment 10 Michael Adam 2007-11-16 09:20:46 UTC
Analysis of the problem:

The panic was introduced by the patch for CVE-2007-4572:

push_ascii() now panics when called with "-1" as dest_len parameter.
(In order to avoid buffer overflows - This -1 used to mean unlimited 
dest len before.)

Now there are (at least) roughly 100 indirect callers of push_ascii 
left that explicitly pass -1 for dest_len:
roughly 40 through srvstr_push and roughly 60 through clistr_push.

This is too much for a really quick fix.
I would like to hear Jeremy's opinion on this.

Comment 11 Juergen Daubert 2007-11-16 11:07:18 UTC
Seems we have some more problems related to the changes to charcnv.c.
See https://bugs.launchpad.net/ubuntu/+source/samba/+bug/163042
Comment 12 Jamie Strandboge 2007-11-16 12:24:08 UTC
The Ubuntu bug was for patched 3.0.22.  The Ubuntu patch did not include a change to a call to push_string() in nmbd/nmbd_sendannounce.c that was introduced in 3.0.23, which caused a smb_panic in some configurations.
Comment 13 Jeremy Allison 2007-11-16 12:35:50 UTC
Michael, clistr_push_fn explicitly handles the -1 case if it's pushing into a cli->outbuf space. Check libsmb/clistr.c for details. srvstr_push_fn does the same - it ensures it's pushing into valid space for the -1 case.

I'm guessing this is smbfs not setting the max_send correctly in the sessionsetup call.

Comment 14 Jeremy Allison 2007-11-16 15:18:11 UTC
Created attachment 2976 [details]
Patch for 3.0.27a

Fix for 3.0.27a
Comment 15 Jeremy Allison 2007-11-16 16:26:26 UTC
*** Bug 5088 has been marked as a duplicate of this bug. ***
Comment 16 Gerald (Jerry) Carter (dead mail address) 2007-11-21 07:39:48 UTC
Fixed in 3.0.27a.