Bug 6138 - Panic (segfault) in dcesrv_netr_DsRGetDCNameEx2()
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: Other Linux
Importance: P3 major
Assignee: Andrew Bartlett
QA Contact: Andrew Bartlett
Reported: 2009-02-24 23:57 UTC by Andrew Kroeger
Modified: 2009-06-07 21:43 UTC
Description Andrew Kroeger 2009-02-24 23:57:27 UTC
Line 1223 of rpc_server/netlogon/dcerpc_netlogon.c has a reproducible case where NULL (via r->in.domain_name) is passed to strcasecmp() and causes a segfault.

Steps to reproduce (done w/ WinXP SP2 client):
1) Open ADUC
2) Right-click on domain (e.g. "smb4.internal.id10ts.net") in left pane
3) Choose "Find..."
4) samba segfaults
Comment 1 Matthias Dieter Wallnöfer 2009-03-04 03:14:51 UTC
That should indeed be fixed.
We now have another condition in front of the "strcasecmp".

if (r->in.domain_name != NULL || strcasecmp(r->in.domain_name ...) == 0) ...
Comment 2 Andrew Kroeger 2009-03-04 04:37:49 UTC
The "fix" you reference was initially made to the v4-0-test branch, as a quick fix before alpha7.  I don't think it was even meant to get into the master branch.  Per the commit message (from 76a0050e):

"This fix just for the release.  A better fix will make it into the master branch soon."

Reopening until an appropriate fix can be implemented and tested, or until the fix from v4-0-test is declared as all that is necessary.
Comment 3 Andrew Bartlett 2009-03-04 04:48:08 UTC
Correct.  This call needs much more work, despite the fix for some reason being merged into master.
Comment 4 Andrew Bartlett 2009-06-07 21:43:13 UTC
The recent work to remove 'we could possibly have more than one domain' also fixed this issue properly.
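
The short-circuit behaviour behind this crash, as an added example (not Samba's code and not the fix that was committed): a condition of the "!= NULL ||" shape quoted in Comment 1 still passes NULL to the comparison, while "&&" stops at the NULL test. The names traced_strcasecmp, match_or_form, match_and_form and null_compares are hypothetical, and treating a NULL name as "no match" is an assumption of the example.

```c
#include <stdio.h>
#include <strings.h>

#define OUR_DOMAIN "smb4.internal.id10ts.net" /* sample name from the report */

static int null_calls; /* times NULL would have reached strcasecmp() */

/* Stand-in for strcasecmp() that records a NULL argument instead of faulting. */
static int traced_strcasecmp(const char *a, const char *b)
{
    if (a == NULL || b == NULL) {
        null_calls++;
        return -1;
    }
    return strcasecmp(a, b);
}

/* Shape quoted in Comment 1: when the name is NULL the left side is false,
 * so "||" goes on to evaluate the comparison with the NULL pointer. */
static int match_or_form(const char *name)
{
    return name != NULL || traced_strcasecmp(name, OUR_DOMAIN) == 0;
}

/* "&&" stops at the NULL test, so the comparison only sees real strings.
 * Treating NULL as "no match" is an assumption of this example. */
static int match_and_form(const char *name)
{
    return name != NULL && traced_strcasecmp(name, OUR_DOMAIN) == 0;
}

/* Evaluate one form and report how many NULL comparisons it attempted. */
static int null_compares(int (*form)(const char *), const char *name)
{
    null_calls = 0;
    (void)form(name);
    return null_calls;
}

int main(void)
{
    printf("|| form, NULL name: %d NULL compare(s)\n", null_compares(match_or_form, NULL));
    printf("&& form, NULL name: %d NULL compare(s)\n", null_compares(match_and_form, NULL));
    printf("|| form accepts other.example: %d\n", match_or_form("other.example"));
    printf("&& form accepts upper-case name: %d\n", match_and_form("SMB4.INTERNAL.ID10TS.NET"));
    return 0;
}
```

The "||" form also returns true for every non-NULL name, so it never performs the domain comparison it was written for.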