Bug 7694 - Crash bug with invalid SPNEGO token.
Product: Samba 3.5
Classification: Unclassified
Component: File services
Priority: P3 Severity: normal
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2010-09-23 23:44 UTC by Jeremy Allison
Modified: 2011-08-27 09:02 UTC

Attachment: git-am fix for 3.5.next (2.95 KB, patch)
2010-09-26 07:01 UTC, Jeremy Allison
vl: review+

Description Jeremy Allison 2010-09-23 23:44:12 UTC
Found by the CodeNomicon test suites at the SNIA plugfest.
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL.
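The null-list dereference the report describes, as an added C illustration that is not Samba's code: the token struct, the decoder and the two handler functions are hypothetical stand-ins that model a decoder returning NULL instead of an empty OID array, with the crashing read of `oids[0]` beside the defensive check.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a decoded SPNEGO negTokenInit: the decoder hands
 * back the mechTypes list as a NULL-terminated array of dotted-OID strings,
 * or NULL when the token carried no OIDs at all (the malformed case in the
 * bug report). Hypothetical types and names, not Samba's. */
struct neg_token_init {
    const char **oids;
};

/* Well-known mechanism OIDs, used here only as sample data. */
#define OID_KRB5    "1.2.840.113554.1.2.2"
#define OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10"

/* Hypothetical decoder: models a parser that returns NULL rather than an
 * empty array when the incoming token lists no mechanisms. */
static struct neg_token_init decode_token(const char **mech_types)
{
    struct neg_token_init t;
    t.oids = (mech_types != NULL && mech_types[0] != NULL) ? mech_types : NULL;
    return t;
}

/* The crashing pattern: reads oids[0] unconditionally, so a token with no
 * OIDs dereferences NULL. Returns 1 if the first mechanism matches, else 0. */
static int first_mech_is_unchecked(const struct neg_token_init *t,
                                   const char *wanted)
{
    return strcmp(t->oids[0], wanted) == 0;
}

/* Defensive version: a missing or empty list is a malformed token and is
 * rejected (-1) before anything is dereferenced; otherwise 1 = match, 0 = no. */
static int first_mech_is_checked(const struct neg_token_init *t,
                                 const char *wanted)
{
    if (t->oids == NULL || t->oids[0] == NULL) {
        return -1;
    }
    return strcmp(t->oids[0], wanted) == 0 ? 1 : 0;
}
```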

Comment 1 Jeremy Allison 2010-09-26 07:01:51 UTC
Created attachment 5985 [details]
git-am fix for 3.5.next

Volker, please check and re-assign to Karolin if you're ok with it. This is the fix I put into master and v3-6-test, modified for 3.5.next.

Comment 2 Volker Lendecke 2010-09-27 05:46:50 UTC
Comment on attachment 5985 [details]
git-am fix for 3.5.next

Jeremy, can you please upload a tcpdump or a torture test of this crash bug?
Comment 3 Jeremy Allison 2010-09-27 07:45:22 UTC
Unfortunately it was from a proprietary app (the CodeNomicon suite). I do have the data that their tool creates describing the flaw they injected into the packet, but in order to reproduce I'll have to hand craft an invalid SPNEGO packet with a null list of OIDs. I'll code that into smbtorture (in source3) as a regression test. I'll update the bug when the test is in place.

Comment 4 Jeremy Allison 2010-10-06 19:33:10 UTC
Ok, it's really hard to create a torture test for this bug, as it means duplicating a lot of code that creates SPNEGO packets that is currently in static functions inside libsmb/ in order to corrupt the packet at exactly the right place. I can do this, but it would make the torture code for this really ugly.

Volker, can you review the code logic for 3.5.next, as it's actually a pretty simple defensive programming patch. It's also gone into master and 3.6.0 so it has had some testing.

I'd like to get this crash bug fixed for 3.5.6.

Comment 5 Karolin Seeger 2010-10-07 10:44:56 UTC
Pushed to v3-5-test.
Closing out bug report.