Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL. Jeremy.
Created attachment 5985: git-am fix for 3.5.next
Volker, please check and re-assign to Karolin if you're ok with it. This is the fix I put into master and v3-6-test, modified for 3.5.next. Jeremy.
Comment on attachment 5985 (git-am fix for 3.5.next)
Jeremy, can you please upload a tcpdump or a torture test of this crash bug? Thanks, Volker
Unfortunately it was from a proprietary app (the CodeNomicon suite). I do have the data that their tool creates describing the flaw they injected into the packet, but in order to reproduce I'll have to hand craft an invalid SPNEGO packet with a null list of OIDs. I'll code that into smbtorture (in source3) as a regression test. I'll update the bug when the test is in place. Jeremy.
Ok, it's really hard to create a torture test for this bug, as it means duplicating a lot of code that creates SPNEGO packets that is currently in static functions inside libsmb/ in order to corrupt the packet at exactly the right place. I can do this, but it would make the torture code for this really ugly. Volker, can you review the code logic for 3.5.next, as it's actually a pretty simple defensive programming patch. It's also gone into master and 3.6.0 so it has had some testing. I'd like to get this crash bug fixed for 3.5.6. Jeremy.
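The defect class described in this report, as an added example (this is not Samba's code or the fix that was pushed): a small DER decoder for a SPNEGO mechTypes list ("SEQUENCE OF OBJECT IDENTIFIER") that returns a NULL-terminated array, beside the consumer pattern the bug describes (dereferencing OIDs[0] unconditionally) and its hardened form, which treats an empty mechanism list as a protocol error. The function names, the short-form-length-only parsing, and the two sample packets are assumptions constructed for the example.

```c
/* Added example (not Samba's code): an empty mechTypes SEQUENCE is valid DER,
 * so a parser that returns a NULL-terminated OID array hands back OIDs[0] ==
 * NULL. The consumer must check for that. Short-form DER lengths only, and
 * single-byte first sub-identifiers (assumptions that keep this short). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OIDS 8

static void free_oids(char **oids)
{
    if (!oids) return;
    for (size_t i = 0; oids[i]; i++) free(oids[i]);
    free(oids);
}

/* Decode OBJECT IDENTIFIER content octets into dotted text (X.690 8.19).
 * Returns a heap string, or NULL on a truncated or oversized sub-identifier. */
static char *oid_to_string(const uint8_t *p, size_t len)
{
    char buf[128];
    if (len == 0) return NULL;
    unsigned first = p[0] < 80 ? p[0] / 40 : 2;
    unsigned second = p[0] < 80 ? p[0] % 40 : p[0] - 80;
    size_t pos = (size_t)snprintf(buf, sizeof buf, "%u.%u", first, second);
    uint32_t arc = 0;
    int pending = 0;
    for (size_t i = 1; i < len; i++) {
        if (arc > (UINT32_MAX >> 7)) return NULL;   /* arc would overflow */
        arc = (arc << 7) | (p[i] & 0x7fu);
        pending = (p[i] & 0x80) != 0;
        if (!pending) {
            int n = snprintf(buf + pos, sizeof buf - pos, ".%u", arc);
            if (n < 0 || (size_t)n >= sizeof buf - pos) return NULL;
            pos += (size_t)n;
            arc = 0;
        }
    }
    if (pending) return NULL;                        /* cut mid sub-identifier */
    char *s = malloc(pos + 1);
    if (s) memcpy(s, buf, pos + 1);
    return s;
}

/* Parse "SEQUENCE OF OBJECT IDENTIFIER". Returns a NULL-terminated array of
 * dotted OIDs, or NULL if the encoding is malformed. An empty SEQUENCE is
 * well-formed and yields an array whose element [0] is NULL. */
char **parse_mech_types(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != 0x30 || (buf[1] & 0x80) || (size_t)buf[1] + 2 != len)
        return NULL;
    char **oids = calloc(MAX_OIDS + 1, sizeof *oids);
    if (!oids) return NULL;
    size_t i = 2, count = 0;
    while (i < len) {
        if (i + 2 > len || buf[i] != 0x06 || (buf[i + 1] & 0x80)) goto bad;
        size_t olen = buf[i + 1];
        if (i + 2 + olen > len || count == MAX_OIDS) goto bad;
        if (!(oids[count] = oid_to_string(buf + i + 2, olen))) goto bad;
        count++;
        i += 2 + olen;
    }
    return oids;
bad:
    free_oids(oids);
    return NULL;
}

/* Before: the pattern the report describes. strlen(NULL) crashes on an
 * empty list. Kept only to show the shape of the defect; never call it on
 * an unvalidated array. */
size_t first_mech_len_unchecked(char **oids) { return strlen(oids[0]); }

/* After: an empty mechanism list is rejected instead of dereferenced. */
const char *select_first_mech(char **oids)
{
    if (oids == NULL || oids[0] == NULL) return NULL;
    return oids[0];
}

/* Constructed inputs: a two-OID list (NTLMSSP, Kerberos v5) and an empty one. */
static const uint8_t mechs_two[] = {
    0x30, 0x17,
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
};
static const uint8_t mechs_empty[] = { 0x30, 0x00 };

/* Returns 1 if the hardened selector rejects the empty list without crashing. */
int demo_empty_list_rejected(void)
{
    char **oids = parse_mech_types(mechs_empty, sizeof mechs_empty);
    int ok = oids != NULL && select_first_mech(oids) == NULL;
    free_oids(oids);
    return ok;
}

/* Returns 1 if both OIDs of the valid list decode to the expected dotted form. */
int demo_valid_list(void)
{
    char **oids = parse_mech_types(mechs_two, sizeof mechs_two);
    const char *m = select_first_mech(oids);
    int ok = m != NULL && strcmp(m, "1.3.6.1.4.1.311.2.2.10") == 0 &&
             oids[1] != NULL && strcmp(oids[1], "1.2.840.113554.1.2.2") == 0;
    free_oids(oids);
    return ok;
}

int main(void)
{
    printf("empty list rejected: %d\n", demo_empty_list_rejected());
    printf("valid list parsed:   %d\n", demo_valid_list());
    return 0;
}
```

The check belongs in the consumer, not only in the parser: an empty mechTypes list is legal DER, so the parser cannot reject it without breaking conformance, and every caller that reads OIDs[0] has to treat a NULL first element as "no mechanism offered" and fail the negotiation cleanly.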
Pushed to v3-5-test. Closing out bug report. Thanks!