Bug 7694 - Crash bug with invalid SPNEGO token.
Summary: Crash bug with invalid SPNEGO token.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services (show other bugs)
Version: 3.5.5
Hardware: All All
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-23 23:44 UTC by Jeremy Allison
Modified: 2011-08-27 09:02 UTC (History)
0 users

See Also:


Attachments
git-am fix for 3.5.next (2.95 KB, patch)
2010-09-26 07:01 UTC, Jeremy Allison
vl: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2010-09-23 23:44:12 UTC
Found by the CodeNomicon test suites at the SNIA plugfest.

http://www.codenomicon.com/

If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL.

Jeremy.
Comment 1 Jeremy Allison 2010-09-26 07:01:51 UTC
Created attachment 5985 [details]
git-am fix for 3.5.next

Volker, please check and re-assign to Karolin if you're ok with it. This is the fix I put into master and v3-6-test, modified for 3.5.next.

Jeremy.
Comment 2 Volker Lendecke 2010-09-27 05:46:50 UTC
Comment on attachment 5985 [details]
git-am fix for 3.5.next

Jeremy, can you please upload a tcpdump or a torture test of this crash bug?

Thanks,

Volker
Comment 3 Jeremy Allison 2010-09-27 07:45:22 UTC
Unfortunately it was from a proprietary app (the CodeNomicon suite). I do have
the data that their tool creates describing the flaw they injected into the
packet, but in order to reproduce I'll have to hand craft an invalid SPNEGO packet with a null list of OID's. I'll code that into smbtorture (in source3) as a
regression test. I'll update the bug when the test is in place.

Jeremy.
Comment 4 Jeremy Allison 2010-10-06 19:33:10 UTC
Ok, it's really hard to create a torture test for this bug, as it means duplicating a lot of code that creates SPNEGO packets that is currently in static functions inside libsmb/ in order to corrupt the packet at exactly the right place. I can do this, but it would make the torture code for this really ugly.

Volker, can you review the code logic for 3.5.next, as it's actually a pretty simple defensive programming patch. It's also gone into master and 3.6.0 so it has had some testing.

I'd like to get this crash bug fixed for 3.5.6.


Jeremy.
Comment 5 Karolin Seeger 2010-10-07 10:44:56 UTC
Pushed to v3-5-test.
Closing out bug report.

Thanks!