Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid NetBIOS session request is received the code in name_len() in libsmb/nmblib.c can hit an assert. Jeremy.
Created attachment 5984 [details] git-am fix for 3.5.next Volker, please check and re-assign to Karolin if you're ok. This is the fix I put into master and v3-6-test, modified for 3.5.next. Jeremy.
Comment on attachment 5984 [details] git-am fix for 3.5.next Jeremy, before I bless this I'd like to see the sniff that made smbd run into the assert. This packet-length twiddling is a bit too fiddly to get right from just looking at the code. Thanks, Volker
Unfortunately it was from a proprietary app (the CodeNomicon suite). I do have the data that their tool creates describing the flaw they injected into the packet, but in order to reproduce I'll have to hand craft a NetBIOS type 81 packet with invalid name. I'll code that into smbtorture (in source3) as a regression test (shouldn't be too hard). I'll update the bug when the test is in place. Jeremy.
We now have a regression test in bin/smbtorture - BAD-NBT-SESSION added with d7c09f312ee326c3108c7d06bc9c7390861d8552 in master. Running this test crashes 3.5.x, now passes against v3-6-test and master. Jeremy.
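As an added illustration of the packet shape under discussion (this is example code written for this page, not Samba's nmblib.c, not the patch, and not the BAD-NBT-SESSION smbtorture test), the block below builds an RFC 1002 session request (type 0x81), walks its two encoded names with an explicit buffer bound instead of trusting the per-label length byte, and constructs a truncated request whose called-name label claims 32 bytes that the packet does not carry. The function names nb_name_len, nb_session_request_ok, nb_build_session_request and nb_build_truncated_session_request are assumptions for this example; the sample host names and the malformed bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire length of an RFC 1002 encoded name starting at buf[off], never reading
 * past buf[len]. Returns the byte count, or -1 if the name is truncated or
 * uses a reserved label type. A bounds-blind walk would instead step past the
 * end of the packet on a bad length byte. */
int nb_name_len(const uint8_t *buf, size_t len, size_t off)
{
    size_t pos = off;
    for (;;) {
        if (pos >= len)
            return -1;                          /* no terminator inside the packet */
        uint8_t lab = buf[pos];
        if (lab == 0)
            return (int)(pos - off + 1);        /* root label ends the name */
        if ((lab & 0xC0) == 0xC0) {             /* 2-byte compression pointer ends it too */
            if (pos + 1 >= len)
                return -1;
            return (int)(pos - off + 2);
        }
        if (lab & 0xC0)
            return -1;                          /* 0x40/0x80 label types are reserved */
        pos += 1 + (size_t)lab;                 /* ordinary label: length byte + data */
    }
}

/* Validate a session request: type 0x81, 17-bit length (flags bit 0 extends
 * it), then CALLED and CALLING names that must exactly fill the body. */
int nb_session_request_ok(const uint8_t *pkt, size_t len)
{
    if (len < 4 || pkt[0] != 0x81)
        return -1;
    size_t body = ((size_t)(pkt[1] & 1) << 16) | ((size_t)pkt[2] << 8) | pkt[3];
    if (body + 4 > len)
        return -1;                              /* declared length exceeds bytes received */
    size_t end = 4 + body;
    int called = nb_name_len(pkt, end, 4);
    if (called < 0)
        return -1;
    int calling = nb_name_len(pkt, end, 4 + (size_t)called);
    if (calling < 0)
        return -1;
    if (4 + (size_t)called + (size_t)calling != end)
        return -1;                              /* trailing bytes after the second name */
    return 0;
}

/* Build a well-formed request: each 16-byte NetBIOS name (space padded, last
 * byte = suffix) is first-level encoded as 32 bytes of 'A'..'P' nibbles. */
size_t nb_build_session_request(uint8_t *out, const char *called, uint8_t called_suffix,
                                const char *calling, uint8_t calling_suffix)
{
    const char *names[2] = { called, calling };
    uint8_t sufs[2] = { called_suffix, calling_suffix };
    size_t pos = 4;
    for (int n = 0; n < 2; n++) {
        uint8_t raw[16];
        memset(raw, ' ', sizeof raw);
        size_t l = strlen(names[n]);
        if (l > 15) l = 15;
        memcpy(raw, names[n], l);
        raw[15] = sufs[n];
        out[pos++] = 32;                        /* label length: 16 bytes * 2 nibbles */
        for (int i = 0; i < 16; i++) {
            out[pos++] = (uint8_t)('A' + (raw[i] >> 4));
            out[pos++] = (uint8_t)('A' + (raw[i] & 0x0F));
        }
        out[pos++] = 0;                         /* terminating root label */
    }
    out[0] = 0x81;
    out[1] = 0;
    out[2] = (uint8_t)((pos - 4) >> 8);
    out[3] = (uint8_t)((pos - 4) & 0xFF);
    return pos;
}

/* Constructed malformed request: the called-name length byte promises 32
 * encoded bytes but only 9 follow and the body length agrees with the 9, so a
 * reader that trusts the label byte walks off the end of the packet. */
size_t nb_build_truncated_session_request(uint8_t *out)
{
    static const uint8_t bad[] = { 0x81, 0x00, 0x00, 0x0A, 0x20,
                                   'E', 'B', 'E', 'B', 'E', 'B', 'E', 'B', 'E' };
    memcpy(out, bad, sizeof bad);
    return sizeof bad;
}

/* Runs the good and bad packets through the validator; returns passed checks. */
int nb_selftest(void)
{
    uint8_t p[128], q[64];
    int pass = 0;
    size_t n = nb_build_session_request(p, "SERVER", 0x20, "CLIENT", 0x00);
    pass += (n == 72 && nb_session_request_ok(p, n) == 0);
    pass += (nb_name_len(p, n, 4) == 34);
    pass += (nb_session_request_ok(p, 40) == -1);   /* header claims more than we got */
    p[4] = 0x40;                                    /* reserved label type bits */
    pass += (nb_session_request_ok(p, n) == -1);
    size_t m = nb_build_truncated_session_request(q);
    pass += (m == 14 && nb_session_request_ok(q, m) == -1);
    pass += (nb_name_len(q, m, 4) == -1);
    return pass;
}

int main(void)
{
    printf("%d/6 checks passed\n", nb_selftest());
    return nb_selftest() == 6 ? 0 : 1;
}
```

The point of the bounded walk is that every label length and pointer is checked against the end of the received body before it is used, so a crafted length byte turns into a clean -1 rather than a read past the packet.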
Comment on attachment 5984 [details] git-am fix for 3.5.next Patch fixes the problem. Although to be honest, the patch is more difficult to understand than necessary, as it could have been a bit better partitioned as a patch. It puts everything into one basket which should be avoided IMVHO
Pushed to v3-5-test. Closing out bug report. Thanks!