Bug 8199 - potential crash in smbd handling smb2
Summary: potential crash in smbd handling smb2
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services
Version: 3.6.0rc1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2011-06-01 10:44 UTC by Volker Lendecke
Modified: 2011-06-01 18:35 UTC (History)

See Also:
metze: review+


Description Volker Lendecke 2011-06-01 10:44:52 UTC
c981d4fa126956 needs to be in 3.6. Sent the following explanation to Jeremy:

With the async echo responder active we did not enable sconn->using_smb2. Client came in with a SMB1 negprot offering SMB2, which we happily accepted. So we were running SMB2 without sconn->using_smb2 being set to true. Now look at exit_server_common. We explicitly do the conn_close_all which in the SMB1 case does the close_cnum on all connections. In exit_server_common we later do the TALLOC_FREE(smbd_server_conn). All smb2_tcon structs are eventually children of smbd_server_conn, so smbd_smb2_tcon_destructor gets called. There if tcon->compat_conn exists (which it still does, but invalidly, see the conn_close_all above) we call set_current_service. That then wants to dereference conn->params, which conn_free (called from conn_close_all) had already NULL'ed out.

This patch makes 100% sure we never handle SMB2 without sconn->using_smb2 being set to true.
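The teardown ordering described in the report, as an added, simplified model that is not Samba code: the structs and function names (conn_close_all, conn_free, the tcon destructor, set_current_service, using_smb2) follow the report's wording, but their bodies are hypothetical stand-ins. The model counts the NULL dereference instead of crashing, so the buggy configuration (SMB2 in use, flag not set) and the fixed one (flag set, so the SMB1-only conn_close_all is skipped and the tcon destructor runs while conn->params is still valid) can be compared directly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the shutdown sequence from the report.
 * Not Samba code: bodies are simplified stand-ins for the real ones. */

struct share_params { char name[32]; };

struct connection {
    struct share_params *params;    /* freed and NULLed by conn_free() */
};

struct smb2_tcon {
    struct connection *compat_conn; /* still set after conn_free(): dangling */
};

struct server_conn {
    int using_smb2;                 /* the flag the fix keeps consistent */
    struct connection conn;
    struct smb2_tcon *tcon;         /* NULL unless an SMB2 tree connect exists */
    int null_deref_count;           /* dereferences that would have crashed */
};

static void conn_free(struct connection *c)
{
    free(c->params);                /* free(NULL) is a no-op on a 2nd call */
    c->params = NULL;
}

/* SMB1 teardown: close_cnum on every connection NULLs conn->params. */
static void conn_close_all(struct server_conn *s)
{
    conn_free(&s->conn);
}

/* The real function dereferences conn->params unconditionally; here a
 * NULL is recorded and reported as -1 instead of crashing. */
static int set_current_service(struct server_conn *s, struct connection *c)
{
    if (c->params == NULL) {
        s->null_deref_count++;
        return -1;
    }
    return 0;
}

/* Runs when the tcon is freed as a child of the server connection. */
static void smb2_tcon_destructor(struct server_conn *s, struct smb2_tcon *t)
{
    if (t->compat_conn != NULL) {
        set_current_service(s, t->compat_conn);
    }
}

static void exit_server_common(struct server_conn *s)
{
    if (!s->using_smb2) {
        conn_close_all(s);          /* SMB1 path: params gone from here on */
    }
    /* TALLOC_FREE(smbd_server_conn): child destructors run first. */
    if (s->tcon != NULL) {
        smb2_tcon_destructor(s, s->tcon);
        s->tcon = NULL;
    }
    conn_free(&s->conn);
}

/* smb2_session: an SMB2 tree connect exists at shutdown.
 * flag_set: whether using_smb2 was set when SMB2 was negotiated.
 * Returns the number of NULL dereferences the shutdown would have hit. */
int simulate_shutdown(int smb2_session, int flag_set)
{
    struct server_conn s;
    struct smb2_tcon tcon;

    memset(&s, 0, sizeof(s));
    s.conn.params = calloc(1, sizeof(*s.conn.params));
    snprintf(s.conn.params->name, sizeof(s.conn.params->name), "share");
    if (smb2_session) {
        tcon.compat_conn = &s.conn;
        s.tcon = &tcon;
        s.using_smb2 = flag_set;
    }
    exit_server_common(&s);
    return s.null_deref_count;
}

int main(void)
{
    printf("SMB2, flag unset : %d null deref(s)\n", simulate_shutdown(1, 0));
    printf("SMB2, flag set   : %d null deref(s)\n", simulate_shutdown(1, 1));
    printf("SMB1 only        : %d null deref(s)\n", simulate_shutdown(0, 0));
    return 0;
}
```

The model shows why the fix is to keep the flag consistent rather than to NULL-check inside set_current_service: once using_smb2 is true the SMB1 teardown is not run at all, so the tcon destructor never sees a connection whose params have already been released.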
Comment 1 Stefan Metzmacher 2011-06-01 14:17:32 UTC
Yep, that should go into 3.6.0
Comment 2 Jeremy Allison 2011-06-01 17:55:31 UTC
+1 makes sense.

Comment 3 Karolin Seeger 2011-06-01 18:35:31 UTC
Pushed to v3-6-test.
Closing out bug report.