Bug 9174 - Empty SPNEGO packet can cause smbd to crash.
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: File services
Version: unspecified
Hardware/OS: All / All
Priority/Severity: P5 normal
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2012-09-18 18:49 UTC by Jeremy Allison
Modified: 2012-09-21 07:23 UTC (History)
Attachments:
git-am fix for 3.6.next (1.45 KB, patch), 2012-09-18 18:55 UTC, Jeremy Allison. Flags: jra: review? (vl); metze: review+
Description Jeremy Allison 2012-09-18 18:49:01 UTC
Found by Codenomicon testing at the SNIA plugfest.

All fields within NegTokenInit and NegTokenTarg are optional. We incorrectly assume we'll always get a data blob and indirect within it.

Fix for 3.6.x, 3.5.x and 4.0.0rc to follow.

Big thanks to the Codenomicon guys!

Jeremy.
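The bug described above is an assumption that an optional field is always present. As an added illustration (not Samba's code, and not the attached patch), here is a small DER reader for a NegTokenTarg that records which of its four OPTIONAL fields are actually present and only exposes the responseToken blob when it exists; struct and function names are hypothetical, and it assumes short-form DER lengths (under 128 bytes), which is enough to show the empty-field cases.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical result: which optional NegTokenTarg fields were present. */
struct negtokentarg {
    int has_negstate, has_supported_mech, has_response_token, has_mechlist_mic;
    const uint8_t *response_token;   /* valid only if has_response_token */
    size_t response_token_len;       /* may be 0 even when present */
};

/* Read one short-form DER TLV. Returns bytes consumed, 0 on truncation
   or on a long-form length (assumption: not needed for this demo). */
static size_t read_tlv(const uint8_t *p, size_t avail, uint8_t *tag,
                       const uint8_t **val, size_t *vlen)
{
    if (avail < 2 || (p[1] & 0x80) || (size_t)p[1] + 2 > avail) return 0;
    *tag = p[0]; *vlen = p[1]; *val = p + 2;
    return *vlen + 2;
}

/* Parse [1] SEQUENCE { [0] negState, [1] supportedMech, [2] responseToken,
   [3] mechListMIC }, every field OPTIONAL. Returns 0 on success, -1 on
   malformed or empty input. Never dereferences a field that is absent. */
int parse_negtokentarg(const uint8_t *buf, size_t len, struct negtokentarg *out)
{
    uint8_t tag; const uint8_t *v, *seq; size_t vlen, seqlen, off = 0;
    memset(out, 0, sizeof(*out));
    if (!read_tlv(buf, len, &tag, &v, &vlen) || tag != 0xa1) return -1;
    if (!read_tlv(v, vlen, &tag, &seq, &seqlen) || tag != 0x30) return -1;
    while (off < seqlen) {
        const uint8_t *fv; size_t flen;
        size_t n = read_tlv(seq + off, seqlen - off, &tag, &fv, &flen);
        if (n == 0) return -1;
        switch (tag) {
        case 0xa0: out->has_negstate = 1; break;
        case 0xa1: out->has_supported_mech = 1; break;
        case 0xa2: { /* responseToken is an OCTET STRING that may be empty */
            uint8_t it; const uint8_t *iv; size_t il;
            if (!read_tlv(fv, flen, &it, &iv, &il) || it != 0x04) return -1;
            out->has_response_token = 1;
            out->response_token = iv; out->response_token_len = il;
            break; }
        case 0xa3: out->has_mechlist_mic = 1; break;
        default: return -1;   /* unknown tag: reject rather than guess */
        }
        off += n;
    }
    return 0;
}
```

A caller that wants the responseToken must check has_response_token and then response_token_len before touching the bytes; an entirely empty SEQUENCE parses successfully with every flag clear.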
Comment 1 Jeremy Allison 2012-09-18 18:55:54 UTC
Created attachment 7904 [details]
git-am fix for 3.6.next

I've checked every code path within 3.6.x; this is the only vulnerable place where we don't correctly check returns.
Jeremy
Comment 2 Stefan Metzmacher 2012-09-18 20:56:57 UTC
Is this only in 3.6?
Comment 3 Jeremy Allison 2012-09-18 21:13:11 UTC
No, I expect it's in all versions. Patch for master will be pushed to autobuild and I'll follow up here with a patch for 3.5.x.

Jeremy.
Comment 4 Stefan Metzmacher 2012-09-18 22:10:34 UTC
The code that is changed by this patch doesn't exist in master anymore.

To me it seems that spnego_read_data() (read_negTokenInit, read_negTokenTarg) doesn't have this problem.
Comment 5 Jeremy Allison 2012-09-19 01:49:25 UTC
Ok, I finally had a chance to look over the 3.5.x code and it doesn't look like it's a problem here either - so I think it's a 3.6.x fix only.

Yay!

Jeremy.
Comment 6 Stefan Metzmacher 2012-09-19 22:34:33 UTC
Comment on attachment 7904 [details]
git-am fix for 3.6.next

Looks good
Comment 7 Stefan Metzmacher 2012-09-19 22:35:09 UTC
Karolin, please pick for the next release.
Comment 8 Karolin Seeger 2012-09-21 07:23:53 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks!