Bug 9174 - Empty SPNEGO packet can cause smbd to crash.
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2012-09-18 18:49 UTC by Jeremy Allison
Modified: 2020-12-11 07:59 UTC

See Also:

git-am fix for 3.6.next (1.45 KB, patch)
2012-09-18 18:55 UTC, Jeremy Allison
metze: review+

Description Jeremy Allison 2012-09-18 18:49:01 UTC
Found by Codenomicon testing at the SNIA plugfest.

All fields within NegTokenInit and NegTokenTarg are optional. We incorrectly assume we'll always get a data blob and indirect within it.

Fix for 3.6.x, 3.5.x and 4.0.0rc to follow.

Big thanks to the Codenomicon guys!

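The failure mode the description names is a parser that assumes the optional mechToken of a NegTokenInit is always present and non-empty. The following is an added illustration in C, not Samba's code and not the attached patch: a small DER walker that treats every [n] field as OPTIONAL and reports an absent, empty or truncated mechToken instead of dereferencing it. The type and function names (blob_t, der_read_tlv, parse_neg_token_init, classify_neg_token_init) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* (data, length) pair in the spirit of Samba's DATA_BLOB; this is an illustration, not Samba code. */
typedef struct { const uint8_t *data; size_t length; } blob_t;
typedef struct { bool has_mech_types, has_mech_token; blob_t mech_token; } neg_token_init_t;

/* Read one DER TLV (1-byte tag, short or 1..2-byte long-form length) from *in and advance past it.
   Returns false instead of reading beyond the buffer when the token is truncated. */
static bool der_read_tlv(blob_t *in, uint8_t *tag, blob_t *val) {
    if (in->length < 2) return false;
    size_t len = in->data[1], hdr = 2;
    if (len & 0x80) {
        size_t n = len & 0x7f;
        if (n == 0 || n > 2 || in->length < 2 + n) return false;
        for (len = 0; hdr < 2 + n; hdr++) len = (len << 8) | in->data[hdr];
    }
    if (in->length - hdr < len) return false;
    *tag = in->data[0];
    val->data = in->data + hdr; val->length = len;
    in->data += hdr + len; in->length -= hdr + len;
    return true;
}

/* Parse a NegTokenInit SEQUENCE. Every [n] field is OPTIONAL, so the parser records what is present
   instead of assuming mechToken ([2]) is always there and always non-empty. */
static bool parse_neg_token_init(blob_t body, neg_token_init_t *out) {
    uint8_t tag; blob_t seq, field, inner;
    *out = (neg_token_init_t){0};
    if (!der_read_tlv(&body, &tag, &seq) || tag != 0x30 || body.length != 0) return false;
    while (seq.length > 0) {
        if (!der_read_tlv(&seq, &tag, &field)) return false;
        if (tag == 0xa0) { out->has_mech_types = true; }   /* mechTypes [0] */
        else if (tag == 0xa2) {                             /* mechToken [2] wraps an OCTET STRING */
            if (!der_read_tlv(&field, &tag, &inner) || tag != 0x04) return false;
            out->has_mech_token = true; out->mech_token = inner;
        }                                                   /* reqFlags [1], mechListMIC [3]: skipped */
    }
    return true;
}

/* The check the report describes as missing: never hand a mechToken that was not sent, or that is
   zero-length, to the mechanism code. 0 = malformed, 1 = well-formed but no usable token, 2 = usable. */
static int classify_neg_token_init(const uint8_t *buf, size_t len) {
    neg_token_init_t t; blob_t b = { buf, len };
    if (!parse_neg_token_init(b, &t)) return 0;
    return (t.has_mech_token && t.mech_token.length > 0) ? 2 : 1;
}
```

Sample inputs such as `30 00` (a NegTokenInit with no fields at all) or `30 04 a2 02 04 00` (a present but empty mechToken) are the shapes a robustness fuzzer sends, and both come back as "no usable token" rather than as a pointer into nothing.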
Comment 1 Jeremy Allison 2012-09-18 18:55:54 UTC
Created attachment 7904
git-am fix for 3.6.next

I've checked every code path within 3.6.x; this is the only vulnerable place where we don't correctly check returns.
Comment 2 Stefan Metzmacher 2012-09-18 20:56:57 UTC
Is this only in 3.6?
Comment 3 Jeremy Allison 2012-09-18 21:13:11 UTC
No, I expect it's in all versions. Patch for master will be pushed to autobuild and I'll follow up here with a patch for 3.5.x.

Comment 4 Stefan Metzmacher 2012-09-18 22:10:34 UTC
The code that is changed by this patch doesn't exist in master anymore.

To me it seems that spnego_read_data() (read_negTokenInit, read_negTokenTarg) doesn't have this problem.
Comment 5 Jeremy Allison 2012-09-19 01:49:25 UTC
Ok, I finally had a chance to look over the 3.5.x code and it doesn't look like it's a problem here either - so I think it's a 3.6.x fix only.

Yay!

Comment 6 Stefan Metzmacher 2012-09-19 22:34:33 UTC
Comment on attachment 7904
git-am fix for 3.6.next

Looks good
Comment 7 Stefan Metzmacher 2012-09-19 22:35:09 UTC
Karolin, please pick for the next release.
Comment 8 Karolin Seeger 2012-09-21 07:23:53 UTC
Pushed to v3-6-test.
Closing out bug report.