Project

General

Profile

Bug #10970

SMB v1 response incorrect when signature verification fails

Added by Gordon Ross 5 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Start date:
2019-05-14
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

Open the attached tcon.snoop in Wireshark, and see frame 13.
Says [Malformed ...]
The word count and byte count are missing, so
the frame is 32 bytes long where it should be 35.

Steps to Reproduce:
Set signing required on the server,
and signing disabled on the client.
Attempt to connect with SMB1

Observe malformed error packet.


Files

tcon.snoop (3.27 KB) tcon.snoop Gordon Ross, 2019-05-18 02:06 AM

History

#1

Updated by Gordon Ross 5 months ago

#2

Updated by Gordon Ross 5 months ago

  • Status changed from New to In Progress
#3

Updated by Gordon Ross 5 months ago

  • Description updated (diff)
#4

Updated by Gordon Ross 5 months ago

Near the top of smb1sr work, we have some "goto report_error" statements
that happen before we've written the SMB header in the reply. In that case,
report_error writes the (zero) word count and byte count at offset zero, and
then the header gets "poked" into the same location, overwriting those.
The word count and byte count are supposed to be after the header.

Testing: as in the description.
Fix in production since mid 2017

#5

Updated by Electric Monk 5 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 2a19195a95e51d8bfa4d94abf117f9ace761ad08

commit  2a19195a95e51d8bfa4d94abf117f9ace761ad08
Author: Gordon Ross <gwr@nexenta.com>
Date:   2019-05-19T23:21:32.000Z

    10970 SMB v1 response incorrect when signature verification fails
    Reviewed by: Evan Layton <evan.layton@nexenta.com>
    Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
    Reviewed by: Matt Barden <matt.barden@nexenta.com>
    Approved by: Joshua M. Clulow <josh@sysmgr.org>

Also available in: Atom PDF