Bug #14021

closed

stack overflow in smbd:smbd_dc_check

Added by Andy Fiddaman 4 months ago. Updated 4 months ago.

Status: Closed
Priority: High
Assignee:
Category: smb - SMB server and client
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:

Description

An OmniOS user has reported a crash in smbd:

% mdb core.smbd.1628737077
Loading modules: [ libumem.so.1 libc.so.1 libuutil.so.1 libcmdutils.so.1 libmlsvc.so.1 libavl.so.1 libtopo.so.1 libnvpair.so.1 ld.so.1 ]
> $C
fe7d0ab8 libc.so.1`syscall+0x13(feee9204, 1c, fe7d0a9c, 0, fe7d0b08, 26)
fe7d0ad8 0xfee6d77f(fe7d0b44, 1, 1388, bd01001a, 0, 400726)
fe7d0b08 smbd_dc_update(fe7d0b44, 8071bcc, fe7d0b3c, 805abd4)
fe7d0fc8 smbd_dc_monitor+0x144(0, 0, 0, 0)
fe7d0fe8 libc.so.1`_thrp_setup+0x81(fec51a40)
fe7d0ff8 libc.so.1`_lwp_start(fec51a40, 0, 0, 0, 0, 0)
> ::status
debugging core file of smbd (32-bit) from fs2
initial argv: /usr/lib/smbsrv/smbd start
threading model: native threads
status: process panicked
upanic message: *** stack smashing detected
(gdb) where
#0  0xfeedef53 in syscall () from /lib/libc.so.1
#1  0xfeedd59a in upanic () from /lib/libc.so.1
#2  0xfee6d77f in __stack_chk_fail () from /lib/libc.so.1
#3  0x0805aa66 in smbd_dc_check ()
#4  0x0805acc7 in smbd_dc_monitor ()
#5  0xfeed8031 in _thrp_setup () from /lib/libc.so.1
#6  0xfeed82e0 in ?? () from /lib/libc.so.1
#7  0x00000000 in ?? ()

This occurred around the same time as one of the DCs was rebooted for maintenance; IPv6 is in use.

The problem appears to be that the smbd_dc_check() function is allocating storage for a struct sockaddr and then using it as struct sockaddr_in6 which is twice as big.
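The following C program is an added illustration of the defect class described above and is not code from smbd or from the Gerrit change; the helper names (sockaddr_fits, sockaddr_copy_checked, fill_loopback6, demo_*) are hypothetical. It shows why a struct sockaddr on the stack cannot hold a struct sockaddr_in6, and the two defensive patterns that avoid the overrun: sizing the buffer as struct sockaddr_storage, and refusing a copy whose source length exceeds the destination.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * A function that reserves a struct sockaddr (the generic header) on its
 * stack and then fills it as a struct sockaddr_in6 writes the IPv6 address
 * and scope id past the end of the buffer; with a stack protector this
 * ends in __stack_chk_fail ("stack smashing detected"), as in this bug.
 * Names below are hypothetical helpers for this example, not smbd code.
 */

/* Bytes needed to hold an address of the given family, 0 if unsupported. */
size_t sockaddr_len_for_family(int family)
{
    switch (family) {
    case AF_INET:  return sizeof (struct sockaddr_in);
    case AF_INET6: return sizeof (struct sockaddr_in6);
    default:       return 0;
    }
}

/* 1 if a buffer of buflen bytes may be used as that family's address
 * structure, 0 otherwise. */
int sockaddr_fits(size_t buflen, int family)
{
    size_t need = sockaddr_len_for_family(family);
    return need != 0 && buflen >= need;
}

/* Bounded copy: refuse instead of overrunning when the source address is
 * longer than the destination buffer. */
int sockaddr_copy_checked(void *dst, size_t dstlen,
    const struct sockaddr *src, socklen_t srclen)
{
    if (srclen > dstlen)
        return -1;
    memcpy(dst, src, srclen);
    return 0;
}

/* Correct pattern: the caller provides a struct sockaddr_storage, which is
 * defined to be large and aligned enough for every address family; the
 * actual length is returned separately for use in socket calls. */
int fill_loopback6(struct sockaddr_storage *ss, socklen_t *len)
{
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;

    if (!sockaddr_fits(sizeof (*ss), AF_INET6))
        return -1;
    memset(ss, 0, sizeof (*ss));
    sin6->sin6_family = AF_INET6;
    sin6->sin6_port = htons(445);      /* constructed sample: SMB port */
    sin6->sin6_addr = in6addr_loopback;
    *len = sizeof (*sin6);
    return 0;
}

/* Try to place the IPv6 address into a sockaddr-sized buffer (the buggy
 * size); the checked copy returns -1 rather than smashing the stack. */
int demo_copy_into_sockaddr(void)
{
    struct sockaddr_storage ss;
    struct sockaddr small;
    socklen_t len;

    if (fill_loopback6(&ss, &len) != 0)
        return -2;
    return sockaddr_copy_checked(&small, sizeof (small),
        (const struct sockaddr *)&ss, len);
}

/* The same copy into a sockaddr_storage-sized buffer succeeds (0). */
int demo_copy_into_storage(void)
{
    struct sockaddr_storage ss, dst;
    socklen_t len;

    if (fill_loopback6(&ss, &len) != 0)
        return -2;
    return sockaddr_copy_checked(&dst, sizeof (dst),
        (const struct sockaddr *)&ss, len);
}

int main(void)
{
    printf("sizeof sockaddr=%zu sockaddr_in6=%zu sockaddr_storage=%zu\n",
        sizeof (struct sockaddr), sizeof (struct sockaddr_in6),
        sizeof (struct sockaddr_storage));
    printf("copy into sockaddr: %d, into sockaddr_storage: %d\n",
        demo_copy_into_sockaddr(), demo_copy_into_storage());
    return 0;
}
```

On illumos, Linux and the BSDs, struct sockaddr is 16 bytes while struct sockaddr_in6 is larger, so sockaddr_fits() rejects the buggy buffer size for AF_INET6 but accepts it for AF_INET, which is why such code appears to work until an IPv6 DC address is written into it.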

Actions #1

Updated by Andy Fiddaman 4 months ago

  • Gerrit CR set to 1655
Actions #2

Updated by Andy Fiddaman 4 months ago

The end user who reported the crash in the first place was able, with some effort, to recreate the crash by adding blackhole routes to prevent communication with the DC.

Having replaced the smbd binary with one that includes the change in the attached Gerrit review, it was no longer possible to trigger a crash.

Actions #3

Updated by Electric Monk 4 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit d209bf0d7c080e4110469ed3a2c94e2382091f6c

commit  d209bf0d7c080e4110469ed3a2c94e2382091f6c
Author: Andy Fiddaman <omnios@citrus-it.co.uk>
Date:   2021-08-13T09:20:13.000Z

    14021 stack overflow in smbd:smbd_dc_check
    Reviewed by: Mike Zeller <mike.zeller@joyent.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>
