Bug #5215
smbd core dump with missing negotiate challenge
Status: Closed
% Done: 100%
Description
> $C
> fbe642e8 libc_hwcap1.so.1`memcpy+0x1b(0, fbe643e4, 8, fe445802)
> fbe64308 libmlsvc.so.1`netr_network_samlogon+0x28(832f008, fe4a9598, 8524e48, fbe643c0)
> fbe64418 libmlsvc.so.1`netr_server_samlogon+0x17c(fbe649b0, fe4a9598, fbe64560, 8524e48, 85c9bf8)
> fbe64a28 libmlsvc.so.1`netlogon_logon+0x15c(8524e48, 85c9bf8, 0, fe444fe6)
> fbe64a78 libmlsvc.so.1`smb_logon_domain+0xc4(8524e48, 85c9bf8, fbe64e08, fe44b301)
> fbe64e08 libmlsvc.so.1`smb_logon+0xbd(8524e48, 0, 0, 20)
> fbe64f78 smbd_user_auth_logon+0x14(8524e48)
> fbe64fa8 smbd_dop_user_auth_logon+0x29(8466f20, 200, fbe64fc8, 8057096)
> fbe64fc8 smbd_door_dispatch_op+0x64(8466f20, fef63000, fbe64fe8, feecfdee)
> fbe64fe8 libc_hwcap1.so.1`_thrp_setup+0x9b(febeca00)
> fbe64ff8 libc_hwcap1.so.1`_lwp_start(febeca00, 0, 0, 0, 0, 0)
Ref. Nexenta 7126
Updated by Gordon Ross over 8 years ago
Analysis from Dmitry Savitsky
The crash occurs when a NULL challenge key is passed to smbd from the kernel during DC logon (from the SMB_DR_USER_AUTH_LOGON door call). This can occur e.g. when a client performs session negotiation incorrectly; under some circumstances the challenge key may be left uninitialized in a session. The attached patch adds a check for a zero-length key in the smbd daemon, and moves challenge key initialization from smb_com_negotiate() to smb_session_create(), so the key will always be valid.
I couldn't find a way to reproduce the issue directly, but it can be emulated by passing null challenge key during SMB_DR_USER_AUTH_LOGON door call from kernel. So I tested my fix like that.
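The following C sketch is an added illustration, not code from illumos, Nexenta or the attached patch; the struct layouts, field names and function names are assumptions chosen to mirror the analysis above. It shows the unchecked copy that turns a NULL challenge into the memcpy(0, ...) at the top of the stack, next to the two halves of the fix described in the comment: a user-space check that rejects a missing or zero-length key before it reaches the NETLOGON path, and session-creation-time initialization so a session never carries an empty challenge in the first place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHALLENGE_LEN 8   /* NTLM server challenge is 8 bytes */

/* Hypothetical kernel-side session state (assumption, not the illumos struct). */
typedef struct {
    uint8_t  challenge[CHALLENGE_LEN];
    uint32_t challenge_len;   /* 0 means "never initialized" */
} session_t;

/* Hypothetical smbd-side view of the logon request delivered over the door. */
typedef struct {
    const uint8_t *challenge;      /* may be NULL if the session had none */
    uint32_t       challenge_len;  /* may be 0 for the same reason */
} logon_request_t;

typedef struct {
    uint8_t challenge[CHALLENGE_LEN];
} netlogon_auth_t;

enum { LOGON_OK = 0, LOGON_ERR_NO_CHALLENGE = -1, LOGON_ERR_BAD_LEN = -2 };

/*
 * Pre-fix behaviour: the copy trusts the request unconditionally. With
 * req->challenge == NULL this is the memcpy(0, ...) in the core dump.
 * Kept here only to show the defect; the checked variant below replaces it.
 */
int copy_challenge_unchecked(netlogon_auth_t *out, const logon_request_t *req)
{
    memcpy(out->challenge, req->challenge, CHALLENGE_LEN);
    return LOGON_OK;
}

/*
 * User-space half of the fix: refuse to continue the DC logon when the
 * kernel handed us no challenge, instead of dereferencing it.
 */
int copy_challenge_checked(netlogon_auth_t *out, const logon_request_t *req)
{
    if (req->challenge == NULL || req->challenge_len == 0)
        return LOGON_ERR_NO_CHALLENGE;
    if (req->challenge_len != CHALLENGE_LEN)
        return LOGON_ERR_BAD_LEN;
    memcpy(out->challenge, req->challenge, CHALLENGE_LEN);
    return LOGON_OK;
}

/*
 * Kernel-side half of the fix in miniature: the challenge is generated when
 * the session object is created, not when SMB_COM_NEGOTIATE is processed, so
 * a client that skips or mangles negotiate still leaves a valid key behind.
 * 'rnd' stands in for CHALLENGE_LEN bytes from the platform RNG (assumption:
 * the caller obtains them from a CSPRNG; this function does no generation).
 */
void session_create(session_t *s, const uint8_t rnd[CHALLENGE_LEN])
{
    memcpy(s->challenge, rnd, CHALLENGE_LEN);
    s->challenge_len = CHALLENGE_LEN;
}

/* Build the door-call view of a session; a never-initialized session yields
 * the NULL/zero-length pair that triggered the crash. */
logon_request_t request_from_session(const session_t *s)
{
    logon_request_t req = { NULL, 0 };
    if (s->challenge_len != 0) {
        req.challenge = s->challenge;
        req.challenge_len = s->challenge_len;
    }
    return req;
}

int main(void)
{
    /* Constructed sample bytes in place of real RNG output. */
    static const uint8_t rnd[CHALLENGE_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    session_t bad = { {0}, 0 };         /* negotiate never ran */
    session_t good;
    netlogon_auth_t auth;

    session_create(&good, rnd);

    logon_request_t r1 = request_from_session(&bad);
    logon_request_t r2 = request_from_session(&good);
    printf("uninitialized session: rc=%d\n", copy_challenge_checked(&auth, &r1));
    printf("initialized session:   rc=%d\n", copy_challenge_checked(&auth, &r2));
    return 0;
}
```

The unchecked variant is never called on the NULL path in main; calling it with the uninitialized session reproduces the segfault rather than an error return, which is exactly the difference the patch makes.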
Updated by Electric Monk over 8 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit f9bc6dadd79442185db5c8eb201c7475554fc7d7
commit f9bc6dadd79442185db5c8eb201c7475554fc7d7
Author: Dmitry.Savitsky@nexenta.com <none@none>
Date:   2014-11-11T03:40:49.000Z

    5215 smbd core dump with missing negotiate challenge
    Reviewed by: Gordon Ross <gwr@nexenta.com>
    Reviewed by: Marcel Telka <marcel.telka@nexenta.com>
    Reviewed by: Dan McDonald <danmcd@nexenta.com>
    Reviewed by: Albert Lee <trisk@nexenta.com>
    Approved by: Robert Mustacchi <rm@joyent.com>