diff options
author | Volker Lendecke <vl@samba.org> | 2010-10-06 18:24:13 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-10-07 19:47:35 +0000 |
commit | fd9effce2bb981207a0662707c30e50100059c06 (patch) | |
tree | a4083cc30288b58aeb11b6141c44210f29bad827 /source3/smbd | |
parent | fb75355263c16ce17dadd483f0ad40e7c31846f4 (diff) | |
download | samba-fd9effce2bb981207a0662707c30e50100059c06.tar.gz samba-fd9effce2bb981207a0662707c30e50100059c06.tar.bz2 samba-fd9effce2bb981207a0662707c30e50100059c06.zip |
s3: Fix the async echo responder for netbios keepalives
This fixes a crash in the echo responder when the client started to send the
NetBIOS-Level 0x85-style keepalive packets. We did not correctly check the
packet length, so the code writing the signing seqnum overwrote memory after
the malloc'ed area for the 4 byte keepalive packet.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Oct 7 19:47:35 UTC 2010 on sn-devel-104
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/process.c | 33 |
1 files changed, 23 insertions, 10 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 07fa67477d..763ee56747 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -2610,6 +2610,14 @@ static bool smbd_echo_reply(uint8_t *inbuf, size_t inbuf_len, char *outbuf; bool ok; + if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) { + DEBUG(10, ("Got netbios keepalive\n")); + /* + * Just swallow it + */ + return true; + } + if (inbuf_len < smb_size) { DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len)); return false; @@ -2747,13 +2755,6 @@ static void smbd_echo_reader(struct tevent_context *ev, exit(1); } - /* - * place the seqnum in the packet so that the main process can reply - * with signing - */ - SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field, seqnum); - SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK)); - reply = smbd_echo_reply((uint8_t *)state->pending[num_pending].iov_base, state->pending[num_pending].iov_len, seqnum); @@ -2763,10 +2764,22 @@ static void smbd_echo_reader(struct tevent_context *ev, state->pending = talloc_realloc(state, state->pending, struct iovec, num_pending); - } else { - DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid())); - smbd_echo_activate_writer(state); + return; + } + + if (state->pending[num_pending].iov_len >= smb_size) { + /* + * place the seqnum in the packet so that the main process + * can reply with signing + */ + SIVAL((uint8_t *)state->pending[num_pending].iov_base, + smb_ss_field, seqnum); + SIVAL((uint8_t *)state->pending[num_pending].iov_base, + smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK)); } + + DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid())); + smbd_echo_activate_writer(state); } static void smbd_echo_loop(struct smbd_server_connection *sconn, |