authorVolker Lendecke <vl@samba.org>2010-10-06 18:24:13 +0200
committerJeremy Allison <jra@samba.org>2010-10-07 19:47:35 +0000
commitfd9effce2bb981207a0662707c30e50100059c06 (patch)
treea4083cc30288b58aeb11b6141c44210f29bad827 /source3/smbd
parentfb75355263c16ce17dadd483f0ad40e7c31846f4 (diff)
s3: Fix the async echo responder for netbios keepalives
This fixes a crash in the echo responder when the client started to send the NetBIOS-Level 0x85-style keepalive packets. We did not correctly check the packet length, so the code writing the signing seqnum overwrote memory after the malloc'ed area for the 4 byte keepalive packet. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Thu Oct 7 19:47:35 UTC 2010 on sn-devel-104
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/process.c33
1 files changed, 23 insertions, 10 deletions
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 07fa67477d..763ee56747 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2610,6 +2610,14 @@ static bool smbd_echo_reply(uint8_t *inbuf, size_t inbuf_len,
char *outbuf;
bool ok;
+ if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) {
+ DEBUG(10, ("Got netbios keepalive\n"));
+ /*
+ * Just swallow it
+ */
+ return true;
+ }
+
if (inbuf_len < smb_size) {
DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
return false;
@@ -2747,13 +2755,6 @@ static void smbd_echo_reader(struct tevent_context *ev,
exit(1);
}
- /*
- * place the seqnum in the packet so that the main process can reply
- * with signing
- */
- SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field, seqnum);
- SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
-
reply = smbd_echo_reply((uint8_t *)state->pending[num_pending].iov_base,
state->pending[num_pending].iov_len,
seqnum);
@@ -2763,10 +2764,22 @@ static void smbd_echo_reader(struct tevent_context *ev,
state->pending = talloc_realloc(state, state->pending,
struct iovec,
num_pending);
- } else {
- DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
- smbd_echo_activate_writer(state);
+ return;
+ }
+
+ if (state->pending[num_pending].iov_len >= smb_size) {
+ /*
+ * place the seqnum in the packet so that the main process
+ * can reply with signing
+ */
+ SIVAL((uint8_t *)state->pending[num_pending].iov_base,
+ smb_ss_field, seqnum);
+ SIVAL((uint8_t *)state->pending[num_pending].iov_base,
+ smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
}
+
+ DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
+ smbd_echo_activate_writer(state);
}
static void smbd_echo_loop(struct smbd_server_connection *sconn,
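Review bot: The `iov_len >= smb_size` guard around the two SIVAL calls in smbd_echo_reader is correct only because smb_ss_field+8 (the end of the second 4-byte write) lies inside an smb_size header, and the code leaves that relationship implicit; a one-line comment such as `/* both SIVALs end at smb_ss_field+8, inside the smb_size header checked above */` would record why this is the right bound. A packet shorter than smb_size that is not a 4-byte keepalive now reaches smbd_echo_activate_writer without a seqnum stamped, so whatever reads the seqnum back out of smb_ss_field in the parent presumably needs the same length check; that code is outside this diff and is worth confirming. In the first hunk the `Just swallow it` comment could state the reason: `/* NetBIOS session keepalive: no SMB header follows, so there is nothing to answer and the signing fields must not be written into a 4-byte buffer */`. smbd_echo_reader's body starts outside the hunk.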