From: Volker Lendecke
Date: Wed, 6 Oct 2010 16:24:13 +0000 (+0200)
Subject: s3: Fix the async echo responder for netbios keepalives
X-Git-Url: http://git.samba.org/?p=obnox%2Fsamba-ctdb.git;a=commitdiff_plain;h=dfebc94185e5ca1fc6e7971f8c71cd377c5a4f32

s3: Fix the async echo responder for netbios keepalives

This fixes a crash in the echo responder when the client started to send the NetBIOS-Level 0x85-style keepalive packets. We did not correctly check the packet length, so the code writing the signing seqnum overwrote memory after the malloc'ed area for the 4 byte keepalive packet.
---
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 36f31dfed6..cf50417cff 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2267,6 +2267,14 @@ static bool smbd_echo_reply(int fd,
 	char *outbuf;
 	bool ok;
 
+	if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) {
+		DEBUG(10, ("Got netbios keepalive\n"));
+		/*
+		 * Just swallow it
+		 */
+		return true;
+	}
+
 	if (inbuf_len < smb_size) {
 		DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
 		return false;
@@ -2400,13 +2408,6 @@ static void smbd_echo_reader(struct tevent_context *ev,
 		exit(1);
 	}
 
-	/*
-	 * place the seqnum in the packet so that the main process can reply
-	 * with signing
-	 */
-	SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field, seqnum);
-	SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
-
 	reply = smbd_echo_reply(smbd_server_fd(),
				(uint8_t *)state->pending[num_pending].iov_base,
				state->pending[num_pending].iov_len,
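Review bot: The `Just swallow it` comment in the new keepalive branch of smbd_echo_reply does not say what returning true means to the caller, which is the non-obvious part: in smbd_echo_reader a true result removes the packet from the pending queue and returns, so the 4-byte keepalive is neither forwarded to the main process nor reaches the seqnum write that used to overflow it. I would replace the comment with `/* A NetBIOS session keepalive has no SMB header to sign or forward; report it as handled so the caller discards it. */`. The CVAL read touches only byte 0 of a buffer already known to be exactly 4 bytes long, so the new check is in bounds; any keepalive-looking byte in a packet of another length still falls through to the existing smb_size check. smbd_echo_reply's body continues past the hunk.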
@@ -2417,10 +2418,22 @@ static void smbd_echo_reader(struct tevent_context *ev,
 		state->pending = talloc_realloc(state, state->pending, struct iovec, num_pending);
-	} else {
-		DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
-		smbd_echo_activate_writer(state);
+		return;
+	}
+
+	if (state->pending[num_pending].iov_len >= smb_size) {
+		/*
+		 * place the seqnum in the packet so that the main process
+		 * can reply with signing
+		 */
+		SIVAL((uint8_t *)state->pending[num_pending].iov_base,
+		      smb_ss_field, seqnum);
+		SIVAL((uint8_t *)state->pending[num_pending].iov_base,
+		      smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
 	}
+
+	DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
+	smbd_echo_activate_writer(state);
 }
 
 static void smbd_echo_loop(struct smbd_server_connection *sconn,
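Review bot: The new `iov_len >= smb_size` guard in smbd_echo_reader means a short, non-keepalive packet is now forwarded to the main process with no seqnum written, and nothing at the forward site says so; a reader has to cross-reference the `inbuf_len < smb_size` check in smbd_echo_reply to see that the two cases line up. I would add above the guard `/* smbd_echo_reply() already refused packets shorter than smb_size; they have no room for a seqnum, so forward them untouched and let the main process deal with them. */`. The guard is sufficient for the two 4-byte SIVAL writes only because smb_ss_field+8 fits inside an smb_size header, which I believe holds for the SMB header layout but is worth stating next to the check. smbd_echo_reader begins before this hunk, and the first context line appears to have been joined from more than one source line by the extraction.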