There is an input validation error in "nmbd" of Samba 2.2.0 and earlier, which can cause a segmentation fault. The failure first occurred when a Macintosh SMB client "DAVE 2.5.2" tried to share files in the same workgroup. The problem is that DAVE claims the packet contains 0x3584 bytes of data. "nmbd" relies on this and tries (in source/nmbd/nmbd_packets.c) to read from unallocated memory. This probably can be used for a DoS attack against Samba servers.

I have solved the problem by comparing the claimed length with the "header.dgm_length" entry of the packet. I don't know whether there is an "official" way for input validation in "nmbd", but this one works.

I have attached an example of a deadly packet (snoop -v -x0) and the patch file (diff -C4 source/nmbd/nmbd_packets.c.orig source/nmbd/nmbd_packets.c).

My server is a Sun UltraSPARC 1 box running Solaris 7 (SunOS 2.7). I have compiled Samba 2.2.0 using gcc version 2.95.2.

Except for this little problem last week, Samba has done a very good service for me over the last years.

Thank you!

Claudius Peschke
cpe@sunkist.physik.uni-frankfurt.de

-----------------------------------------

diff -C4 source/nmbd/nmbd_packets.c.orig source/nmbd/nmbd_packets.c
*** source/nmbd/nmbd_packets.c.orig	Mon Jan  8 21:37:45 2001
--- source/nmbd/nmbd_packets.c	Tue May  8 13:50:36 2001
***************
*** 1253,1267 ****
      return;
    }
    buf = &dgram->data[0];
!   buf -= 4; /* XXXX for the pseudo tcp length - someday I need to get rid of this */
    if (CVAL(buf,smb_com) != SMBtrans)
      return;
    len = SVAL(buf,smb_vwv11);
    buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);
    DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d\n",
           nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),
--- 1253,1273 ----
      return;
    }
    buf = &dgram->data[0];
!   buf -= sizeof(int); /* XXXX for the pseudo tcp length - someday I need to get rid of this */
    if (CVAL(buf,smb_com) != SMBtrans)
      return;
    len = SVAL(buf,smb_vwv11);
+   if (len > dgram->header.dgm_length + sizeof(int) - smb_vwv12)
+   {
+     DEBUG(5,("process_dgram: ignoring dgram packet from %s with invalid length=%d\n",
+              inet_ntoa(p->ip), len));
+     return;
+   }
    buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);
    DEBUG(4,("process_dgram: datagram from %s to %s IP %s for %s of type %d len=%d\n",
           nmb_namestr(&dgram->source_name),nmb_namestr(&dgram->dest_name),

-----------------------------------------

snoop -v -x0

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 15:42:14.17
ETHER:  Packet size = 253 bytes
ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER:  Source      = 0:a0:d2:11:9f:fb,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 239 bytes
IP:   Identification = 62235
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 60 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = d3ee
IP:   Source address = 141.2.46.112, mikro3mac.physik.uni-frankfurt.de
IP:   Destination address = 141.2.46.127, 141.2.46.127
IP:   No options
IP:
UDP:  ----- UDP Header -----
UDP:
UDP:  Source port = 138
UDP:  Destination port = 138
UDP:  Length = 219
UDP:  Checksum = DB40
UDP:

           0: ffff ffff ffff 00a0 d211 9ffb 0800 4500    ..............E.
          16: 00ef f31b 4000 3c11 d3ee 8d02 2e70 8d02    ..?.@.<......p..
          32: 2e7f 008a 008a 00db db40 1102 02fa 8d02    .........@......
          48: 2e70 008a 00c5 0000 2045 4e45 4245 4443    .p...... ENEBEDC
          64: 4145 4844 4443 4144 4243 4143 4143 4143    AEHDDCADBCACACAC
          80: 4143 4143 4143 4143 4100 2045 4e45 4a45    ACACACACA. ENEJE
          96: 4c46 4345 5046 4845 4645 4d45 4d45 4645    LFCEPFHEFEMEMEFE
         112: 4f43 4143 4143 4143 4142 4e00 ff53 4d42    OCACACACABN..SMB
         128: 2500 0000 0000 0000 0000 0000 0000 0000    %...............
         144: 0000 0000 0000 0000 0000 0000 1100 002b    ...............+
         160: 0000 0000 0000 0000 0000 0000 0000 0000    ................
         176: 0000 0084 3556 0003 0001 0001 0002 003c    ....5V.........<
         192: 005c 4d41 494c 534c 4f54 5c42 524f 5753    .\MAILSLOT\BROWS
         208: 4500 0101 a0bb 0d00 4d41 4320 4733 2031    E.......MAC G3 1
         224: 0000 0000 0000 0000 0400 0322 4100 1504    ..........."A...
         240: 55aa 4d61 6320 4733 2028 3129 00           U.Mac G3 (1).
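Review bot: the added check bounds only the claimed count in vwv11 and never the data offset value `SVAL(buf,smb_vwv12)` that the very next line, `buf2 = smb_base(buf) + SVAL(buf,smb_vwv12);`, turns into a pointer, so a datagram whose offset field points past the received bytes still takes buf2 outside the buffer. The comparison is also fragile as written: the right-hand side subtracts the constant smb_vwv12 (the position of that field in the header) rather than the offset value read from it, and the sizeof(int) term makes the whole expression unsigned, so for a short datagram `dgram->header.dgm_length + sizeof(int) - smb_vwv12` wraps to a huge value and the check goes silent exactly when it is needed, while len (printed with %d, so signed) is converted to unsigned for the comparison. Suggest reading the offset first and checking both values against the bytes actually present, in one signed/unsigned domain, along the lines of `off = SVAL(buf,smb_vwv12); if (off > avail || len > avail - off) return;` where avail is the real datagram length. Separately, the change from `buf -= 4;` to `buf -= sizeof(int);` is unrelated to the fix and ties the 4-byte pseudo TCP length, a wire-format constant, to the size of a host type; keep the literal 4 (or a named constant) and leave that line out of the patch.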
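The check the report describes, as an added example that is neither the reporter's patch nor Samba's code: it reads DataCount (vwv11) and DataOffset (vwv12) from a constructed SMBtrans datagram and rejects the packet when either value reaches past the bytes actually received, which is the condition the 0x3584 claim in the dump triggers. The struct datagram, build_trans, check_trans_lengths and verdict_for names are assumptions made for this illustration; the field offsets follow the smb_com / smb_vwvN (33 + 2N) layout nmbd uses; the constructed packet is simplified (no mailslot name before the data) and carries a 43-byte payload, which is what the dump's TotalDataCount field (0x002b at vwv1) says the real data length is.

```c
/* Added example: validate SMBtrans DataCount/DataOffset against the bytes a
 * datagram really contains. Not Samba code; struct and function names are
 * assumptions for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets inside an SMB header, counted from the 0xFF 'S' 'M' 'B' signature.
 * Same convention as nmbd's smb_com / smb_vwvN: smb_vwvN = 33 + 2N. */
#define SMB_COM     4
#define SMB_WCT     32
#define SMB_VWV(n)  (33 + 2 * (n))
#define SMBTRANS    0x25

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void     put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

enum dgram_verdict { DGRAM_OK = 0, DGRAM_NOT_TRANS = 1, DGRAM_BAD_LENGTH = 2 };

/* Hypothetical stand-in for nmbd's dgram_packet: the SMB bytes the datagram
 * carried plus their true length (nmbd keeps the latter in header.dgm_length). */
struct datagram {
    const uint8_t *smb;   /* points at 0xFF 'S' 'M' 'B' */
    size_t         len;   /* bytes actually present from smb onwards */
};

/* Check the claimed data count and data offset BEFORE anything is read at
 * smb + DataOffset. Both values are trusted only if they fit in d->len. */
enum dgram_verdict check_trans_lengths(const struct datagram *d,
                                       size_t *data_off, size_t *data_len)
{
    /* The header and vwv0..vwv12 must be present before the fields are read. */
    if (d->len < (size_t)SMB_VWV(13))
        return DGRAM_BAD_LENGTH;
    if (d->smb[SMB_COM] != SMBTRANS)
        return DGRAM_NOT_TRANS;

    size_t off = get_le16(d->smb + SMB_VWV(12));   /* DataOffset */
    size_t cnt = get_le16(d->smb + SMB_VWV(11));   /* DataCount: 0x3584 in the report */

    /* Done in size_t, subtracting only after off <= len, so nothing can wrap. */
    if (off > d->len || cnt > d->len - off)
        return DGRAM_BAD_LENGTH;

    if (data_off) *data_off = off;
    if (data_len) *data_len = cnt;
    return DGRAM_OK;
}

/* Build a minimal, constructed SMBtrans datagram: header, 17 parameter words,
 * a 2-byte byte count, then payload_len bytes of data. claimed_count is what
 * DataCount (vwv11) will say; DataOffset is set to where the data really starts.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t build_trans(uint8_t *buf, size_t cap, uint16_t claimed_count, size_t payload_len)
{
    size_t hdr = SMB_VWV(17) + 2;          /* 33 + 17 words + byte count = 69 */
    if (cap < hdr + payload_len || payload_len > 0xffff)
        return 0;
    memset(buf, 0, hdr + payload_len);
    buf[0] = 0xff; buf[1] = 'S'; buf[2] = 'M'; buf[3] = 'B';
    buf[SMB_COM] = SMBTRANS;
    buf[SMB_WCT] = 17;
    put_le16(buf + SMB_VWV(1),  (uint16_t)payload_len);  /* TotalDataCount */
    put_le16(buf + SMB_VWV(11), claimed_count);          /* DataCount (attacker/client controlled) */
    put_le16(buf + SMB_VWV(12), (uint16_t)hdr);          /* DataOffset */
    put_le16(buf + SMB_VWV(17), (uint16_t)payload_len);  /* ByteCount */
    memset(buf + hdr, 0xAA, payload_len);                /* constructed payload */
    return hdr + payload_len;
}

/* Convenience: build a packet with the given claim and real payload and return
 * the validator's verdict as an int. */
int verdict_for(uint16_t claimed_count, size_t payload_len)
{
    uint8_t pkt[512];
    size_t n = build_trans(pkt, sizeof pkt, claimed_count, payload_len);
    if (n == 0)
        return -1;
    struct datagram d = { pkt, n };
    return (int)check_trans_lengths(&d, NULL, NULL);
}

int main(void)
{
    printf("honest DataCount (43 of 43 bytes): verdict %d\n", verdict_for(43, 43));
    printf("DAVE-style DataCount 0x3584 over 43 bytes: verdict %d\n", verdict_for(0x3584, 43));
    printf("off-by-one claim (44 of 43 bytes): verdict %d\n", verdict_for(44, 43));
    return 0;
}
```

The verdict 2 (DGRAM_BAD_LENGTH) for the 0x3584 case is the point where nmbd would log and drop the datagram instead of reading beyond it; the off-by-one case shows that the comparison is exact, not just a sanity limit.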