s3: smbd: init_smb1_request() isn't being passed zero'ed memory from any codepath.

If a client does a SMB1 NEGPROT followed by SMB1 TCON
then req->session is left uninitialized.

Show this causes a crash by deliberately initializing
req->session to an invalid pointer. This will be removed
once the test shows the crash, and the fix is added to
cause init_smb1_request() to zero the memory passed in.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432

Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Noel Power <[email protected]>
jrasamba authored and Noel Power committed Aug 15, 2023
1 parent dc7b48c commit f02f74e
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions source3/smbd/smb2_process.c
Expand Up @@ -760,6 +760,7 @@ bool init_smb1_request(struct smb_request *req,
req->smb2req = NULL;
req->chain = NULL;
req->posix_pathnames = lp_posix_pathnames();
req->session = (void *)0xDEADBEEF;

/* Ensure we have at least wct words and 2 bytes of bcc. */
if (smb_size + req->wct*2 > req_size) {
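Review bot: The added `req->session = (void *)0xDEADBEEF;` carries no comment in the code marking it as a temporary poison value, so at this commit every SMB1 request leaves init_smb1_request() with a non-NULL garbage session pointer and nothing in the source explains why. Suggest a one-line comment directly above it, for example `/* Temporary: force the uninitialized req->session crash, see bug 15432 */`, so that a bisect or backport landing on this commit is not misread. When the follow-up fix zeroes the memory passed in, it should do so before these per-field assignments, so that `smb2req`, `chain` and `session` all start from a known state instead of depending on each field being listed by hand.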