Only checks the signature for the first pdu in a compound.

Minor issue, as far as I can tell not exploitable, but looks funny.


Apply this patch to libsmb2 and run this for a reproducer:
diff --git a/lib/libsmb2.c b/lib/libsmb2.c
index d17e72b..244cab6 100644
--- a/lib/libsmb2.c
+++ b/lib/libsmb2.c
@@ -1985,6 +1985,7 @@ smb2_getinfo_async(struct smb2_context *smb2,
const char *path,
                 smb2_free_pdu(smb2, pdu);
                 return -1;
         }
+        next_pdu->header.protocol_id[3] = 0xaa;
         smb2_add_compound_pdu(smb2, pdu, next_pdu);

         /* CLOSE command */
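Review bot: The added line `next_pdu->header.protocol_id[3] = 0xaa;` overwrites the last byte of the second PDU's 4-byte protocol identifier (the 0xFE 'S' 'M' 'B' magic), not the 16-byte Signature field, and it carries no comment saying this is a deliberate corruption for the reproducer; as written it reads like an accidental stray assignment right before `smb2_add_compound_pdu()`. Suggest a one-line comment such as `/* reproducer: corrupt the protocol id of the 2nd PDU in the compound */` so the intent and the field being mangled are both explicit.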


./examples/smb2-stat-sync smb://server/Share


What it basically does is it corrupts the SMB2 signature for the
second PDU in the
Create/GetInfo/Close compound.

Wireshark is fine with this and still decodes the PDU even though it
has the signature 0xfe 'S' 'M' 0xaa


The bug is that it only checks the signature for the first PDU:

int ksmbd_verify_smb_message(struct ksmbd_work *work)
{
	struct smb2_hdr *smb2_hdr = work->request_buf;

	/* Only the header at the start of the request buffer is looked at;
	 * later PDUs in a compound are never reached. */
	if (smb2_hdr->ProtocolId == SMB2_PROTO_NUMBER)
		return ksmbd_smb2_check_message(work);

	return 0;
}


Funny thing is that ksmbd responds with the same bogus signature in
the second PDU in the compound.
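An added example to illustrate the difference between checking only the head of a compound request and walking every PDU in it. This is illustrative code written for this page; it is not from this post, from libsmb2 or from ksmbd. It treats the field under test as the 4-byte protocol identifier that the quoted ksmbd_verify_smb_message() compares against SMB2_PROTO_NUMBER (the 0xfe 'S' 'M' 0xaa the post mentions), not the 16-byte Signature field. The chain walk follows the on-wire SMB2 header layout (NextCommand at offset 20, relative to the current header, 0 for the last PDU); the Create/QueryInfo/Close request bodies are zeroed placeholders and the buffer is constructed inline, so the only thing being exercised is the header check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SMB2_HDR_SIZE    64
#define SMB2_CREATE      0x0005
#define SMB2_CLOSE       0x0006
#define SMB2_QUERY_INFO  0x0010
#define SMB2_FLAGS_RELATED_OPERATIONS 0x00000004

/* Field offsets in the 64-byte SMB2 sync header (MS-SMB2 2.2.1.2). */
#define OFF_PROTOCOL_ID    0
#define OFF_STRUCTURE_SIZE 4
#define OFF_COMMAND       12
#define OFF_FLAGS         16
#define OFF_NEXT_COMMAND  20
#define OFF_MESSAGE_ID    24

static const uint8_t SMB2_MAGIC[4] = { 0xFE, 'S', 'M', 'B' };

/* Little-endian accessors so the layout does not depend on host byte order. */
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }

/* The behaviour the post describes: only the header at the start of the
 * request buffer is examined. Returns 1 if it carries the SMB2 magic. */
int check_first_pdu_only(const uint8_t *buf, size_t len)
{
    if (len < SMB2_HDR_SIZE)
        return 0;
    return memcmp(buf + OFF_PROTOCOL_ID, SMB2_MAGIC, 4) == 0;
}

/* Follow the NextCommand chain and validate every PDU. Returns 0 when all
 * headers are well-formed, otherwise the 1-based index of the first PDU
 * that fails: bad magic, bad StructureSize, or a NextCommand that is
 * unaligned, steps backwards/over itself, or leaves no room for a header. */
int check_all_pdus(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int idx = 0;

    for (;;) {
        const uint8_t *h = buf + off;
        uint32_t next;

        idx++;
        if (len - off < SMB2_HDR_SIZE)            /* header does not fit */
            return idx;
        if (memcmp(h + OFF_PROTOCOL_ID, SMB2_MAGIC, 4) != 0)
            return idx;
        if (get_le16(h + OFF_STRUCTURE_SIZE) != SMB2_HDR_SIZE)
            return idx;
        next = get_le32(h + OFF_NEXT_COMMAND);
        if (next == 0)                            /* last PDU in the chain */
            return 0;
        /* Relative to this header: must skip at least this header, be
         * 8-byte aligned, and leave a full header at the target. */
        if (next % 8 != 0 || next < SMB2_HDR_SIZE || next > len - off - SMB2_HDR_SIZE)
            return idx;
        off += next;
    }
}

/* Write one PDU (real header + body_len zeroed placeholder bytes) at
 * buf + off. Returns its length padded to 8, i.e. the NextCommand value. */
static size_t write_pdu(uint8_t *buf, size_t off, uint16_t cmd, uint64_t mid,
                        size_t body_len, int last)
{
    size_t total = (SMB2_HDR_SIZE + body_len + 7) & ~(size_t)7;
    uint8_t *h = buf + off;

    memset(h, 0, total);
    memcpy(h + OFF_PROTOCOL_ID, SMB2_MAGIC, 4);
    put_le16(h + OFF_STRUCTURE_SIZE, SMB2_HDR_SIZE);
    put_le16(h + OFF_COMMAND, cmd);
    put_le32(h + OFF_FLAGS, off == 0 ? 0 : SMB2_FLAGS_RELATED_OPERATIONS);
    put_le32(h + OFF_NEXT_COMMAND, last ? 0 : (uint32_t)total);
    put_le32(h + OFF_MESSAGE_ID, (uint32_t)mid);
    put_le32(h + OFF_MESSAGE_ID + 4, (uint32_t)(mid >> 32));
    return total;
}

/* Constructed Create/QueryInfo/Close compound shaped like the reproducer's
 * request. With corrupt_second set, the last magic byte of the second PDU
 * becomes 0xaa, as the libsmb2 patch does. Returns total length, 0 if the
 * buffer is too small. */
size_t build_compound(uint8_t *buf, size_t cap, int corrupt_second)
{
    size_t off = 0, second;

    if (cap < 512)
        return 0;
    off += write_pdu(buf, off, SMB2_CREATE, 1, 57, 0);     /* 64 + 57 -> 128 */
    second = off;
    off += write_pdu(buf, off, SMB2_QUERY_INFO, 2, 41, 0); /* 64 + 41 -> 112 */
    off += write_pdu(buf, off, SMB2_CLOSE, 3, 24, 1);      /* 64 + 24 -> 88  */
    if (corrupt_second)
        buf[second + OFF_PROTOCOL_ID + 3] = 0xaa;           /* 0xFE 'S' 'M' 0xaa */
    return off;
}

int main(void)
{
    uint8_t buf[512];
    size_t n = build_compound(buf, sizeof buf, 1);

    printf("first-only check: %s\n", check_first_pdu_only(buf, n) ? "accepted" : "rejected");
    printf("full-chain check: failing PDU #%d\n", check_all_pdus(buf, n));
    return 0;
}
```

With the corrupted compound the first-only check accepts the request while the chain walk stops at PDU 2; the walk also refuses a NextCommand that would run past the end of the buffer, which is the bounds check any server-side iteration over a compound needs before it touches the later headers.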



