
s3:rpcclient - fix NULL deref caused by user error with chgpasswd3

I misremembered the arguments to pass to this one from the CLI and crashed it.

rpcclient $> chgpasswd3 smbuser Dogs1234
Segmentation fault (core dumped)
root@fbsd12:/usr/ports/net/samba # gdb /usr/local/bin/rpcclient rpcclient.core
Core was generated by `rpcclient //192.168.1.120 -U smbuser%Cats1234'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000080ea5bfaf in strlen () from /lib/libc.so.7
(gdb) bt
#0  0x000000080ea5bfaf in strlen () from /lib/libc.so.7
#1  0x0000000803757f63 in push_ucs2_talloc (ctx=0x0, dest=0x7fffffffe130, src=0x0, 
    converted_size=0x7fffffffe138) at ../../lib/util/charset/pull_push.c:41
#2  0x0000000805a7f563 in E_md4hash (passwd=0x0, p16=0x7fffffffe1c0 ",\265\343\030\307Q=\326")
    at ../../libcli/auth/smbencrypt.c:89
#3  0x00000000010a2db3 in dcerpc_samr_chgpasswd_user3 (h=0x80f70bc60, mem_ctx=0x80f6c83e0, 
    srv_name_slash=0x80f710590 "\\\\192.168.1.120", username=0x802dfe06b "smbuser", newpassword=0x0, 
    oldpassword=0x802dfe073 "Dogs1234", dominfo1=0x7fffffffe6d0, reject=0x7fffffffe6c8, 
    presult=0x7fffffffe680) at ../../source3/rpc_client/cli_samr.c:374
#4  0x00000000010a308d in rpccli_samr_chgpasswd_user3 (cli=<optimized out>, mem_ctx=0x7fffffffe130, 
    username=0x0, 
    newpassword=0xfefefefefefefeff <error: Cannot access memory at address 0xfefefefefefefeff>, 
    oldpassword=0x8080808080808080 <error: Cannot access memory at address 0x8080808080808080>, 
    dominfo1=0x0, reject=0x7fffffffe6c8) at ../../source3/rpc_client/cli_samr.c:451
#5  0x00000000010bbf54 in cmd_samr_chgpasswd3 (cli=0x80f7263e0, mem_ctx=0x80f6c83e0, 
    argc=<optimized out>, argv=<optimized out>) at ../../source3/rpcclient/cmd_samr.c:3070
#6  0x00000000010b3135 in do_cmd (cli=<optimized out>, auth_info=<optimized out>, 
    cmd_entry=<optimized out>, binding=<optimized out>, argc=3, argv=0x802dfe040)
    at ../../source3/rpcclient/rpcclient.c:916
#7  process_cmd (auth_info=<optimized out>, cli=<optimized out>, binding=<optimized out>, 
    cmd=<optimized out>) at ../../source3/rpcclient/rpcclient.c:971
#8  0x00000000010b2b6c in main (argc=<optimized out>, argv=<optimized out>)
    at ../../source3/rpcclient/rpcclient.c:1294

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Andrew Walker
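The backtrace shows the shape of the bug: cmd_samr_chgpasswd3 was entered with argc=3, so the missing argv entry reached dcerpc_samr_chgpasswd_user3 as newpassword=0x0 and E_md4hash ran strlen() on NULL. Below is an added example (not Samba's code and not this MR's patch) contrasting an unchecked handler with one that validates the argument count first; chgpasswd3_unchecked, chgpasswd3_checked and fake_password_digest are hypothetical stand-ins, and the command line is the constructed one from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a routine like E_md4hash(): it calls strlen()
 * on its input, so a NULL password crashes exactly like frames #0/#1 above. */
static uint32_t fake_password_digest(const char *passwd)
{
    uint32_t h = 2166136261u;         /* FNV-1a, illustrative only */
    size_t len = strlen(passwd);      /* passwd == NULL -> SIGSEGV here */
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)passwd[i];
        h *= 16777619u;
    }
    return h;
}

enum cmd_status { CMD_OK = 0, CMD_USAGE_ERROR = 1 };

/* Before: trusts the caller and indexes argv[3] regardless of argc.
 * "chgpasswd3 smbuser Dogs1234" gives argc == 3, so argv[3] is NULL. */
static enum cmd_status chgpasswd3_unchecked(int argc, char **argv,
                                            uint32_t *old_d, uint32_t *new_d)
{
    (void)argc;
    *old_d = fake_password_digest(argv[2]);
    *new_d = fake_password_digest(argv[3]);   /* NULL deref when argc == 3 */
    return CMD_OK;
}

/* After: reject the wrong argument count before any argv entry is used. */
static enum cmd_status chgpasswd3_checked(int argc, char **argv,
                                          uint32_t *old_d, uint32_t *new_d)
{
    if (argc != 4) {
        fprintf(stderr, "Usage: chgpasswd3 username oldpassword newpassword\n");
        return CMD_USAGE_ERROR;
    }
    *old_d = fake_password_digest(argv[2]);
    *new_d = fake_password_digest(argv[3]);
    return CMD_OK;
}

int main(void)
{   /* Constructed input: the exact mistyped command line from the report. */
    char *argv[] = { "chgpasswd3", "smbuser", "Dogs1234", NULL };
    uint32_t old_d, new_d;
    return chgpasswd3_checked(3, argv, &old_d, &new_d) == CMD_USAGE_ERROR ? 0 : 1;
}
```

The unchecked variant is kept only to show the failing path; calling it with the three-argument line reproduces the crash rather than a usage error.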
