Red Hat Bugzilla – Bug 389021
Critical Regression caused by CVE-2007-4572
Last modified: 2010-10-22 16:32:41 EDT
Description of problem:
When either a directory listing of a share using a wildcard (e.g.,
"ls /mnt/share/redhat*") or a directory listing (e.g., "ls /mnt/share") is
entered, the action generates trans2 error messages in the client and the
following in the server:
[2007/11/16 17:47:14, 0] lib/fault.c:dump_core(181)
dumping core in /var/log/samba/cores/smbd
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033)
192.168.1.14 (192.168.1.14) connect to service ben initially as user ben
(uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:47:14, 0] lib/util.c:log_stack_trace(1758)
BACKTRACE: 12 stack frames:
#0 smbd(log_stack_trace+0x1c) [0x555555776cdc]
#1 smbd(smb_panic+0x43) [0x555555776dc3]
#2 smbd(push_ascii+0x113) [0x555555762893]
#3 smbd [0x5555556037c9]
#4 smbd [0x555555606eb3]
#5 smbd(handle_trans2+0x25e) [0x55555560a12e]
#6 smbd(reply_trans2+0x6ec) [0x55555561077c]
#7 smbd [0x555555629384]
#8 smbd(smbd_process+0x7b1) [0x55555562a321]
#9 smbd(main+0xa20) [0x55555582b2d0]
#10 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2aaaad3728a4]
#11 smbd [0x5555555bc009]
This problem ONLY occurs in Linux-to-Linux transfers. I have not been able to
detect a problem with Linux-Windows transactions. Also, if you enter a complete
qualified file name (e.g., "ls /mnt/<SHARE>/mytest.png"), the process works
perfectly without errors.
Version-Release number of selected component (if applicable):
This occurs if the client is samba-3.0.9-1.3E.14.1 in RHEL 3 and if the server
is samba-3.0.25b-1 in RHEL 5 or samba-3.0.9-1.3E.14.1 in RHEL3. This problem is
alleviated if the previous version is installed.
Again, client in samba-3.0.25b-1 in RHEL 5 does not exhibit this issue.
Completely hardware independent.
Note the RHEL5 client does not exhibit this problem.
Steps to Reproduce:
1. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" work before update.
2. Update samba on RHEL3 to latest rpm.
3. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" hang after update.
Error messages, no returned results.
Note (possibly completely unrelated): the samba patch as released caused a bad
nmbd failure on Ubuntu, and I understand they released a second update.
Upstream we have a patch, starting testing to ensure all is ok.
And just for the record, Ubuntu "fixed" this problem by completely reverting
the security fix, so their packages are now vulnerable.
1) On RHEL3 smbclient works fine, but smbmount doesn't.
2) On RHEL4 the same problem occurs when I do a listing after "mount -t smbfs",
and ls after "mount -t cifs" works without errors.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
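
Added example (not part of the bug report and not Red Hat or Samba code): a triage script for an smbd log like the excerpt in the description. It joins each smb_panic record to the client connection logged for the same pid and extracts the named backtrace frames, so an administrator can see which clients and shares hit the push_ascii panic. The function names and regular expressions are assumptions based only on the record layout shown in that excerpt.

```python
import re

# Record layout as in the excerpt: "[date time, level] file.c:function(line)", then message lines.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] \S+:(?P<func>\w+)\(\d+\)$")
PANIC = re.compile(r"PANIC \(pid (?P<pid>\d+)\): (?P<reason>.+)")
CONNECT = re.compile(r"^(?P<host>\S+) \((?P<ip>[^)]+)\) connect to service (?P<service>.+?) "
                     r"initially as user (?P<user>\S+) .*\(pid (?P<pid>\d+)\)")
FRAME = re.compile(r"#\d+ \S+\((\w+)\+0x[0-9a-f]+\)")

# Abbreviated from the smbd log quoted in the bug description.
SAMPLE_LOG = """\
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033)
192.168.1.14 (192.168.1.14) connect to service ben initially as user ben
(uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:47:14, 0] lib/util.c:log_stack_trace(1758)
BACKTRACE: 12 stack frames:
#0 smbd(log_stack_trace+0x1c) [0x555555776cdc]
#1 smbd(smb_panic+0x43) [0x555555776dc3]
#2 smbd(push_ascii+0x113) [0x555555762893]
#3 smbd [0x5555556037c9]
#5 smbd(handle_trans2+0x25e) [0x55555560a12e]
"""

def parse_records(text):
    """Group the log into [function, joined message text] records."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append([m["func"], ""])
        elif records and line:
            records[-1][1] = (records[-1][1] + " " + line).strip()
    return records

def find_panics(text):
    """Return each smb_panic with the client connection (same pid) and named frames."""
    conns, panics = {}, []
    for func, body in parse_records(text):
        if func == "make_connection_snum" and (m := CONNECT.match(body)):
            conns[m["pid"]] = {k: m[k] for k in ("ip", "service", "user")}
        elif func == "smb_panic" and (m := PANIC.search(body)):
            panics.append({"pid": m["pid"], "reason": m["reason"],
                           "client": conns.get(m["pid"]), "frames": []})
        elif func == "log_stack_trace" and panics:
            # Frames without a symbol name (e.g. "#3 smbd [0x...]") are skipped.
            panics[-1]["frames"] = FRAME.findall(body)
    return panics
```

A panic whose frames include push_ascii and handle_trans2 matches the crash path reported here; "client" is None when the connection record for that pid is not in the scanned text.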