From: Jeremy Allison
Date: Sat, 12 Aug 2023 00:14:38 +0000 (-0700)
Subject: s3: smbd: init_smb1_request() isn't being passed zero'ed memory from any codepath.
X-Git-Tag: samba-4.17.11~40
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=098e5f240a5561a7d57d936d9d01eba8994fa91f;p=thirdparty%2Fsamba.git

s3: smbd: init_smb1_request() isn't being passed zero'ed memory from any codepath.

If a client does a SMB1 NEGPROT followed by SMB1 TCON then req->session is left uninitialized.

Show this causes a crash by deliberately initializing req->session to an invalid pointer. This will be removed once the test shows the crash, and the fix is added to cause init_smb1_request() to zero the memory passed in.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432

Signed-off-by: Jeremy Allison
Reviewed-by: Noel Power

(Back-ported from commit f02f74e931f5821c7b7c1be2b8f0fb60c9a69b19)
---
diff --git a/source3/smbd/smb2_process.c b/source3/smbd/smb2_process.c index ad4386e08a4..e003cbaf481 100644 --- a/source3/smbd/smb2_process.c +++ b/source3/smbd/smb2_process.c @@ -793,6 +793,7 @@ bool init_smb1_request(struct smb_request *req, req->smb2req = NULL; req->chain = NULL; req->posix_pathnames = lp_posix_pathnames(); + req->session = (void *)0xDEADBEEF; smb_init_perfcount_data(&req->pcd); /* Ensure we have at least wct words and 2 bytes of bcc. */
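Review bot: the added `req->session = (void *)0xDEADBEEF;` in init_smb1_request() is a deliberate poison pointer, not a fix, so this hunk must not be the final state of the tree: the commit message itself says it exists only to make the uninitialized-session crash reproducible in the test and is to be reverted once the follow-up makes init_smb1_request() zero the memory it is passed. The surrounding context shows why the field was uninitialized in the first place: the function assigns selected members one at a time (`req->smb2req = NULL;`, `req->chain = NULL;`, `req->posix_pathnames = lp_posix_pathnames();`), so any member not on that list, req->session among them, keeps whatever the caller's allocation happened to contain. The durable fix is to clear the whole struct at the top of the function, e.g. `ZERO_STRUCTP(req);` (Samba's macro) or `memset(req, 0, sizeof(*req));`, before the per-field assignments, which also covers any members added to struct smb_request later. Since this is a back-port tagged for samba-4.17.11, it is worth confirming that the reverting commit lands in the same series so no tagged release ships with the poison pointer.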