Hmmm. Interesting. cvs up will update it. However cvs diff doesn't report
any differences with the old sources (w/ panic). I always run diff before
updating, to avoid surprises.
Anyway, thanks,
Nikos
----- Original Message -----
From: "Alexander Malysh" <[email protected]>
To: "Nikos Balkanas" <[email protected]>
Cc: <[email protected]>
Sent: Tuesday, September 22, 2009 11:54 AM
Subject: Re: Bearerbox Panic after receiving CIFS/SMB request at smsbox-port
Hi,
don't know why you don't see my patch, cvs up?
here is committed patch again:
diff --git a/gw/msg.c b/gw/msg.c
index 8fb5017..23af584 100644
--- a/gw/msg.c
+++ b/gw/msg.c
@@ -232,8 +232,11 @@ Msg *msg_unpack_real(Octstr *os, const char *file,
long line, const char *func)
switch (msg->type) {
#include "msg-decl.h"
default:
- panic(0, "Internal error: unknown message type: %d",
+ error(0, "Internal error: unknown message type: %d",
msg->type);
+ msg->type = 0;
+ msg_destroy(msg);
+ return NULL;
}
return msg;
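Review bot: In the default branch, `return NULL` is a new return value for msg_unpack_real, so every caller now has to check for NULL before touching the result. The backtrace in this thread reaches this function from gw/bb_boxc.c:199, and that call site should close the box connection when it gets NULL. The `msg->type = 0;` line ahead of `msg_destroy(msg);` needs a one-line comment saying why the type is reset, since the reason is not visible in this hunk. The value being rejected comes from whatever a peer sends to the port, so the "Internal error" wording kept in the error() call is misleading; a message such as "unknown message type received" would describe the condition better.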
Thanks,
Alexander Malysh
On 22.09.2009 at 09:34, Nikos Balkanas wrote:
Hi Alex,
No problem. It was quite trivial. But I ask because I don't see the same
fix. Which file did you patch?
BR,
Nikos
----- Original Message -----
From: "Alexander Malysh" <[email protected]>
To: "Nikos Balkanas" <[email protected]>
Cc: <[email protected]>
Sent: Tuesday, September 22, 2009 10:30 AM
Subject: Re: Bearerbox Panic after receiving CIFS/SMB request at smsbox-port
Hi Nikos,
hmm I saw your patch after I committed my version. sorry...
Thanks,
Alexander Malysh
On 20.09.2009 at 21:58, Nikos Balkanas wrote:
Hi Alex,
Which one? I just sent a patch about the very same thing 10 hrs ago.
BR,
Nikos
----- Original Message -----
From: "Alexander Malysh" <[email protected]>
To: "Michael Zervakis" <[email protected]>
Cc: <[email protected]>
Sent: Sunday, September 20, 2009 9:21 PM
Subject: Re: Bearerbox Panic after receiving CIFS/SMB request at smsbox-port
Hi,
thanks for report. I just fixed this issue in cvs. Please retest.
Thanks,
Alexander Malysh
On 18.09.2009 at 17:00, Michael Zervakis wrote:
Dear all,
During testing of Bearerbox using version cvs-20090506 I found that
if smsbox socket receives a CIFS/SMB request bearerbox panics. This
means that a malicious user could easily crash bearerbox simply by
scanning the host (for example via nmap -sV).
2009-09-18 17:09:18 [2002] [5] DEBUG: Started thread 30 (gw/bb_boxc.c:function)
2009-09-18 17:09:18 [2002] [30] PANIC: Internal error: unknown message type: -11317950
2009-09-18 17:09:18 [2002] [30] PANIC: ./bearerbox(gw_panic +0xbc) [0x80d8fcc]
2009-09-18 17:09:18 [2002] [30] PANIC: ./bearerbox(msg_unpack_real +0x78) [0x8065c88]
2009-09-18 17:09:18 [2002] [30] PANIC: ./bearerbox [0x8057e50]
2009-09-18 17:09:18 [2002] [30] PANIC: ./bearerbox [0x80596b9]
2009-09-18 17:09:18 [2002] [30] PANIC: ./bearerbox [0x80cfafd]
2009-09-18 17:09:18 [2002] [30] PANIC: /lib/libpthread.so.0 [0xb7faa1b5]
2009-09-18 17:09:18 [2002] [30] PANIC: /lib/libc.so.6(clone +0x5e) [0xb7abd3be]
addr2line -e /usr/gateway/sbin/bearerbox 0x80d8fcc 0x8065c88 0x8057e50 0x80596b9 0x80cfafd 0xb7faa1b5 0xb7abd3be
/usr/src/packages/SOURCES/gateway/gwlib/log.c:542
/usr/src/packages/SOURCES/gateway/gw/msg.c:245
/usr/src/packages/SOURCES/gateway/gw/bb_boxc.c:199
/usr/src/packages/SOURCES/gateway/gw/bb_boxc.c:656
/usr/src/packages/SOURCES/gateway/gwlib/gwthread-pthread.c:135
??:0
??:0
Tcpdump
17:09:18.100983 IP 10.12.0.50.29000 > 172.31.1.48.4201: S 3500919925:3500919925(0) ack 739634900 win 5840 <mss 1460,nop,nop,sackOK>
17:09:18.101524 IP 172.31.1.48.4201 > 10.12.0.50.29000: . ack 1 win 65535
17:09:18.114337 IP 172.31.1.48.4201 > 10.12.0.50.29000: P 1:169(168) ack 1 win 65535
17:09:18.114348 IP 10.12.0.50.29000 > 172.31.1.48.4201: . ack 169 win 6432
17:09:18.116709 IP 10.12.0.50.29000 > 172.31.1.48.4201: F 1:1(0) ack 169 win 6432
Sincerely,
Michael Zervakis
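
Why an SMB probe ends up as "unknown message type: -11317950", shown as an added example that is not Kannel code and not part of the original thread. It assumes the smsbox connection frames each message as a 4-byte big-endian length followed by a packed message that starts with a 4-byte big-endian type; `ex_be32`, `ex_parse_header` and `EX_MSG_TYPE_COUNT` are hypothetical names, and the sample bytes are constructed from the way an SMB request begins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical number of valid message types; not Kannel's real enum. */
#define EX_MSG_TYPE_COUNT 5

/* Constructed sample: an SMB request over TCP starts with a 4-byte
 * session header (length 0xa4 here) followed by the magic "\xffSMB". */
static const unsigned char ex_smb_probe[] = {
    0x00, 0x00, 0x00, 0xa4, 0xff, 0x53, 0x4d, 0x42
};

/* Decode a big-endian 32-bit field as a signed integer. */
static int32_t ex_be32(const unsigned char *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    int64_t s = (v & 0x80000000u) ? (int64_t)v - 4294967296LL : (int64_t)v;
    return (int32_t)s;
}

/* Assumed framing: [4-byte length][4-byte type][rest of body].
 * Returns 0 for a plausible header, -1 otherwise. It never aborts,
 * because the bytes come from an unauthenticated peer. */
static int ex_parse_header(const unsigned char *buf, size_t len, int32_t *type)
{
    if (len < 8)
        return -1;                  /* no room for length + type */
    *type = ex_be32(buf + 4);       /* kept so the caller can log it */
    if (ex_be32(buf) < 4)
        return -1;                  /* body too short to hold a type */
    if (*type < 0 || *type >= EX_MSG_TYPE_COUNT)
        return -1;                  /* unknown type: reject the peer */
    return 0;
}

int main(void)
{
    int32_t type = 0;
    int rc = ex_parse_header(ex_smb_probe, sizeof ex_smb_probe, &type);

    /* The caller logs and drops the connection instead of panicking. */
    printf("rc=%d type=%d\n", rc, (int)type);
    return 0;
}
```

On the sample bytes the parser returns -1 and reports type -11317950, the same value as in the PANIC line of the report: the SMB magic is read as the message type.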