Description of problem:
I'm running samba3x (samba3x-3.6.6-0.139.el5_10) as a simple NT domain controller on CentOS 5.10, and found that sometimes the nmbd process gets stuck (eating 100% CPU and no longer responding to any request, making any domain login impossible). The only solution was to kill -9 this process and restart it. It was occurring randomly, so it was quite hard to troubleshoot, but after a few hours I finally identified what's causing it (well, at least I know a simple request from a client is enough to trigger it).
I'll attach:
- a strace of the process at the time the problem occurs. In this file the last line (recvfrom(12, 0xbfcff9c8, 576, 0, 0xbfcffc08, 0xbfcff988) = -1 EAGAIN (Resource temporarily unavailable)) is repeated indefinitely as long as the process isn't killed, producing several GB per hour in the strace file. I've truncated it to the interesting part.
- a pcap of the packet crashing nmbd (which you can replay with tcpreplay to reproduce the issue)
Version-Release number of selected component (if applicable):
How reproducible:
100% with the attached pcap
Steps to Reproduce:
1. You need a client with IP 192.168.7.50 and MAC 6c:62:6d:b0:25:42
2. The server running nmbd with IP 192.168.7.1 and MAC 52:54:00:7C:31:C4
(if you have different values you'll have to tweak the pcap with tcprewrite)
3. The NetBIOS name of the samba server should be SAS (it's contained in the pcap and needs to match the NetBIOS name of the server in order to trigger the issue)
4. Run nmbd (I'm running it with daemontools with /usr/sbin/nmbd -F -S but that probably doesn't matter)
5. Replay the attached pcap with tcpreplay -i eth0 nmbd_dos.pcap
Actual results:
nmbd will go into a loop, taking 100% of a core, and won't respond to any further requests, making it impossible to log in to the domain
Expected results:
nmbd should continue working as normal
Additional info:
Marking this a security issue as it makes it very easy to DoS a domain controller
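The report describes the stuck state as nmbd spinning at 100% CPU and answering nothing on UDP/137. The following script is an added example, not part of the original report or of Samba: it sends a single NetBIOS name query (RFC 1001/1002 first-level encoding, type NB) for the server's NetBIOS name and treats a timeout as "not responding", which is a cheap way to catch the hang from a monitoring host before users notice failed logins. The default target 192.168.7.1 and name SAS are taken from the report; a missing reply can also mean a firewall or a wrong name, so in practice pair this probe with a CPU check on the nmbd process.

```python
"""Probe an nmbd instance over UDP/137 and report whether it still answers
NetBIOS name queries.

Added example for the nmbd hang described above; not code from the bug
report or from Samba.  Defaults (host 192.168.7.1, NetBIOS name SAS) are
the values given in the report.
"""
import os
import socket
import struct
from typing import Optional

NBNS_PORT = 137
NB_RR_TYPE = 0x0020    # QTYPE NB (NetBIOS general name service RR)
NB_CLASS_IN = 0x0001   # QCLASS IN


def encode_netbios_name(name: str, suffix: int = 0x20) -> str:
    """RFC 1001/1002 first-level encoding of a NetBIOS name.

    The name is upper-cased and space-padded to 15 bytes, then the one-byte
    suffix is appended (0x20 = server service).  Each of the 16 bytes is
    split into two nibbles and each nibble is emitted as 'A' + nibble, so
    the result is always 32 characters from the range A..P.
    """
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    if len(raw) != 16:
        raise ValueError("NetBIOS names are at most 15 characters")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def build_name_query(name: str, txid: int, suffix: int = 0x20) -> bytes:
    """Build a unicast NBNS NAME QUERY REQUEST.

    Header: ID, flags 0x0100 (opcode QUERY, RD set, B clear because this is
    a unicast query to the server), QDCOUNT=1, AN/NS/ARCOUNT=0.
    Question: one 32-byte label, root terminator, QTYPE=NB, QCLASS=IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    label = encode_netbios_name(name, suffix).encode("ascii")
    question = (bytes([len(label)]) + label + b"\x00"
                + struct.pack("!HH", NB_RR_TYPE, NB_CLASS_IN))
    return header + question


def is_reply_to(data: bytes, txid: int) -> bool:
    """True if `data` is an NBNS response (QR bit set) for our transaction id."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)


def probe_nmbd(host: str, name: str, timeout: float = 2.0) -> bool:
    """Send one name query; return True if a matching reply arrives in time.

    A hung nmbd like the one in the report never answers, so this returns
    False after `timeout` seconds.  Unrelated datagrams are ignored.
    """
    txid: int = struct.unpack("!H", os.urandom(2))[0]
    pkt = build_name_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, NBNS_PORT))
        try:
            while True:
                data, _ = s.recvfrom(576)
                if is_reply_to(data, txid):
                    return True
        except socket.timeout:
            return False


if __name__ == "__main__":
    import sys
    target: str = sys.argv[1] if len(sys.argv) > 1 else "192.168.7.1"
    nb_name: str = sys.argv[2] if len(sys.argv) > 2 else "SAS"
    alive = probe_nmbd(target, nb_name)
    print(f"{target} ({nb_name}): {'responding' if alive else 'NOT responding'}")
    sys.exit(0 if alive else 1)
```

Run it as `python3 probe_nmbd.py 192.168.7.1 SAS` from a host that can reach UDP/137; a non-zero exit means no name reply within the timeout, which is exactly the symptom the report describes after the crafted packet is replayed.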