A malicious client could send packets that may set up the stack in such
a way that the freeing of memory in a subsequent anonymous netlogon
packet could allow execution of arbitrary code. This code would execute
with root privileges.
This flaw arises because an uninitialized pointer is passed to the
TALLOC_FREE() function. (Samba uses the embedded talloc library for
memory management and does not rely on the glibc malloc family.) It
can be exploited by calling the ServerPasswordSet RPC API on the
NetLogon endpoint, using a NULL session over IPC.
In Samba 4.1 and above, this crash can only be triggered after setting
"server schannel = yes" in the server configuration. This is due to
commit adbe6cba005a2060b0f641e91b500574f4637a36, which introduces NULL
initialization into the most common code path. It is still possible to
trigger an early return through a memory allocation failure, but that is
less likely to occur.
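To show why the NULL initialization matters, here is an added example in plain C (not Samba's code) that models the early-return path with a recording stand-in for talloc: the vulnerable handler hands a stale stack value to TALLOC_FREE(), while the hardened handler initializes the pointer to NULL so the same path frees nothing. The request struct, the handler names and the stub free routine are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
/* Stand-in for talloc (hypothetical, not Samba's code): it records the
 * pointer handed to the free routine instead of freeing it, so a bogus
 * free is observable in a test instead of crashing the process. */
static void *last_freed;
static void stub_talloc_free(void *p) { last_freed = p; }
/* Same shape as the real TALLOC_FREE(): free, then NULL the variable. */
#define TALLOC_FREE(ctx) do { if ((ctx) != NULL) { stub_talloc_free(ctx); (ctx) = NULL; } } while (0)

/* Hypothetical request: without credentials the handler bails out before
 * it has allocated anything (the early-return path the advisory describes). */
struct request { int has_credentials; size_t len; };

/* Vulnerable shape: 'creds' is only assigned on the main path. 'stale'
 * stands in for whatever the stack slot happened to hold before the call. */
static int handler_vulnerable(const struct request *r, void *stale) {
    void *creds = stale;   /* models an uninitialized 'void *creds;' */
    int status = 0;
    last_freed = NULL;
    if (!r->has_credentials) { status = -1; goto done; }
    if ((creds = malloc(r->len)) == NULL) { status = -2; goto done; }
done:
    TALLOC_FREE(creds);    /* early path: hands the stale value to free */
    return status;
}

/* Hardened shape, as the NULL-initialization commit does: TALLOC_FREE()
 * of NULL is a no-op, so the early-return path frees nothing. */
static int handler_hardened(const struct request *r) {
    void *creds = NULL;
    int status = 0;
    last_freed = NULL;
    if (!r->has_credentials) { status = -1; goto done; }
    if ((creds = malloc(r->len)) == NULL) { status = -2; goto done; }
done:
    TALLOC_FREE(creds);
    return status;
}

/* Drivers: return 1 when the early-return path behaves as described above. */
static int stale_freed_vulnerable(void) {
    int marker; struct request bad = { 0, 16 };
    return handler_vulnerable(&bad, &marker) == -1 && last_freed == (void *)&marker;
}
static int stale_freed_hardened(void) {
    struct request bad = { 0, 16 };
    return handler_hardened(&bad) == -1 && last_freed == NULL;
}
```

With a real allocator the vulnerable path would free whatever address the stack slot held; the recording stub makes that visible without corrupting the heap.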