The branch, v3-5-test has been updated
       via  5e7e402 Fix bug 7694 - Crash bug with invalid SPNEGO token.
      from  b19f866 WHATSNEW: Update release notes.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 5e7e402320ebce06957e85f35d478615b2210a87
Author: Jeremy Allison <[email protected]>
Date:   Sun Sep 26 04:59:31 2010 -0700

    Fix bug 7694 - Crash bug with invalid SPNEGO token.
    
    Found by the CodeNomicon test suites at the SNIA plugfest.
    
    http://www.codenomicon.com/
    
    If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
    as we dereference the first returned OID, OIDs[0], which is returned as NULL.
    
    Modified for 3.5.x.
    
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/sasl.c         |    3 ++-
 source3/libsmb/cliconnect.c   |    3 ++-
 source3/rpc_server/srv_pipe.c |    3 ++-
 source3/smbd/sesssetup.c      |    3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 9b4d8bd..421faed 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -769,7 +769,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 
        /* the server sent us the first part of the SPNEGO exchange in the 
negprot 
           reply */
-       if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal)) {
+       if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal) ||
+                       OIDs[0] == NULL) {
                data_blob_free(&blob);
                status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
                goto failed;
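Review bot: The added `OIDs[0] == NULL` test is only reached after spnego_parse_negTokenInit returned true, so its safety rests on the parser NULL-terminating the OIDs array on every success path; nothing in the hunk records that contract, and a comment above the condition would, e.g. `/* A negTokenInit carrying no mechanism OIDs is malformed; the parser leaves OIDs[0] NULL in that case, so reject it before indexing. */`. The same guard is added in cliconnect.c, srv_pipe.c and sesssetup.c and the comment belongs at each of them. On the new failure branch `given_principal` has already been written by a successful parse; if the parser allocates it, this path reaches `goto failed` without releasing it, so it is worth confirming that the failed: label frees it. ads_sasl_spnego_bind starts and ends outside this hunk.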
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index a3febde..9d0b1e3 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1007,7 +1007,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state 
*cli, const char *user,
         * negprot reply. It is WRONG to depend on the principal sent in the
         * negprot reply, but right now we do it. If we don't receive one,
         * we try to best guess, then fall back to NTLM.  */
-       if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
+       if (!spnego_parse_negTokenInit(blob, OIDs, &principal) ||
+                       OIDs[0] == NULL) {
                data_blob_free(&blob);
                return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
        }
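Review bot: `principal` is an output of spnego_parse_negTokenInit, and the new `OIDs[0] == NULL` branch returns straight after a successful parse without releasing it; if the parser allocates the principal string, the early `return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);` leaks it — confirm against the parser and free it first if so. The comment above the condition describes a best-guess-then-NTLM fallback for a missing principal, and a one-line note such as `/* no mechanism OIDs at all: malformed token, rejected rather than falling back to NTLM */` would make clear why this case is treated differently. cli_session_setup_spnego continues outside the hunk.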
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 46f67f4..9c80fa2 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1184,7 +1184,8 @@ static bool pipe_spnego_auth_bind_negotiate(pipes_struct 
*p, prs_struct *rpc_in_
        }
 
        /* parse out the OIDs and the first sec blob */
-       if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
+       if (!parse_negTokenTarg(blob, OIDs, &secblob) ||
+                       OIDs[0] == NULL) {
                DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the 
security blob.\n"));
                goto err;
         }
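Review bot: The DEBUG(0) message `Failed to parse the security blob` now also fires when parse_negTokenTarg succeeded but the token carried no OIDs, so a log from a malformed-token incident no longer says which of the two happened; splitting the condition into two checks with distinct messages keeps the log diagnostic without changing the outcome (both paths still `goto err`). Whether `secblob`, already written by the successful parse on the new path, is released at the err: label cannot be seen from this hunk and is worth confirming. pipe_spnego_auth_bind_negotiate starts and ends outside the hunk.
```c
	/* parse out the OIDs and the first sec blob */
	if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
		DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
		goto err;
	}
	/* A token with no mechanism OIDs is malformed; the parser leaves OIDs[0] NULL. */
	if (OIDs[0] == NULL) {
		DEBUG(0,("pipe_spnego_auth_bind_negotiate: No mechanism OIDs in security blob.\n"));
		goto err;
	}
	/* ... unchanged: remainder of the function ... */
```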
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 68cb8d3..ab9d855 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -725,7 +725,8 @@ NTSTATUS parse_spnego_mechanisms(DATA_BLOB blob_in,
        *kerb_mechOID = NULL;
 
        /* parse out the OIDs and the first sec blob */
-       if (!parse_negTokenTarg(blob_in, OIDs, pblob_out)) {
+       if (!parse_negTokenTarg(blob_in, OIDs, pblob_out) ||
+                       OIDs[0] == NULL) {
                return NT_STATUS_LOGON_FAILURE;
        }
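Review bot: parse_spnego_mechanisms is a non-static NTSTATUS function whose new failure branch returns NT_STATUS_LOGON_FAILURE after parse_negTokenTarg has already written through `pblob_out`; if the parser allocates that blob, the caller gets an error together with an unreleased output, so consider `data_blob_free(pblob_out);` before the return, subject to confirming that the parser does allocate it. The function's header comment (outside the hunk) should also state that a token with no mechanism OIDs is rejected with NT_STATUS_LOGON_FAILURE and that `*pblob_out` is not valid on error, so SMB callers do not rely on it. The function continues past the end of the hunk.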
 

