The branch, v3-6-test has been updated via 1168f77 s3:libsmb: check the wct of the incoming SMBnegprot responses from d728783 s3: Do not fork the echo handler for smb2
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log ----------------------------------------------------------------- commit 1168f7799fb3a1de96233080cd11c6114584b329 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Sep 12 12:06:53 2011 -0700 s3:libsmb: check the wct of the incoming SMBnegprot responses metze Fix bug #8452 (negprot reply needs to check vwv vector length). The corresponding commit in master is 85332eb1c721d585e1a33101bddafdca4073e10f. ----------------------------------------------------------------------- Summary of changes: source3/libsmb/cliconnect.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index d324899..81c1819 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -2643,6 +2643,11 @@ static void cli_negprot_done(struct tevent_req *subreq) struct timespec ts; bool negotiated_smb_signing = false; + if (wct != 0x11) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + /* NT protocol */ cli->sec_mode = CVAL(vwv + 1, 0); cli->max_mux = SVAL(vwv + 1, 1); @@ -2716,6 +2721,11 @@ static void cli_negprot_done(struct tevent_req *subreq) } } else if (cli->protocol >= PROTOCOL_LANMAN1) { + if (wct != 0x0D) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + cli->use_spnego = False; cli->sec_mode = SVAL(vwv + 1, 0); cli->max_xmit = SVAL(vwv + 2, 0); -- Samba Shared Repository
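Review bot: Both new guards in cli_negprot_done compare `wct` against bare hex literals (`0x11` in the NT1 branch, `0x0D` in the LANMAN1 branch) with nothing to say where the numbers come from, so a later reader cannot easily check them against the highest `vwv` index each branch reads. I would put a comment above each, e.g. `/* NT LM 0.12 negprot reply: exactly 17 parameter words */` and `/* LANMAN negprot reply: exactly 13 parameter words */`, or give the two values names. The guards cover only the parameter words. Whether the later reads from the reply's data bytes, and any remaining branch for older dialects, are bounded the same way cannot be seen here, because the function body begins and ends outside both hunks. That is worth confirming, since the reply is supplied by the remote server.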