[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu Sep 23 22:44:46 MDT 2010
The branch, master has been updated
via d8814b1 Fix bug 7694 - Crash bug with invalid SPNEGO token.
from 0a1d153 s3-waf: add check for seteuid method.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d8814b1a48adaf1f428c7119b97c87b69123e6fa
Author: Jeremy Allison <jra at samba.org>
Date: Thu Sep 23 21:44:24 2010 -0700
Fix bug 7694 - Crash bug with invalid SPNEGO token.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source3/libads/sasl.c | 3 ++-
source3/libsmb/cliconnect.c | 3 ++-
source3/rpc_server/dcesrv_spnego.c | 2 +-
source3/smbd/sesssetup.c | 3 ++-
4 files changed, 7 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 051fc96..653d546 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -785,7 +785,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
/* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
- if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+ OIDs[0] == NULL) {
data_blob_free(&blob);
status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
goto failed;
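Review bot: The added `OIDs[0] == NULL` test on the `spnego_parse_negTokenInit()` call in `ads_sasl_spnego_bind()` is the same guard that this commit repeats at every other call site, so any caller added later that forgets it will dereference a NULL first OID again. Consider having `spnego_parse_negTokenInit()` itself return false when the token carries no mechanism OIDs, or at least document on the parser that a true return does not guarantee a non-empty `OIDs` array. With either of those in place the per-caller check becomes defence in depth rather than the only barrier.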
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 92e5bb2..f76f17c 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1229,7 +1229,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
* negprot reply. It is WRONG to depend on the principal sent in the
* negprot reply, but right now we do it. If we don't receive one,
* we try to best guess, then fall back to NTLM. */
- if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL) ||
+ OIDs[0] == NULL) {
data_blob_free(&blob);
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
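Review bot: The comment block above the condition in `cli_session_setup_spnego()` still only discusses the principal from the negprot reply and says nothing about why `OIDs[0]` is now tested. A one-line comment next to `OIDs[0] == NULL` noting that a token can parse successfully yet contain no mechanism OIDs (bug 7694) would stop the check from being removed as redundant in a later cleanup. It is also worth confirming that `principal`, which the parser may have set before the empty list is detected, does not need an explicit free on this early return, given that only `blob` is released here.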
diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c
index 4686534..fb758e3 100644
--- a/source3/rpc_server/dcesrv_spnego.c
+++ b/source3/rpc_server/dcesrv_spnego.c
@@ -230,7 +230,7 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
ret = spnego_parse_negTokenInit(sp_ctx, *spnego_in,
sp_ctx->oid_list, NULL, &token_in);
- if (!ret) {
+ if (!ret || sp_ctx->oid_list[0] == NULL) {
DEBUG(3, ("Invalid SPNEGO message\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto done;
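Review bot: After `if (!ret || sp_ctx->oid_list[0] == NULL)` in `spnego_server_auth_start()`, a token that fails to parse and a token that parses but has an empty OID list both produce the same `DEBUG(3, ("Invalid SPNEGO message\n"))` line. Since this is the server-side path that receives tokens from the peer, a distinct message for the empty-list case (for example "SPNEGO token contains no mechanism OIDs") would make malformed or fuzzed tokens easier to identify in logs. Please also check that anything the parser stored in `token_in` on the successful-parse path is released after `goto done`.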
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 0b999b3..b227d2b 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -575,7 +575,8 @@ NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
*kerb_mechOID = NULL;
/* parse out the OIDs and the first sec blob */
- if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out)) {
+ if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out) ||
+ (OIDs[0] == NULL)) {
return NT_STATUS_LOGON_FAILURE;
}
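Review bot: On the new `(OIDs[0] == NULL)` branch in `parse_spnego_mechanisms()`, the parser has already returned success, so `pblob_out` may have been filled in before the function returns `NT_STATUS_LOGON_FAILURE`. Either free it with `data_blob_free(pblob_out)` before the return, or confirm that every caller ignores and does not leak the output blob when the status is an error. As a minor style point, the extra parentheses around `OIDs[0] == NULL` differ from the form used at the other call sites changed in this commit.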
--
Samba Shared Repository