[SCM] Samba Shared Repository - branch v3-6-test updated

Jeremy Allison jra at samba.org
Thu Sep 23 22:46:42 MDT 2010


The branch, v3-6-test has been updated
       via  e54527f Fix bug 7694 - Crash bug with invalid SPNEGO token.
      from  96ab093 s3: tdbdump does not use our libs (cherry picked via commit aea64ef275b6e94ca7afb8fa2bb172416773abdf and 82c0e79b8d8c693c128e83d8062e1543f3bb311d)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit e54527f19f676eb8f604b1353cfb63c89d3a17d2
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Sep 23 21:45:53 2010 -0700

    Fix bug 7694 - Crash bug with invalid SPNEGO token.
    
    Found by the CodeNomicon test suites at the SNIA plugfest.
    
    http://www.codenomicon.com/
    
    If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
    as we indirect the first returned value OIDs[0], which is returned as NULL.
    
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/sasl.c         |    3 ++-
 source3/libsmb/cliconnect.c   |    3 ++-
 source3/rpc_server/srv_pipe.c |    2 +-
 source3/smbd/sesssetup.c      |    3 ++-
 4 files changed, 7 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 051fc96..653d546 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -785,7 +785,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 
 	/* the server sent us the first part of the SPNEGO exchange in the negprot 
 	   reply */
-	if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL)) {
+	if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+			OIDs[0] == NULL) {
 		data_blob_free(&blob);
 		status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
 		goto failed;
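Review bot: The OIDs[0] == NULL test added to the condition in ads_sasl_spnego_bind is repeated by hand at every spnego_parse_negTokenInit call site this patch touches, so any caller that is missed or added later keeps the NULL dereference. Consider making spnego_parse_negTokenInit itself return false when it parsed no mechanism OIDs, so that a successful return guarantees OIDs[0] is valid and the callers need no extra test.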
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1c104c9..1623cab 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1227,7 +1227,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 	 * negprot reply. It is WRONG to depend on the principal sent in the
 	 * negprot reply, but right now we do it. If we don't receive one,
 	 * we try to best guess, then fall back to NTLM.  */
-	if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL)) {
+	if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL) ||
+			OIDs[0] == NULL) {
 		data_blob_free(&blob);
 		return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 	}
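Review bot: The new OIDs[0] == NULL clause in cli_session_setup_spnego has no comment, and the comment block above it only discusses the principal, so a reader cannot tell that a token can parse successfully and still carry an empty mechanism list. Add a one-line comment at the condition saying that an empty OID list from the server is treated as an invalid token, and consider a DEBUG message before the return so the failure is visible on the client side rather than only surfacing as NT_STATUS_INVALID_PARAMETER.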
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index e704d75..c1d5af6 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -625,7 +625,7 @@ static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p,
 
 	/* parse out the OIDs and the first sec blob */
 	if (!spnego_parse_negTokenInit(talloc_tos(),
-			pauth_info->credentials, OIDs, NULL, &secblob)) {
+			pauth_info->credentials, OIDs, NULL, &secblob) || OIDs[0] == NULL) {
 		DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
 		goto err;
         }
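Review bot: With || OIDs[0] == NULL folded into the condition in pipe_spnego_auth_bind_negotiate, the existing DEBUG(0, ...) text "Failed to parse the security blob." is now also logged when the parse succeeded but returned no OIDs, which will mislead anyone reading the log. Either split the two cases or reword the message to cover an empty mechanism list. As a style point, the added clause sits on the continuation line here while the other hunks put it on a line of its own; matching them would keep the four sites uniform.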
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 35b8c04..bc3c7e0 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -738,7 +738,8 @@ NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
 	*kerb_mechOID = NULL;
 
 	/* parse out the OIDs and the first sec blob */
-	if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out)) {
+	if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out) ||
+			(OIDs[0] == NULL)) {
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
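Review bot: On the new (OIDs[0] == NULL) branch in parse_spnego_mechanisms the parser has returned success, so it may already have written to pblob_out (and to the OIDs array) before the early return of NT_STATUS_LOGON_FAILURE. Please confirm that the caller releases *pblob_out on this path, or free it here before returning. Minor: this is the only site that parenthesises the comparison; the other three hunks write OIDs[0] == NULL without parentheses.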


-- 
Samba Shared Repository

