[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu May 26 18:58:03 MDT 2011


The branch, master has been updated
       via  e05c9cd Fix bug #6911 - Kerberos authentication from vista to samba fails when security blob size is greater than 16 kB
      from  875e29b s3: Document "async smb echo handler"

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e05c9cdcb6bf710ddb7d683916ca26857a3bce18
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 26 16:48:42 2011 -0700

    Fix bug #6911 - Kerberos authentication from vista to samba fails when security blob size is greater than 16 kB
    
    We were not correctly checking the output of asn1_start_tag().
    asn1_start_tag() returns -1 and sets data->has_error if the
    remaining blob size is too short to contain the tag length.
    We were checking data->has_error and returning NT_STATUS_OK
    (to allow the second ASN.1 parse to fail in that case). We
    should not be checking data->has_error in this case, but
    falling through to the code that already checks the length.
    
    Thanks to Jim for reproducing this for me. We don't get bitten
    by this as we announce a max buffer size of 16k, greater than
    Windows's 4k, which means that most krb5 spnego packets already
    fit.
    
    Jeremy.
    
    Autobuild-User: Jeremy Allison <jra at samba.org>
    Autobuild-Date: Fri May 27 02:57:27 CEST 2011 on sn-devel-104

-----------------------------------------------------------------------
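The bug described in the commit message comes down to one question: given the bytes received so far, is the outermost DER tag/length header complete, and if so how many bytes does the whole element need? The following stand-alone C example is added here to illustrate that check; it is not Samba code and does not use Samba's asn1 API. Like check_spnego_blob_complete() it only handles a single-byte tag (Samba passes pblob->data[0] as the tag), it distinguishes "blob too short to even hold the length bytes" from "length known but payload missing", and it carries the same integer-wrap guard. The function names (der_needed_len, der_needed, der_is_complete) and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting the outermost DER tag/length header of a buffer. */
enum der_status {
	DER_COMPLETE = 0,   /* the whole TLV is present in the buffer */
	DER_INCOMPLETE = 1, /* more bytes needed; *needed says how many in total */
	DER_INVALID = 2     /* header is malformed or unsupported */
};

/*
 * Work out how many bytes the outermost TLV starting at buf[0] occupies.
 * Only a single-byte tag is handled, mirroring the Samba check, which
 * passes pblob->data[0] as the tag. Hypothetical helper, not Samba code.
 */
enum der_status der_needed_len(const uint8_t *buf, size_t len, size_t *needed)
{
	size_t hdr = 2; /* tag byte + first length byte */
	size_t taglen;

	if (len < 2) {
		/* Not even a complete minimal header: ask for it. */
		*needed = 2;
		return DER_INCOMPLETE;
	}
	if ((buf[0] & 0x1f) == 0x1f) {
		return DER_INVALID; /* multi-byte tag numbers not supported */
	}
	if (buf[1] < 0x80) {
		taglen = buf[1]; /* short form: length fits in one byte */
	} else {
		size_t n = buf[1] & 0x7f; /* long form: n length bytes follow */
		size_t i;
		if (n == 0 || n > sizeof(size_t)) {
			return DER_INVALID; /* indefinite length, or absurdly wide */
		}
		hdr += n;
		if (len < hdr) {
			/* The case the fix targets: the blob is too short
			   to contain the length bytes themselves. */
			*needed = hdr;
			return DER_INCOMPLETE;
		}
		taglen = 0;
		for (i = 0; i < n; i++) {
			taglen = (taglen << 8) | buf[2 + i];
		}
	}
	/* Integer wrap paranoia: hdr + taglen must not overflow size_t. */
	if (taglen > SIZE_MAX - hdr) {
		return DER_INVALID;
	}
	*needed = hdr + taglen;
	return (*needed <= len) ? DER_COMPLETE : DER_INCOMPLETE;
}

/* Total bytes the element needs, or 0 if the header is invalid. */
size_t der_needed(const uint8_t *buf, size_t len)
{
	size_t needed = 0;
	if (der_needed_len(buf, len, &needed) == DER_INVALID) {
		return 0;
	}
	return needed;
}

/* 1 if the whole element is already in the buffer, 0 otherwise. */
int der_is_complete(const uint8_t *buf, size_t len)
{
	size_t needed = 0;
	return der_needed_len(buf, len, &needed) == DER_COMPLETE;
}

/* Constructed sample buffers (not real SPNEGO traffic). */
static const uint8_t SAMPLE_SHORT[] = { 0x60, 0x03, 'a', 'b', 'c' }; /* complete, 5 bytes */
static const uint8_t SAMPLE_BIG[]   = { 0x60, 0x82, 0x40, 0x00 };    /* header: 16384 bytes follow */
static const uint8_t SAMPLE_INDEF[] = { 0x60, 0x80 };                 /* indefinite length: not DER */

int main(void)
{
	size_t needed = 0;
	enum der_status st = der_needed_len(SAMPLE_BIG, sizeof(SAMPLE_BIG), &needed);
	printf("big blob: status=%d have=%zu need=%zu\n", (int)st, sizeof(SAMPLE_BIG), needed);
	st = der_needed_len(SAMPLE_BIG, 2, &needed);
	printf("truncated header: status=%d have=2 need=%zu\n", (int)st, needed);
	printf("indefinite length: status=%d\n", (int)der_needed_len(SAMPLE_INDEF, 2, &needed));
	return 0;
}
```

A caller that receives SPNEGO fragments would loop on DER_INCOMPLETE, reading until the buffer holds at least *needed bytes, and treat DER_INVALID the way the patch treats data->nesting == NULL: stop waiting and let the real parser report the error.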

Summary of changes:
 source3/smbd/sesssetup.c |   28 +++++++++++++++++++++++++---
 1 files changed, 25 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 026380e..ee305c4 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -930,13 +930,28 @@ static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn,
 	}
 
 	asn1_load(data, *pblob);
-	asn1_start_tag(data, pblob->data[0]);
-	if (data->has_error || data->nesting == NULL) {
+	if (asn1_start_tag(data, pblob->data[0])) {
+		/* asn1_start_tag checks if the given
+		   length of the blob is enough to complete
+		   the tag. If it returns true we know
+		   there is nothing to do - the blob is
+		   complete. */
 		asn1_free(data);
-		/* Let caller catch. */
 		return NT_STATUS_OK;
 	}
 
+	if (data->nesting == NULL) {
+		/* Incorrect tag, allocation failed,
+		   or reading the tag length failed.
+		   Let the caller catch. */
+		asn1_free(data);
+		return NT_STATUS_OK;
+	}
+
+	/* Here we know asn1_start_tag() has set data->has_error to true.
+	   asn1_tag_remaining() will have failed due to the given blob
+	   being too short. We need to work out how short. */
+
 	/* Integer wrap paranoia.... */
 
 	if (data->nesting->taglen + data->nesting->start < data->nesting->taglen ||
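Review bot: the fall-through from the new `if (data->nesting == NULL)` check into the "Integer wrap paranoia" test relies on asn1_start_tag() having filled in data->nesting->taglen and data->nesting->start before it failed on the remaining-length check; the comment "Here we know asn1_start_tag() has set data->has_error to true" asserts this but nothing in the function enforces it. Suggest an explicit guard in the same "let the caller catch" style, e.g. `if (!data->has_error) { asn1_free(data); return NT_STATUS_OK; }`, so an unexpected false return without has_error set cannot reach the length arithmetic. The new inline comment also describes asn1_start_tag() as returning true on success while the commit message says it returns -1 on failure; the two should agree on the function's actual return type.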
@@ -965,6 +980,13 @@ static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn,
 
 	if (needed_len <= pblob->length) {
 		/* Nothing to do - blob is complete. */
+		/* THIS SHOULD NOT HAPPEN - asn1_start_tag()
+		   above should have caught this !!! */
+		DEBUG(0,("check_spnego_blob_complete: logic "
+			"error (needed_len = %u, "
+			"pblob->length = %u).\n",
+			(unsigned int)needed_len,
+			(unsigned int)pblob->length ));
 		return NT_STATUS_OK;
 	}
 


-- 
Samba Shared Repository

