[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Mon Feb 18 01:54:16 MST 2013


The branch, v3-6-test has been updated
       via  e28ec90 smbd: fix initial large PAC sess setup response
      from  d21280f Fix bug 9519 - Samba returns unexpected error on SMB posix open.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit e28ec902a207655acab665c4cfabb1f2031fb24f
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Feb 12 11:58:06 2013 +0100

    smbd: fix initial large PAC sess setup response
    
    An oversize Kerberos security token may be split across multiple Session
    Setup AndX requests when authenticating as a user who is a member of
    many (~2000) groups.
    In such a case the NativeOS, NativeLanMan & PrimaryDomain fields must be
    sent with the NT_STATUS_MORE_PROCESSING_REQUIRED response. Otherwise
    Windows clients may resend the same security token data in subsequent
    session setup andX requests, as observed with Windows 7 and Server 2012.
    
    This change fixes the SMB1 server only.
    
    Fix bug #9658 - Session Setup AndX exchange fails with an oversize security
    token.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/sesssetup.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 4f09db9..75c2a15 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -905,6 +905,13 @@ static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn,
 			(unsigned int)copy_len,
 			(unsigned int)pblob->length ));
 
+		if (pblob->length > pad->needed_len) {
+			DEBUG(2, ("subsequent security token data length %u "
+				  "exceeds expected length %u\n",
+				  (unsigned int)pblob->length,
+				  (unsigned int)pad->needed_len));
+		}
+
 		tmp_blob = data_blob(NULL,
 				pad->partial_data.length + copy_len);
 
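Review bot: the new `pblob->length > pad->needed_len` check only emits a DEBUG(2) message and then falls through to the `data_blob(NULL, pad->partial_data.length + copy_len)` allocation, so an oversize continuation is logged but not rejected at this point. The hunk does not show how `copy_len` is derived. If it is already limited to `pad->needed_len`, a short comment saying so would make clear that the excess bytes are dropped rather than appended; if it is not, this branch should return an error instead of continuing. Adding `vuid` to the message would also let the log line be correlated with a specific session.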
@@ -1165,13 +1172,18 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 
 	status = check_spnego_blob_complete(sconn, smbpid, vuid, &blob1);
 	if (!NT_STATUS_IS_OK(status)) {
+		/*
+		 * Pack error response, ensuring to fill NativeOS, NativeLanMan
+		 * & PrimaryDomain fields on NT_STATUS_MORE_PROCESSING_REQUIRED
+		 */
+		reply_outbuf(req, 4, 0);
+		reply_sesssetup_blob(req, data_blob_null, status);
 		if (!NT_STATUS_EQUAL(status,
 				NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 			/* Real error - kill the intermediate vuid */
 			invalidate_vuid(sconn, vuid);
 		}
 		data_blob_free(&blob1);
-		reply_nterror(req, nt_status_squash(status));
 		return;
 	}
 
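Review bot: the removed `reply_nterror(req, nt_status_squash(status))` squashed the status before it went on the wire, while the added `reply_sesssetup_blob(req, data_blob_null, status)` passes `status` unchanged for every non-OK result, not only NT_STATUS_MORE_PROCESSING_REQUIRED. Please confirm that reply_sesssetup_blob applies nt_status_squash() for real errors, or squash at this call site, so that internal status codes are not returned to clients. The new comment names only the MORE_PROCESSING_REQUIRED case and should also state that the same call now packs the real-error response.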


-- 
Samba Shared Repository

