[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Mon Jul 12 21:26:01 UTC 2021
The branch, master has been updated
via 147dd9d58a4 libcli/smb: let smb2_negotiate_context_parse() only parse the expected number of contexts
from 44aba9c7cab nsswitch: ensure the attrlist_t array is large enough for a NULL sentinel
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 147dd9d58a429695a3b6c6e45c8b0eaafc67908a
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun May 9 21:16:00 2021 +0200
libcli/smb: let smb2_negotiate_context_parse() only parse the expected number of contexts
Any trailing bytes after the last expected context need to be ignored.
This fixes the Negotiate_SMB311_ContextID_NetName test from:
https://github.com/microsoft/WindowsProtocolTestSuites/blob/main/TestSuites/FileServer/src/SMB2/TestSuite/Negotiate/Negotiation.cs#L730
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Jul 12 21:25:21 UTC 2021 on sn-devel-184
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smb2_negotiate_context.c | 12 +++++++++++-
libcli/smb/smb2_negotiate_context.h | 5 +++--
libcli/smb/smbXcli_base.c | 13 +++++++------
source3/smbd/smb2_negprot.c | 9 +++------
4 files changed, 24 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smb2_negotiate_context.c b/libcli/smb/smb2_negotiate_context.c
index b9b8c763a8e..9ec20bc93d0 100644
--- a/libcli/smb/smb2_negotiate_context.c
+++ b/libcli/smb/smb2_negotiate_context.c
@@ -31,12 +31,14 @@ static size_t smb2_negotiate_context_padding(uint32_t offset, size_t n)
parse a set of SMB2 create contexts
*/
NTSTATUS smb2_negotiate_context_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
+ uint16_t expected_count,
struct smb2_negotiate_contexts *contexts)
{
const uint8_t *data = buffer.data;
uint32_t remaining = buffer.length;
+ uint16_t idx;
- while (true) {
+ for (idx = 0; idx < expected_count; idx++) {
uint16_t data_length;
uint16_t type;
NTSTATUS status;
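Review bot: The loop at the top of this hunk is now bounded by the peer-supplied `expected_count` instead of by the blob running out, so the only thing that stops the parser from reading past `buffer.data` is the `remaining`-versus-header-size check inside the body, which lies outside this hunk; it must return an error (not `break`) and must precede any read of `type`/`data_length` from `data`, and that is worth confirming since the old `while (true)` presumably relied on a `remaining == 0` exit instead. `idx` is never read in the body and only acts as a cap, so a reader has to work out that the real progress counter is `contexts->num_contexts`; a comment such as `/* idx only caps the loop; contexts->num_contexts is the real count */` would make that explicit. The function comment still visible as context above the signature says "create contexts"; while the signature is being changed it could be corrected to "negotiate contexts" and gain a line on the new parameter, e.g. `expected_count is NegotiateContextCount from the wire; bytes after the last expected context are ignored`. The body of smb2_negotiate_context_parse continues outside this hunk.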
@@ -63,6 +65,10 @@ NTSTATUS smb2_negotiate_context_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffe
return status;
}
+ if (contexts->num_contexts == expected_count) {
+ break;
+ }
+
remaining -= next_offset;
data += next_offset;
@@ -78,6 +84,10 @@ NTSTATUS smb2_negotiate_context_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffe
data += pad;
}
+ if (contexts->num_contexts != expected_count) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
return NT_STATUS_OK;
}
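Review bot: The new post-loop check compares `contexts->num_contexts` against `expected_count`, and the early `break` in the loop above does the same, so both silently assume `contexts` is empty on entry; a caller that passed a partially filled struct would have the parser stop after fewer than `expected_count` contexts and the check would still pass. Both call sites in this diff appear to pass a fresh local (`c`, `in_c`), but their initialization is outside the hunks, so the contract should be written down, e.g. `/* contexts must be empty on entry: num_contexts is compared against expected_count */`. It is also worth recording at the `return NT_STATUS_OK;` that bytes after the last expected context are deliberately not examined, since a future reader may otherwise treat that as a missed length check: `/* Anything after the last expected context is ignored on purpose. */`. The start of this function is outside the hunk.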
diff --git a/libcli/smb/smb2_negotiate_context.h b/libcli/smb/smb2_negotiate_context.h
index 1e2e3e8f17d..a671d8a0ebf 100644
--- a/libcli/smb/smb2_negotiate_context.h
+++ b/libcli/smb/smb2_negotiate_context.h
@@ -26,7 +26,7 @@ struct smb2_negotiate_context {
};
struct smb2_negotiate_contexts {
- uint32_t num_contexts;
+ uint16_t num_contexts;
struct smb2_negotiate_context *contexts;
};
@@ -34,7 +34,8 @@ struct smb2_negotiate_contexts {
parse a set of SMB2 negotiate contexts
*/
NTSTATUS smb2_negotiate_context_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB buffer,
- struct smb2_negotiate_contexts *contexts);
+ uint16_t expected_count,
+ struct smb2_negotiate_contexts *contexts);
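Review bot: The header comment above this prototype is unchanged and does not mention the new `expected_count` parameter, its source, or the new return semantics. The comment could read `parse a set of SMB2 negotiate contexts; expected_count is the 16-bit NegotiateContextCount from the wire, exactly that many contexts are parsed, any bytes after the last one are ignored, and NT_STATUS_INVALID_PARAMETER is returned if fewer than expected_count could be parsed`. Narrowing `num_contexts` to `uint16_t` in the hunk above matches that wire field, so a one-line reason there, `/* NegotiateContextCount is 16 bits on the wire */`, would stop someone widening it back.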
/*
negotiate a buffer of a set of negotiate contexts
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c38b8afc255..2021d6da584 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5059,13 +5059,14 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
negotiate_context_blob.data += ctx_ofs;
negotiate_context_blob.length -= ctx_ofs;
- status = smb2_negotiate_context_parse(state, negotiate_context_blob, &c);
- if (tevent_req_nterror(req, status)) {
- return;
+ status = smb2_negotiate_context_parse(state,
+ negotiate_context_blob,
+ negotiate_context_count,
+ &c);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
}
-
- if (negotiate_context_count != c.num_contexts) {
- tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ if (tevent_req_nterror(req, status)) {
return;
}
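Review bot: The remap of `NT_STATUS_INVALID_PARAMETER` to `NT_STATUS_INVALID_NETWORK_RESPONSE` now covers every INVALID_PARAMETER the parser returns, not just the count mismatch the removed check used to translate, so a truncated or malformed context from the server is also reported as a bad response. That is arguably the right outcome for a client, but the intent is invisible at the call site and a later reader may think a caller-side bug is being masked; a comment would settle it, e.g. `/* any malformed context list from the server is a bad response, not a caller error */`. The enclosing smbXcli_negprot_smb2_done continues outside this hunk.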
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 414965b75d1..121d5205de8 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -262,15 +262,12 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
in_negotiate_context_blob.length -= ofs;
status = smb2_negotiate_context_parse(req,
- in_negotiate_context_blob, &in_c);
+ in_negotiate_context_blob,
+ in_negotiate_context_count,
+ &in_c);
if (!NT_STATUS_IS_OK(status)) {
return smbd_smb2_request_error(req, status);
}
-
- if (in_negotiate_context_count != in_c.num_contexts) {
- return smbd_smb2_request_error(req,
- NT_STATUS_INVALID_PARAMETER);
- }
}
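Review bot: This call site now accepts NEGOTIATE requests that carry extra bytes after the last declared context, where previously the parser would presumably have tried to consume them; the relaxation is intentional per the commit message but nothing in the server code says so, and `in_negotiate_context_blob`/`in_negotiate_context_count` are client-controlled, so a future hardening pass may "fix" it back. A short comment before the call would preserve the reason: `/* Only in_negotiate_context_count contexts are parsed; trailing bytes are ignored for Windows compatibility. */`. Passing the parser's status straight to smbd_smb2_request_error keeps the old INVALID_PARAMETER result for a short list, so client-visible behaviour is unchanged there. The enclosing block starts outside this hunk.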
if ((dialect != SMB2_DIALECT_REVISION_2FF) &&