[PATCH] libcli: ignore bad DataLength in negotiate response

Philipp Gesang philipp.gesang at intra2net.com
Thu Feb 28 07:49:44 UTC 2019


Hi,

following an issue we observed when connecting Samba with some
Netapp box [0] we contacted the vendor who confirmed that we are
indeed dealing with an issue with certain revisions of their SMB
stack. This is now being tracked as CVE-2019-5491 [1].

Anyway, please consider the attached patch that makes Samba
behave less strictly (but still conforming) in this situation by
accepting an SMB2_ENCRYPTION_CAPABILITIES context whose DataLength
field is larger than necessary. Preceding checks on the value
ensure it does not point outside the response. Only the first
item of data is used anyway.

The rationale for relaxing the check is that we should expect
the affected Netapp versions to be around for some time despite a
fix being available because, apparently, admins think they’re a
pain to update. Also, other SMB clients like Windows don’t seem
to have any trouble connecting to the same server, which would
make this patch “correct” with respect to bug-for-bug compatibility.

Thank you,
Philipp


[0] https://lists.samba.org/archive/samba/2019-February/221139.html
[1] https://security.netapp.com/advisory/ntap-20190227-0001/

-------------- next part --------------
From aa2af5045ea11b53a93b34d03790a3da84331d97 Mon Sep 17 00:00:00 2001
From: Philipp Gesang <philipp.gesang at intra2net.com>
Date: Thu, 14 Feb 2019 10:17:28 +0100
Subject: [PATCH] libcli: ignore bad DataLength in negotiate response

Certain Netapp versions are sending SMB2_ENCRYPTION_CAPABILITIES
structures containing an invalid DataLength field [0] that
includes the padding. This violates the specification but seems
to be ignored by other SMB client implementations.

While parsing the NegotiateContext, it is ensured that the length
does not exceed the message bounds. Also, the value is not actually
used anywhere outside the validation. This patch makes Samba fail
only on values that are too small for the (fixed size) payload
and log a debug message but continue for larger values.

[0] https://lists.samba.org/archive/samba/2019-February/221139.html
---
 libcli/smb/smbXcli_base.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 2455b6deacd..c63fc1a7c19 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5064,10 +5064,17 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
 			return;
 		}
 
-		if (cipher->data.length != (2 + 2 * cipher_count)) {
+		if (cipher->data.length < (2 + 2 * cipher_count)) {
 			tevent_req_nterror(req,
 					NT_STATUS_INVALID_NETWORK_RESPONSE);
 			return;
+		} else if (cipher->data.length > (2 + 2 * cipher_count)) {
+			DEBUG(1, ("bogus data in negotiate response / "
+				  "SMB2_ENCRYPTION_CAPABILITIES: "
+				  "expected DataLength=%hu, got %zu!\n",
+				  (uint16_t)2 + 2 * cipher_count,
+				  cipher->data.length));
+			/* ignoring malformed response */
 		}
 
 		if (cipher_count == 1) {
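Review bot: the tolerant branch (the new `else if` on the `>` comparison) accepts any DataLength larger than 2 + 2 * cipher_count, while the commit message only justifies a value that additionally counts the alignment padding; if that is the intended scope, bound the excess (negotiate contexts are padded to 8 bytes, so more than 7 surplus bytes is still a malformed response) instead of waving through arbitrary oversizes. Two smaller points in the same lines: in the DEBUG call the cast in `(uint16_t)2 + 2 * cipher_count` binds only to the literal 2, so the value handed to `%hu` is the int-promoted sum rather than a uint16_t; write `(uint16_t)(2 + 2 * cipher_count)` so the argument matches the format. And the `else` after an unconditional `return` is redundant; a plain `if (cipher->data.length > (2 + 2 * cipher_count))` reads cleaner.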
-- 
2.20.1
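The context handling the patch relies on, as an added example in C (this is not Samba code and not part of the post above): a small parser for the SMB2_ENCRYPTION_CAPABILITIES negotiate context that first bounds-checks DataLength against the remaining response, then rejects values too small for the fixed-size payload and tolerates (but reports) larger ones such as the padding-inclusive values described in the mail. The wire layout (ContextType, DataLength, Reserved, Data with CipherCount and Ciphers, all little-endian) and the constant values follow MS-SMB2 and are assumed here; the function names `parse_encryption_context`, `classify` and `selected_cipher` and all sample buffers are constructed for this example.

```c
/*
 * Added example, not Samba code: parse an SMB2_ENCRYPTION_CAPABILITIES
 * negotiate context with the DataLength policy from the patch above.
 * Layout assumed from MS-SMB2 2.2.3.1 / 2.2.3.1.2, little-endian:
 *   ContextType(2) DataLength(2) Reserved(4) Data(DataLength)
 *   Data = CipherCount(2) Ciphers[CipherCount] (2 bytes each)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMB2_ENCRYPTION_CAPABILITIES 0x0002
#define SMB2_ENCRYPTION_AES128_GCM   0x0002

enum enc_ctx_status {
	ENC_CTX_OK = 0,       /* DataLength == 2 + 2 * CipherCount */
	ENC_CTX_OK_OVERSIZED, /* DataLength too large (padding counted): tolerated */
	ENC_CTX_INVALID       /* out of bounds or too small: reject the response */
};

struct enc_ctx {
	uint16_t data_length;
	uint16_t cipher_count;
	const uint8_t *ciphers; /* cipher_count little-endian uint16 ids */
};

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/* buf points at the context header; buf_len is what remains of the response. */
enum enc_ctx_status parse_encryption_context(const uint8_t *buf, size_t buf_len,
					     struct enc_ctx *out)
{
	if (buf_len < 8 || get_le16(buf) != SMB2_ENCRYPTION_CAPABILITIES) {
		return ENC_CTX_INVALID;
	}
	uint16_t data_length = get_le16(buf + 2);
	/* Check 1 (the "preceding check" the mail relies on): the context
	 * payload must lie inside the response; buf_len >= 8 here. */
	if (data_length > buf_len - 8) {
		return ENC_CTX_INVALID;
	}
	const uint8_t *data = buf + 8;
	if (data_length < 2) {
		return ENC_CTX_INVALID;
	}
	uint16_t cipher_count = get_le16(data);
	/* size_t so a large CipherCount cannot wrap the needed size. */
	size_t needed = 2 + 2 * (size_t)cipher_count;
	/* Check 2: too small for the fixed-size payload -> hard failure. */
	if (data_length < needed) {
		return ENC_CTX_INVALID;
	}
	out->data_length = data_length;
	out->cipher_count = cipher_count;
	out->ciphers = data + 2;
	/* Larger than needed: report it, but keep going, as the patch does. */
	if (data_length > needed) {
		fprintf(stderr, "bogus DataLength=%u, expected %zu; ignoring\n",
			(unsigned)data_length, needed);
		return ENC_CTX_OK_OVERSIZED;
	}
	return ENC_CTX_OK;
}

enum enc_ctx_status classify(const uint8_t *buf, size_t buf_len)
{
	struct enc_ctx ctx;
	return parse_encryption_context(buf, buf_len, &ctx);
}

/* First advertised cipher id, 0 if the list is empty, -1 if rejected. */
int selected_cipher(const uint8_t *buf, size_t buf_len)
{
	struct enc_ctx ctx;
	if (parse_encryption_context(buf, buf_len, &ctx) == ENC_CTX_INVALID) {
		return -1;
	}
	return ctx.cipher_count ? get_le16(ctx.ciphers) : 0;
}

/* Constructed samples for this example, not captured traffic. */
static const uint8_t SAMPLE_CONFORMING[] = {
	0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, /* type 2, len 4, reserved */
	0x01, 0x00, 0x02, 0x00                          /* count 1, AES-128-GCM */
};
/* DataLength 8 also counts the 4 bytes of alignment padding after the cipher. */
static const uint8_t SAMPLE_PADDED[] = {
	0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00
};
/* DataLength 2 cannot hold CipherCount plus one cipher id. */
static const uint8_t SAMPLE_TOO_SMALL[] = {
	0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x01, 0x00, 0x02, 0x00
};
/* DataLength 64 points past the end of this 12-byte buffer. */
static const uint8_t SAMPLE_OUT_OF_BOUNDS[] = {
	0x02, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x01, 0x00, 0x02, 0x00
};

int main(void)
{
	printf("conforming: status %d\n", classify(SAMPLE_CONFORMING, sizeof SAMPLE_CONFORMING));
	printf("padded:     status %d cipher 0x%04x\n",
	       classify(SAMPLE_PADDED, sizeof SAMPLE_PADDED),
	       selected_cipher(SAMPLE_PADDED, sizeof SAMPLE_PADDED));
	printf("too small:  status %d\n", classify(SAMPLE_TOO_SMALL, sizeof SAMPLE_TOO_SMALL));
	printf("oob:        status %d\n", classify(SAMPLE_OUT_OF_BOUNDS, sizeof SAMPLE_OUT_OF_BOUNDS));
	return 0;
}
```

The padded sample is the shape the mail describes: a DataLength that covers the cipher list plus the trailing alignment bytes. It passes the bounds check, is flagged as oversized, and still yields the single cipher id, while a DataLength that is too small for its own CipherCount or that runs past the buffer is rejected outright.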



More information about the samba-technical mailing list