[PATCH] libcli: ignore bad DataLength in negotiate response

Ralph Böhme slow at samba.org
Thu Feb 28 08:33:46 UTC 2019


Hi Philipp,

On Thu, Feb 28, 2019 at 08:49:44AM +0100, Philipp Gesang via samba-technical wrote:
> following an issue we observed when connecting Samba with some
> Netapp box [0] we contacted the vendor who confirmed that we are
> indeed dealing with an issue with certain revisions of their SMB
> stack. This is now being tracked as CVE-2019-5491 [1].

ups, so this turned into a CVE. :)))

> Anyways, please consider the attached patch that makes Samba
> behave less strictly (but still conforming) in this situation by
> accepting a SMB2_ENCRYPTION_CAPABILITIES context whose DataLength
> field is larger than necessary. Preceding checks on the value
> ensure it does not point outside the response. Only the first
> item of data is used anyways.
>
> The rationale for relaxing the check is that we should expect
> the affected Netapp versions to be around for some time despite a
> fix being available because apparently, admins think they’re a
> pain to update. Also, other SMB clients like Windows don’t seem
> to have any trouble connecting to the same server which would
> make this patch “correct” wrt. to bug-for-bug compatibility.

As we can't be sure that MS is going to stick with this behaviour, we should ask
MS dochelp for clarification. Can you take care of that? I.e. write a mail to
dochelp at microsoft.com (ideally ccing cifs-protocol at lists.samba.org) and ask for
clarification on the MS-SMB2 paragraph in question. I could also take care of
this if you prefer.

-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
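The relaxed check Philipp describes, as an added illustration that is not Samba's own code: a stand-alone parser for one SMB2_ENCRYPTION_CAPABILITIES negotiate context (layout per MS-SMB2: ContextType, DataLength, Reserved, then CipherCount and the cipher list) that first bounds-checks DataLength against the buffer and then either insists on an exact DataLength (strict) or tolerates a DataLength larger than needed (relaxed), in both cases using only the first cipher. The byte strings are constructed samples and `parse_enc_caps` is a hypothetical name.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SMB2_ENCRYPTION_CAPABILITIES 0x0002 /* MS-SMB2 negotiate context type */
#define SMB2_ENCRYPTION_AES128_CCM   0x0001
#define SMB2_ENCRYPTION_AES128_GCM   0x0002

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one SMB2_ENCRYPTION_CAPABILITIES context at buf[0..len).
 * Returns the first advertised cipher id, or 0 if the context is rejected.
 * strict != 0: DataLength must equal 2 + 2*CipherCount exactly.
 * strict == 0: a DataLength larger than needed is accepted, provided it
 *              still lies inside the buffer (the relaxed behaviour above). */
uint16_t parse_enc_caps(const uint8_t *buf, size_t len, int strict)
{
    if (len < 8) return 0;                    /* header: type(2) datalen(2) reserved(4) */
    uint16_t type = get_le16(buf);
    uint16_t data_len = get_le16(buf + 2);
    if (type != SMB2_ENCRYPTION_CAPABILITIES) return 0;
    if (data_len > len - 8) return 0;         /* DataLength must not point outside the response */
    const uint8_t *data = buf + 8;
    if (data_len < 2) return 0;               /* need at least CipherCount */
    uint16_t count = get_le16(data);
    if (count == 0) return 0;
    size_t need = 2 + 2 * (size_t)count;
    if (need > data_len) return 0;            /* cipher list must fit inside DataLength */
    if (strict && need != data_len) return 0; /* exact-size rule the affected box violates */
    return get_le16(data + 2);                /* only the first cipher is used */
}

/* Constructed samples: one cipher (AES-128-GCM) each. */
const uint8_t ctx_exact[]  = {0x02,0x00, 0x04,0x00, 0,0,0,0, 0x01,0x00, 0x02,0x00};
const uint8_t ctx_padded[] = {0x02,0x00, 0x06,0x00, 0,0,0,0, 0x01,0x00, 0x02,0x00, 0,0};
const uint8_t ctx_oob[]    = {0x02,0x00, 0x40,0x00, 0,0,0,0, 0x01,0x00, 0x02,0x00};

int main(void)
{
    printf("exact  strict=%u relaxed=%u\n", parse_enc_caps(ctx_exact, sizeof ctx_exact, 1),
           parse_enc_caps(ctx_exact, sizeof ctx_exact, 0));
    printf("padded strict=%u relaxed=%u\n", parse_enc_caps(ctx_padded, sizeof ctx_padded, 1),
           parse_enc_caps(ctx_padded, sizeof ctx_padded, 0));
    printf("oob    relaxed=%u\n", parse_enc_caps(ctx_oob, sizeof ctx_oob, 0));
    return 0;
}
```

The padded sample is rejected only in strict mode, while the out-of-bounds DataLength is rejected in both modes, which is the property the quoted patch relies on.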


