[PATCH] libcli: ignore bad DataLength in negotiate response
philipp.gesang at intra2net.com
Thu Feb 28 09:05:21 UTC 2019
-<| Quoting Ralph Böhme via samba-technical <slow at samba.org>, on Thursday, 2019-02-28 09:33:46 AM |>-
> On Thu, Feb 28, 2019 at 08:49:44AM +0100, Philipp Gesang via samba-technical wrote:
> > following an issue we observed when connecting Samba with some
> > Netapp box  we contacted the vendor who confirmed that we are
> > indeed dealing with an issue with certain revisions of their SMB
> > stack. This is now being tracked as CVE-2019-5491 .
> ups, so this turned into a CVE. :)))
Afraid so. Netapp security were really responsive though.
> > Anyways, please consider the attached patch that makes Samba
> > behave less strictly (but still conforming) in this situation by
> > accepting a SMB2_ENCRYPTION_CAPABILITIES context whose DataLength
> > field is larger than necessary. Preceding checks on the value
> > ensure it does not point outside the response. Only the first
> > item of data is used anyways.
> > The rationale for relaxing the check is that we should expect
> > the affected Netapp versions to be around for some time despite a
> > fix being available because apparently, admins think they’re a
> > pain to update. Also, other SMB clients like Windows don’t seem
> > to have any trouble connecting to the same server which would
> > make this patch “correct” wrt. to bug-for-bug compatibility.
> as we can't be sure that MS is going to stick with this behaviour, we should
> as MS dochelp for clarification. Can you take care of that? Ie write a mail
> to dochelp at microsoft.com (ideally ccing cifs-protocol at lists.samba.org) and
> ask for clarification on the MS-SMB2 parapgraph in question. I could also
> take care of this if you prefer.
I’ll do that, give me a day or so.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the samba-technical