The branch, v3-6-test has been updated via e54527f Fix bug 7694 - Crash bug with invalid SPNEGO token. from 96ab093 s3: tdbdump does not use our libs (cherry picked via commit aea64ef275b6e94ca7afb8fa2bb172416773abdf and 82c0e79b8d8c693c128e83d8062e1543f3bb311d)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log ----------------------------------------------------------------- commit e54527f19f676eb8f604b1353cfb63c89d3a17d2 Author: Jeremy Allison <j...@samba.org> Date: Thu Sep 23 21:45:53 2010 -0700 Fix bug 7694 - Crash bug with invalid SPNEGO token. Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL. Jeremy. ----------------------------------------------------------------------- Summary of changes: source3/libads/sasl.c | 3 ++- source3/libsmb/cliconnect.c | 3 ++- source3/rpc_server/srv_pipe.c | 2 +- source3/smbd/sesssetup.c | 3 ++- 4 files changed, 7 insertions(+), 4 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 051fc96..653d546 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -785,7 +785,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 /* the server sent us the first part of the SPNEGO exchange in the negprot reply */
- if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+ OIDs[0] == NULL) {
 data_blob_free(&blob);
 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
 goto failed;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1c104c9..1623cab 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
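Review bot: The `OIDs[0] == NULL` test appended to the spnego_parse_negTokenInit() condition enforces a parser invariant at the call site, and the same test is repeated in the cliconnect.c, srv_pipe.c and sesssetup.c hunks; a negTokenInit whose mechTypes list is empty is malformed, so spnego_parse_negTokenInit() itself returning false for an empty OID list would fix every caller at once, including any this commit does not touch. If the parser is left as is, the reason for the extra test deserves a comment at each site, e.g. `/* an empty mechTypes list is a malformed negTokenInit: the parser returns OIDs[0] == NULL */`. The four hunks also spell the guard three different ways (bare, parenthesised, and on the same line as the call), which makes the pattern harder to audit for; one form would be preferable. ads_sasl_spnego_bind() begins and ends outside the hunk.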
@@ -1227,7 +1227,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 * negprot reply. It is WRONG to depend on the principal sent in the
 * negprot reply, but right now we do it. If we don't receive one,
 * we try to best guess, then fall back to NTLM. */
- if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL) ||
+ OIDs[0] == NULL) {
 data_blob_free(&blob);
 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 }
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index e704d75..c1d5af6 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -625,7 +625,7 @@ static bool pipe_spnego_auth_bind_negotiate(struct pipes_struct *p,
 /* parse out the OIDs and the first sec blob */
 if (!spnego_parse_negTokenInit(talloc_tos(),
- pauth_info->credentials, OIDs, NULL, &secblob)) {
+ pauth_info->credentials, OIDs, NULL, &secblob) || OIDs[0] == NULL) {
 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
 goto err;
 }
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 35b8c04..bc3c7e0 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -738,7 +738,8 @@ NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
 *kerb_mechOID = NULL;
 /* parse out the OIDs and the first sec blob */
- if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out)) {
+ if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out) ||
+ (OIDs[0] == NULL)) {
 return NT_STATUS_LOGON_FAILURE;
 }
-- Samba Shared Repository
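Review bot: In the sesssetup.c hunk the new `(OIDs[0] == NULL)` branch returns NT_STATUS_LOGON_FAILURE after spnego_parse_negTokenInit() has already succeeded, so whatever the parser wrote to *pblob_out is handed back populated on a failure path; the same applies to &secblob in the srv_pipe.c hunk, where control goes to `err` and it is not visible here whether that label releases it. If the blob is talloc'd on ctx this is at worst a transient allocation, but a caller that treats a non-empty *pblob_out as a successfully parsed token would be misled, so this should be checked against the callers. Clearing it before the return, `data_blob_free(pblob_out);` ahead of `return NT_STATUS_LOGON_FAILURE;`, would make the failure path leave no partial state, provided pblob_out is guaranteed non-NULL at this point. parse_spnego_mechanisms() continues beyond the hunk.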