From 6cb051a0ad84e3b8f7b56e355ad65b8923d1a82b Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 28 Feb 2017 15:03:45 +0000 Subject: [PATCH 1/2] smbd: Do an early exit on negprot failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=12610 Signed-off-by: Volker Lendecke Reviewed-by: Ralph Böhme Reviewed-by: Jeremy Allison (cherry picked from commit cf9acf9a3da932fca115967eb3d9d9ed48fcbbfc) --- source3/smbd/negprot.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index cdde334ccba..838ff45aad1 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -723,17 +723,26 @@ void reply_negprot(struct smb_request *req) break; } - if(choice != -1) { - fstrcpy(remote_proto,supported_protocols[protocol].short_name); - reload_services(sconn, conn_snum_used, true); - supported_protocols[protocol].proto_reply_fn(req, choice); - DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name)); - } else { + if (choice == -1) { + bool ok; + DBG_NOTICE("No protocol supported !\n"); reply_outbuf(req, 1, 0); SSVAL(req->outbuf, smb_vwv0, choice); + + ok = srv_send_smb(xconn, (char *)req->outbuf, + false, 0, false, NULL); + if (!ok) { + DBG_NOTICE("srv_send_smb failed\n"); + } + exit_server_cleanly("no protocol supported\n"); } + fstrcpy(remote_proto,supported_protocols[protocol].short_name); + reload_services(sconn, conn_snum_used, true); + supported_protocols[protocol].proto_reply_fn(req, choice); + DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name)); + DEBUG( 5, ( "negprot index=%d\n", choice ) ); /* We always have xconn->smb1.signing_state also for >= SMB2_02 */ -- 2.12.0.rc1.440.g5b76565f74-goog From f24c6b31e59367f1a8e7d7d5d9c707b604c1483a Mon Sep 17 00:00:00 2001 
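Review bot: The new `if (choice == -1)` branch in reply_negprot carries no comment on why smbd exits, and the code that now follows it unconditionally (`supported_protocols[protocol].proto_reply_fn(req, choice)`) is only correct if `exit_server_cleanly()` never returns. I would put a comment above the exit call, e.g. `/* No dialect negotiated: drop the connection so no later request runs on un-negotiated state (bug 12610). */`, so nobody later turns this back into a soft failure. The reason string `"no protocol supported\n"` ends in a newline; presumably the exit path formats its own log line, in which case it should be `"no protocol supported"`. Neither DBG_NOTICE message identifies the peer, which makes repeated failed negotiations from one client hard to spot in logs; consider including the client address if one is at hand here. reply_negprot's body starts and ends outside the hunk.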
From: Volker Lendecke Date: Tue, 28 Feb 2017 16:17:03 +0100 Subject: [PATCH 2/2] torture3: Add test for smbd crash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=12610 Signed-off-by: Volker Lendecke Reviewed-by: Ralph Böhme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Mar 3 06:20:50 CET 2017 on sn-devel-144 (cherry picked from commit a52c7f4d52df6853f925e680eadefcdfdc7bea85) --- source3/torture/torture.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 393d3435543..754e3b6933a 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c 
@@ -11017,6 +11017,81 @@ static bool run_local_canonicalize_path(int dummy) return true; } +static bool run_ign_bad_negprot(int dummy) +{ + struct tevent_context *ev; + struct tevent_req *req; + struct smbXcli_conn *conn; + struct sockaddr_storage ss; + NTSTATUS status; + int fd; + bool ok; + + printf("starting ignore bad negprot\n"); + + ok = resolve_name(host, &ss, 0x20, true); + if (!ok) { + d_fprintf(stderr, "Could not resolve name %s\n", host); + return false; + } + + status = open_socket_out(&ss, 445, 10000, &fd); + if (!NT_STATUS_IS_OK(status)) { + d_fprintf(stderr, "open_socket_out failed: %s\n", + nt_errstr(status)); + return false; + } + + conn = smbXcli_conn_create(talloc_tos(), fd, host, SMB_SIGNING_OFF, 0, + NULL, 0); + if (conn == NULL) { + d_fprintf(stderr, "smbXcli_conn_create failed\n"); + return false; + } + + status = smbXcli_negprot(conn, 0, PROTOCOL_CORE, PROTOCOL_CORE); + if (NT_STATUS_IS_OK(status)) { + d_fprintf(stderr, "smbXcli_negprot succeeded!\n"); + return false; + } + + ev = samba_tevent_context_init(talloc_tos()); + if (ev == NULL) { + d_fprintf(stderr, "samba_tevent_context_init failed\n"); + return false; + } + + req = smb1cli_session_setup_nt1_send( + ev, ev, conn, 0, getpid(), NULL, 65503, 2, 1, 0, "", "", + data_blob_null, data_blob_null, 0x40, + "Windows 2000 2195", "Windows 2000 5.0"); + if (req == NULL) { + d_fprintf(stderr, "smb1cli_session_setup_nt1_send failed\n"); + return false; + } + + ok = tevent_req_poll_ntstatus(req, ev, &status); + if (!ok) { + d_fprintf(stderr, "tevent_req_poll failed\n"); + return false; + } + + status = smb1cli_session_setup_nt1_recv(req, NULL, NULL, NULL, NULL, + NULL, NULL); + if (!NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_RESET)) { + d_fprintf(stderr, "smb1cli_session_setup_nt1_recv returned " + "%s, expected NT_STATUS_CONNECTION_RESET\n", + nt_errstr(status)); + return false; + } + + TALLOC_FREE(conn); + + printf("starting ignore bad negprot\n"); + + return true; +} + static double 
create_procs(bool (*fn)(int), bool *result) { int i, status; @@ -11206,6 +11281,7 @@ static struct { { "NOTIFY-BENCH2", run_notify_bench2 }, { "NOTIFY-BENCH3", run_notify_bench3 }, { "BAD-NBT-SESSION", run_bad_nbt_session }, + { "IGN-BAD-NEGPROT", run_ign_bad_negprot }, { "SMB-ANY-CONNECT", run_smb_any_connect }, { "NOTIFY-ONLINE", run_notify_online }, { "SMB2-BASIC", run_smb2_basic }, -- 2.12.0.rc1.440.g5b76565f74-goog
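Review bot: The last message in run_ign_bad_negprot repeats the opening one, so a passing run prints "starting ignore bad negprot" twice; the closing line should read `printf("finished ignore bad negprot\n");`. Every `return false` after `open_socket_out()` succeeds leaves resources behind: `fd` is not closed when `smbXcli_conn_create()` fails, and `conn` is only released by `TALLOC_FREE(conn)` on the success path. Adding `close(fd);` to the conn-creation failure branch and `TALLOC_FREE(conn);` before the later early returns would keep a failing run from holding the socket open (this assumes conn owns fd once created; confirm). The literals `0x20`, `445`, `65503` and `0x40` would also be easier to review with a short comment each or a named constant.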