The Samba-Bugzilla – Attachment 5985 Details for Bug 7694: Crash bug with invalid SPNEGO token.
[patch] git-am fix for 3.5.next
0001-Fix-bug-7694-Crash-bug-with-invalid-SPNEGO-token.patch (text/plain), 2.95 KB, created by Jeremy Allison on 2010-09-26 07:01:51 UTC
>From adc9bceee9c80f52d5055bbdd70db1c7afca425a Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Sun, 26 Sep 2010 04:59:31 -0700 >Subject: [PATCH] Fix bug 7694 - Crash bug with invalid SPNEGO token. > >Found by the CodeNomicon test suites at the SNIA plugfest. > >http://www.codenomicon.com/ > >If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server >as we indirect the first returned value OIDs[0], which is returned as NULL. > >Modified for 3.5.x. > >Jeremy. >--- > source3/libads/sasl.c | 3 ++- > source3/libsmb/cliconnect.c | 3 ++- > source3/rpc_server/srv_pipe.c | 3 ++- > source3/smbd/sesssetup.c | 3 ++- > 4 files changed, 8 insertions(+), 4 deletions(-) > >diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c >index 9b4d8bd..421faed 100644 >--- a/source3/libads/sasl.c >+++ b/source3/libads/sasl.c >@@ -769,7 +769,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) > > /* the server sent us the first part of the SPNEGO exchange in the negprot > reply */ >- if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal)) { >+ if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal) || >+ OIDs[0] == NULL) { > data_blob_free(&blob); > status = ADS_ERROR(LDAP_OPERATIONS_ERROR); > goto failed; >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index a3febde..9d0b1e3 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -1007,7 +1007,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, > * negprot reply. It is WRONG to depend on the principal sent in the > * negprot reply, but right now we do it. If we don't receive one, > * we try to best guess, then fall back to NTLM. */ >- if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) { >+ if (!spnego_parse_negTokenInit(blob, OIDs, &principal) || >+ OIDs[0] == NULL) { > data_blob_free(&blob); > return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); > } 
>diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c >index 46f67f4..9c80fa2 100644 >--- a/source3/rpc_server/srv_pipe.c >+++ b/source3/rpc_server/srv_pipe.c >@@ -1184,7 +1184,8 @@ static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_ > } > > /* parse out the OIDs and the first sec blob */ >- if (!parse_negTokenTarg(blob, OIDs, &secblob)) { >+ if (!parse_negTokenTarg(blob, OIDs, &secblob) || >+ OIDs[0] == NULL) { > DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n")); > goto err; > } >diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c >index 68cb8d3..ab9d855 100644 >--- a/source3/smbd/sesssetup.c >+++ b/source3/smbd/sesssetup.c >@@ -725,7 +725,8 @@ NTSTATUS parse_spnego_mechanisms(DATA_BLOB blob_in, > *kerb_mechOID = NULL; > > /* parse out the OIDs and the first sec blob */ >- if (!parse_negTokenTarg(blob_in, OIDs, pblob_out)) { >+ if (!parse_negTokenTarg(blob_in, OIDs, pblob_out) || >+ OIDs[0] == NULL) { > return NT_STATUS_LOGON_FAILURE; > } > >-- >1.7.0.4 >
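Review bot: In the source3/libads/sasl.c hunk (ads_sasl_spnego_bind), the `OIDs[0] == NULL` test sits at the caller, and the diffstat shows the same two-line condition pasted into four files, so any call site added later that omits it would indirect through OIDs[0] exactly as before. Consider making spnego_parse_negTokenInit and parse_negTokenTarg return false themselves when no OID was parsed, so that "success implies OIDs[0] is non-NULL" is enforced in one place, and keep the caller-side checks only as defence in depth.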
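Review bot: In the source3/libsmb/cliconnect.c hunk (cli_session_setup_spnego), the new `OIDs[0] == NULL` branch is reached only after spnego_parse_negTokenInit has returned success, yet the body releases just blob before `return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);`. If the parser can hand back a principal string together with an empty OID list, that string is leaked on this path; free principal here, or confirm it is always NULL in that case and say so in a comment.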
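Review bot: In the source3/rpc_server/srv_pipe.c hunk (pipe_spnego_auth_bind_negotiate), the widened condition reuses the existing level-0 message "Failed to parse the security blob." for the case where parse_negTokenTarg succeeded but returned no OIDs. Someone triaging logs cannot tell a malformed blob from a well-formed token with an empty mechanism list; split the two conditions or change the message to mention the missing OIDs, so that fuzzing or probing of this path is distinguishable in the server log.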
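Review bot: In the source3/smbd/sesssetup.c hunk (parse_spnego_mechanisms), the added branch returns NT_STATUS_LOGON_FAILURE after parse_negTokenTarg has already succeeded, so *pblob_out may hold the first security blob at the moment the function reports failure. Unless every caller frees that blob on an error return, add data_blob_free(pblob_out) before `return NT_STATUS_LOGON_FAILURE;` so that a token with no OIDs cannot leave an allocation behind on each rejected session setup.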
Flags: vl: review+