Attachment 5985 Details for Bug 7694 – git-am fix for 3.5.next

[patch] git-am fix for 3.5.next

0001-Fix-bug-7694-Crash-bug-with-invalid-SPNEGO-token.patch (text/plain), 2.95 KB, created by Jeremy Allison on 2010-09-26 07:01:51 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2010-09-26 07:01:51 UTC

Size: 2.95 KB

patch

obsolete

>From adc9bceee9c80f52d5055bbdd70db1c7afca425a Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Sun, 26 Sep 2010 04:59:31 -0700
>Subject: [PATCH] Fix bug 7694 - Crash bug with invalid SPNEGO token.
>
>Found by the CodeNomicon test suites at the SNIA plugfest.
>
>http://www.codenomicon.com/
>
>If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
>as we indirect the first returned value OIDs[0], which is returned as NULL.
>
>Modified for 3.5.x.
>
>Jeremy.
>---
> source3/libads/sasl.c         |    3 ++-
> source3/libsmb/cliconnect.c   |    3 ++-
> source3/rpc_server/srv_pipe.c |    3 ++-
> source3/smbd/sesssetup.c      |    3 ++-
> 4 files changed, 8 insertions(+), 4 deletions(-)
>
>diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
>index 9b4d8bd..421faed 100644
>--- a/source3/libads/sasl.c
>+++ b/source3/libads/sasl.c
>@@ -769,7 +769,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> 
> 	/* the server sent us the first part of the SPNEGO exchange in the negprot 
> 	   reply */
>-	if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal)) {
>+	if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal) ||
>+			OIDs[0] == NULL) {
> 		data_blob_free(&blob);
> 		status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
> 		goto failed;
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index a3febde..9d0b1e3 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -1007,7 +1007,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
> 	 * negprot reply. It is WRONG to depend on the principal sent in the
> 	 * negprot reply, but right now we do it. If we don't receive one,
> 	 * we try to best guess, then fall back to NTLM.  */
>-	if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
>+	if (!spnego_parse_negTokenInit(blob, OIDs, &principal) ||
>+			OIDs[0] == NULL) {
> 		data_blob_free(&blob);
> 		return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
> 	}
>diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
>index 46f67f4..9c80fa2 100644
>--- a/source3/rpc_server/srv_pipe.c
>+++ b/source3/rpc_server/srv_pipe.c
>@@ -1184,7 +1184,8 @@ static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_
> 	}
> 
> 	/* parse out the OIDs and the first sec blob */
>-	if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
>+	if (!parse_negTokenTarg(blob, OIDs, &secblob) ||
>+			OIDs[0] == NULL) {
> 		DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
> 		goto err;
>         }
>diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
>index 68cb8d3..ab9d855 100644
>--- a/source3/smbd/sesssetup.c
>+++ b/source3/smbd/sesssetup.c
>@@ -725,7 +725,8 @@ NTSTATUS parse_spnego_mechanisms(DATA_BLOB blob_in,
> 	*kerb_mechOID = NULL;
> 
> 	/* parse out the OIDs and the first sec blob */
>-	if (!parse_negTokenTarg(blob_in, OIDs, pblob_out)) {
>+	if (!parse_negTokenTarg(blob_in, OIDs, pblob_out) ||
>+			OIDs[0] == NULL) {
> 		return NT_STATUS_LOGON_FAILURE;
> 	}
> 
>-- 
>1.7.0.4
>

Flags:

vl: review+

Actions: View

Attachments on bug 7694: 5985