The Samba-Bugzilla – Attachment 6492 Details for Bug 6911: Kerberos authentication from vista to samba fails when security blob size is greater than 16 kB
[patch] git-am fix for 3.6.0
0001-Fix-bug-6911-Kerberos-authentication-from-vista-to-s.patch (text/plain), 2.64 KB, created by Jeremy Allison on 2011-05-27 00:10:05 UTC
>From 73086592bcb3c63c27c0ec2e70840e6c78cabcc1 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 26 May 2011 16:48:42 -0700 >Subject: [PATCH] Fix bug #6911 - Kerberos authentication from vista to samba fails when security blob size is greater than 16 kB > >We were not correctly checking the output of asn1_start_tag(). >asn1_start_tag() returns -1 and sets data->has_error if the >remaining blob size is too short to contain the tag length. >We were checking data->has_error and returning NT_STATUS_OK >(to allow the second asn.1 parse to fail in that case). We >should not be checking data->has_error in this case, but >falling through to the code that already checks the length. > >Thanks to Jim for reproducing this for me. We don't get bitten >by this as we announce a max buffer size of 16k, greater than >Windows's 4k, which means that most krb5 spnego packets already >fit. > >Jeremy. >--- > source3/smbd/sesssetup.c | 28 +++++++++++++++++++++++++--- > 1 files changed, 25 insertions(+), 3 deletions(-) > >diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c >index 026380e..ee305c4 100644 >--- a/source3/smbd/sesssetup.c >+++ b/source3/smbd/sesssetup.c 
>@@ -930,13 +930,28 @@ static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn, > } > > asn1_load(data, *pblob); >- asn1_start_tag(data, pblob->data[0]); >- if (data->has_error || data->nesting == NULL) { >+ if (asn1_start_tag(data, pblob->data[0])) { >+ /* asn1_start_tag checks if the given >+ length of the blob is enough to complete >+ the tag. If it returns true we know >+ there is nothing to do - the blob is >+ complete. */ > asn1_free(data); >- /* Let caller catch. */ > return NT_STATUS_OK; > } > >+ if (data->nesting == NULL) { >+ /* Incorrect tag, allocation failed, >+ or reading the tag length failed. >+ Let the caller catch. */ >+ asn1_free(data); >+ return NT_STATUS_OK; >+ } >+ >+ /* Here we know asn1_start_tag() has set data->has_error to true. >+ asn1_tag_remaining() will have failed due to the given blob >+ being too short. We need to work out how short. */ >+ > /* Integer wrap paranoia.... */ > > if (data->nesting->taglen + data->nesting->start < data->nesting->taglen || >@@ -965,6 +980,13 @@ static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn, > > if (needed_len <= pblob->length) { > /* Nothing to do - blob is complete. */ >+ /* THIS SHOULD NOT HAPPEN - asn1_start_tag() >+ above should have caught this !!! */ >+ DEBUG(0,("check_spnego_blob_complete: logic " >+ "error (needed_len = %u, " >+ "pblob->length = %u).\n", >+ (unsigned int)needed_len, >+ (unsigned int)pblob->length )); > return NT_STATUS_OK; > } > >-- >1.7.3.1 >
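Review bot: the return convention of asn1_start_tag() is described two ways. The new comment in the first hunk (@@ -930,13 +930,28 @@) says "If it returns true we know ... the blob is complete", while the commit message says it "returns -1" when the remaining blob is too short. With `if (asn1_start_tag(data, pblob->data[0]))`, a -1 return would take the "blob is complete" branch, so the code is only correct if the function returns a boolean. Please make the commit message match the code. In the same hunk, the `data->nesting == NULL` branch folds "incorrect tag", "allocation failed" and "reading the tag length failed" into one NT_STATUS_OK return. That is fine if the caller's second parse reliably rejects all three, but a line in the comment saying so would help, since the fall-through below dereferences data->nesting->taglen and data->nesting->start on the strength of this single check.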
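Review bot: in the second hunk (@@ -965,6 +980,13 @@), the `needed_len <= pblob->length` branch now carries two comments that contradict each other ("Nothing to do - blob is complete." followed by "THIS SHOULD NOT HAPPEN"), and it still returns NT_STATUS_OK after reporting a logic error. Please merge the comments into one that explains why success is still the right result here (the blob is long enough, so the caller's parse will handle it), or return an error if the state really is unexpected. Also, this is session setup code handling a blob supplied by the client, and the message goes out at DEBUG(0). If a peer can ever reach this branch, every such request writes a level 0 log line, so a higher debug level may be more appropriate.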
Flags: jmcd: review+