From 92c986c70059d860e15ab401ecbb3e920021a36f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 18 Sep 2012 11:51:31 -0700
Subject: [PATCH] Fix bug #9174: Empty SPNEGO packet can cause smbd to crash.

All fields within NegTokenInit and NegTokenTarg are optional. We incorrectly
assume we'll always get a data blob and indirect within it.
---
 source3/smbd/sesssetup.c      |    2 +-
 source3/smbd/smb2_sesssetup.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index d514b93..4f09db9 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -735,7 +735,7 @@ static void reply_spnego_auth(struct smb_request *req,
 		return;
 	}
 
-	if (auth.data[0] == ASN1_APPLICATION(0)) {
+	if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
 		/* Might be a second negTokenTarg packet */
 		char *kerb_mech = NULL;
 
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 64a8053..c90368f 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -560,7 +560,7 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
-	if (auth.data[0] == ASN1_APPLICATION(0)) {
+	if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
 		/* Might be a second negTokenTarg packet */
 		DATA_BLOB secblob_in = data_blob_null;
 		char *kerb_mech = NULL;
-- 
1.7.9.5