diff options
author | Stefan Metzmacher <metze@samba.org> | 2013-09-18 02:24:30 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2013-09-18 04:46:00 +0200 |
commit | 4879d0810a2ad741e32ad174a7a14cd35521aeaf (patch) | |
tree | fcf3418b942848865849b63e74c525ad6d201696 | |
parent | 17a9a0f37bbb730d09b3a57b00665d44aac18ea6 (diff) | |
download | samba-4879d0810a2ad741e32ad174a7a14cd35521aeaf.tar.gz samba-4879d0810a2ad741e32ad174a7a14cd35521aeaf.tar.bz2 samba-4879d0810a2ad741e32ad174a7a14cd35521aeaf.zip |
libcli/smb: only check the SMB2 session setup signature if required and valid
This is an update to commit af290a03cef63c3b08446c1980de064a3b1c8804
that skips the scary debug messages.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Sep 18 04:46:00 CEST 2013 on sn-devel-104
-rw-r--r-- | libcli/smb/smbXcli_base.c | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index f59f1f7ad2..27ac2a8f58 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -4742,12 +4742,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, struct smbXcli_conn *conn = session->conn; uint16_t no_sign_flags; uint8_t session_key[16]; + bool check_signature = true; + uint32_t hdr_flags; NTSTATUS status; if (conn == NULL) { return NT_STATUS_INVALID_PARAMETER_MIX; } + if (recv_iov[0].iov_len != SMB2_HDR_BODY) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; if (session->smb2->session_flags & no_sign_flags) { @@ -4839,18 +4845,28 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, return NT_STATUS_NO_MEMORY; } - status = smb2_signing_check_pdu(session->smb2_channel.signing_key, - session->conn->protocol, - recv_iov, 3); - if (!NT_STATUS_IS_OK(status)) { + check_signature = conn->mandatory_signing; + + hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS); + if (hdr_flags & SMB2_HDR_FLAG_SIGNED) { /* * Sadly some vendors don't sign the * final SMB2 session setup response * * At least Windows and Samba are always doing this * if there's a session key available. + * + * We only check the signature if it's mandatory + * or SMB2_HDR_FLAG_SIGNED is provided. */ - if (conn->mandatory_signing) { + check_signature = true; + } + + if (check_signature) { + status = smb2_signing_check_pdu(session->smb2_channel.signing_key, + session->conn->protocol, + recv_iov, 3); + if (!NT_STATUS_IS_OK(status)) { return status; } } |