summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2013-09-18 02:24:30 +0200
committerStefan Metzmacher <metze@samba.org>2013-09-18 04:46:00 +0200
commit4879d0810a2ad741e32ad174a7a14cd35521aeaf (patch)
treefcf3418b942848865849b63e74c525ad6d201696
parent17a9a0f37bbb730d09b3a57b00665d44aac18ea6 (diff)
downloadsamba-4879d0810a2ad741e32ad174a7a14cd35521aeaf.tar.gz
samba-4879d0810a2ad741e32ad174a7a14cd35521aeaf.tar.bz2
samba-4879d0810a2ad741e32ad174a7a14cd35521aeaf.zip
libcli/smb: only check the SMB2 session setup signature if required and valid
This is an update to commit af290a03cef63c3b08446c1980de064a3b1c8804 that skips the scary debug messages. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Sep 18 04:46:00 CEST 2013 on sn-devel-104
-rw-r--r--libcli/smb/smbXcli_base.c26
1 files changed, 21 insertions, 5 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index f59f1f7ad2..27ac2a8f58 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4742,12 +4742,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
struct smbXcli_conn *conn = session->conn;
uint16_t no_sign_flags;
uint8_t session_key[16];
+ bool check_signature = true;
+ uint32_t hdr_flags;
NTSTATUS status;
if (conn == NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
+ if (recv_iov[0].iov_len != SMB2_HDR_BODY) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
if (session->smb2->session_flags & no_sign_flags) {
@@ -4839,18 +4845,28 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
return NT_STATUS_NO_MEMORY;
}
- status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
- session->conn->protocol,
- recv_iov, 3);
- if (!NT_STATUS_IS_OK(status)) {
+ check_signature = conn->mandatory_signing;
+
+ hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
+ if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
/*
* Sadly some vendors don't sign the
* final SMB2 session setup response
*
* At least Windows and Samba are always doing this
* if there's a session key available.
+ *
+ * We only check the signature if it's mandatory
+ * or SMB2_HDR_FLAG_SIGNED is provided.
*/
- if (conn->mandatory_signing) {
+ check_signature = true;
+ }
+
+ if (check_signature) {
+ status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
+ session->conn->protocol,
+ recv_iov, 3);
+ if (!NT_STATUS_IS_OK(status)) {
return status;
}
}