author | Jeremy Allison <jra@samba.org> | 2010-09-23 21:44:24 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-09-23 21:44:24 -0700 |
commit | d8814b1a48adaf1f428c7119b97c87b69123e6fa (patch) | |
tree | 4b915160b408a5790000442b54567d7ab7de7b3a /source3/libads | |
parent | 0a1d153b256e45d7862235ab0fdaa9e92ae883f2 (diff) | |
Fix bug 7694 - Crash bug with invalid SPNEGO token.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
Diffstat (limited to 'source3/libads')
-rw-r--r-- | source3/libads/sasl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 051fc961d9..653d546ccd 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -785,7 +785,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) /* the server sent us the first part of the SPNEGO exchange in the negprot reply */ - if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL)) { + if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) || + OIDs[0] == NULL) { data_blob_free(&blob); status = ADS_ERROR(LDAP_OPERATIONS_ERROR); goto failed; |
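Review bot: The added `OIDs[0] == NULL` test in the `if` condition of ads_sasl_spnego_bind() guards only this one call site, so any other caller of spnego_parse_negTokenInit() that dereferences `OIDs[0]` still depends on remembering the same check. Consider making spnego_parse_negTokenInit() itself return false when the token carries no mechanism OID, so a successful return guarantees a non-NULL first entry for every caller. If the per-caller check stays, a one-line comment above the condition saying that a token can parse successfully and still contain no OIDs would explain why the second test is needed. The commit message describes the crash in the SMB1/SMB2 server while this hunk is in the LDAP bind path, so it is worth confirming that the server-side callers received the same guard. Both failure cases also collapse into `LDAP_OPERATIONS_ERROR` with nothing logged in the visible lines; a debug message for the empty-OID case would make a malformed token distinguishable from a parse failure when diagnosing a failed bind.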