authorJeremy Allison <jra@samba.org>2010-09-23 21:44:24 -0700
committerJeremy Allison <jra@samba.org>2010-09-23 21:44:24 -0700
commitd8814b1a48adaf1f428c7119b97c87b69123e6fa (patch)
tree4b915160b408a5790000442b54567d7ab7de7b3a /source3/libsmb/cliconnect.c
parent0a1d153b256e45d7862235ab0fdaa9e92ae883f2 (diff)
Fix bug 7694 - Crash bug with invalid SPNEGO token.
Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL. Jeremy.
Diffstat (limited to 'source3/libsmb/cliconnect.c')
-rw-r--r--source3/libsmb/cliconnect.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 92e5bb2021..f76f17c1bd 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1229,7 +1229,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
* negprot reply. It is WRONG to depend on the principal sent in the
* negprot reply, but right now we do it. If we don't receive one,
* we try to best guess, then fall back to NTLM. */
- if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL) ||
+ OIDs[0] == NULL) {
data_blob_free(&blob);
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
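Review bot: The added `OIDs[0] == NULL` test in cli_session_setup_spnego is only sound if spnego_parse_negTokenInit always stores to OIDs[0] (NULL-terminating the list) whenever it returns true. The declaration of OIDs and the parser body are outside this hunk, so that cannot be confirmed from here. If OIDs is an uninitialised stack array, an empty mechanism list would make this comparison read an indeterminate pointer. Zero-initialising the array at its declaration, or documenting the NULL-termination guarantee on the parser, would make the check self-contained. Since blob comes from the server's negprot reply and is therefore untrusted, a short comment above the condition would also help, for example `/* A negTokenInit with no mechanism OIDs is malformed; reject it before OIDs[0] is used below. */`.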