s3:libsmb: remove the guid from the cli->secblob in spnego mode

metze

1 files changed, 8 insertions, 4 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 77d122cf9c..315c2ac742 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1785,7 +1785,7 @@ static ADS_STATUS cli_session_setup_spnego(struct cli_state *cli,
 	DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length));
 
 	/* the server might not even do spnego */
-	if (cli->secblob.length <= 16) {
+	if (cli->secblob.length == 0) {
 		DEBUG(3,("server didn't supply a full spnego negprot\n"));
 		goto ntlmssp;
 	}
@@ -1794,8 +1794,7 @@ static ADS_STATUS cli_session_setup_spnego(struct cli_state *cli,
 	file_save("negprot.dat", cli->secblob.data, cli->secblob.length);
 #endif
 
-	/* there is 16 bytes of GUID before the real spnego packet starts */
-	blob = data_blob(cli->secblob.data+16, cli->secblob.length-16);
+	blob = data_blob(cli->secblob.data, cli->secblob.length);
 
 	/* The server sent us the first part of the SPNEGO exchange in the
 	 * negprot reply. It is WRONG to depend on the principal sent in the
@@ -2688,7 +2687,12 @@ static void cli_negprot_done(struct tevent_req *subreq)
 			server_lockread = true;
 		}
 		if (server_capabilities & CAP_EXTENDED_SECURITY) {
-			cli->secblob = data_blob(bytes, num_bytes);
+			if (num_bytes < 16) {
+				tevent_req_nterror(req,
+					NT_STATUS_INVALID_NETWORK_RESPONSE);
+				return;
+			}
+			cli->secblob = data_blob(bytes+16, num_bytes-16);
 		} else {
 			cli->secblob = data_blob(bytes, MIN(num_bytes, 8));
 			/* work out if they sent us a workgroup */