From d8814b1a48adaf1f428c7119b97c87b69123e6fa Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 23 Sep 2010 21:44:24 -0700
Subject: Fix bug 7694 - Crash bug with invalid SPNEGO token.

Found by the CodeNomicon test suites at the SNIA plugfest.

http://www.codenomicon.com/

If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL.

Jeremy.
---
 source3/rpc_server/dcesrv_spnego.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'source3/rpc_server')

diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c
index 4686534a2e..fb758e338b 100644
--- a/source3/rpc_server/dcesrv_spnego.c
+++ b/source3/rpc_server/dcesrv_spnego.c
@@ -230,7 +230,7 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
 ret = spnego_parse_negTokenInit(sp_ctx, *spnego_in, sp_ctx->oid_list, NULL, &token_in);
- if (!ret) {
+ if (!ret || sp_ctx->oid_list[0] == NULL) {
 DEBUG(3, ("Invalid SPNEGO message\n"));
 status = NT_STATUS_INVALID_PARAMETER;
 goto done;
-- 
cgit
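Review bot: The new `sp_ctx->oid_list[0] == NULL` test on the `if (!ret || ...)` line protects only this call site, so every other caller of `spnego_parse_negTokenInit()` that indexes the returned list has to repeat the same guard; this page is limited to `source3/rpc_server`, so those callers cannot be checked from here. Because this runs on a client-supplied token at the start of authentication, it would be more robust for the parser itself to return false when it decoded no OIDs, keeping this line as a second barrier. The test also assumes `oid_list[0]` is NULL whenever nothing was parsed, which presumably relies on the parser or the context allocation clearing the array and is worth confirming. I would add a comment above the test such as `/* A negTokenInit with no mechanism OIDs leaves oid_list[0] NULL; reject it before it is dereferenced. */`, and consider a separate debug message for the empty-list case so malformed tokens can be told apart from parse failures in the logs. The body of spnego_server_auth_start begins and ends outside the hunk.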