From 9220fd730c67352e2d0789f298e6e42063ca9e3c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 8 Dec 2001 02:12:17 +0000
Subject: Ensure that 'use spnego' restricts, rather than just advises our
 clients.

This means that if a hole is found in the spnego code, we can tell people
to just set 'use spengo' in their config file while we sort it out.

Other than that, preventing 'unusual' behaviour is always a good thing.

Andrew Bartlett
(This used to be commit a8a53c08f7d607268a3959486a850a2df50ca7a2)
---
 source3/smbd/sesssetup.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'source3/smbd')

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 7190caa35b..4c26bda4db 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -502,11 +502,16 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
 	ZERO_STRUCT(plaintext_password);
 
 	DEBUG(3,("wct=%d flg2=0x%x\n", CVAL(inbuf, smb_wct), SVAL(inbuf, smb_flg2)));
-	
+
 	/* a SPNEGO session setup has 12 command words, whereas a normal
 	   NT1 session setup has 13. See the cifs spec. */
 	if (CVAL(inbuf, smb_wct) == 12 &&
 	    (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY)) {
+		if (!global_spnego_negotiated) {
+			DEBUG(0,("reply_sesssetup_and_X:  Rejecting attempt at SPNEGO session setup when it was not negoitiated.\n"));
+			return ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+		}
+
 		return reply_sesssetup_and_X_spnego(conn, inbuf, outbuf, length, bufsize);
 	}
 
-- 
cgit