From d8814b1a48adaf1f428c7119b97c87b69123e6fa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 23 Sep 2010 21:44:24 -0700 Subject: Fix bug 7694 - Crash bug with invalid SPNEGO token. Found by the CodeNomicon test suites at the SNIA plugfest. http://www.codenomicon.com/ If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL. Jeremy.
---
 source3/smbd/sesssetup.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'source3/smbd')
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 0b999b348a..b227d2bc9e 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -575,7 +575,8 @@ NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
 	*kerb_mechOID = NULL;
 	/* parse out the OIDs and the first sec blob */
-	if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out)) {
+	if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out) ||
+			(OIDs[0] == NULL)) {
 		return NT_STATUS_LOGON_FAILURE;
 	}
-- cgit
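Review bot: The added `(OIDs[0] == NULL)` test is reached only after spnego_parse_negTokenInit returned true, so if the parser has already filled `*pblob_out` by then (not visible here — confirm in spnego_parse_negTokenInit), the new early return hands the caller a populated out-blob together with NT_STATUS_LOGON_FAILURE, which differs from the existing parse-failure path where nothing was produced; resetting or freeing `*pblob_out` on that branch would keep the two failure paths consistent. The reason for the guard is also worth recording next to it, since "empty mechTypes" is a malformed-token condition that later code relies on: `/* A negTokenInit with no mechTypes is malformed; callers index OIDs[0]. */`. Whether `OIDs` is guaranteed NULL-terminated after a successful parse (so that `OIDs[0]` is defined when the list is empty) is assumed by this check and is not shown in the hunk. parse_spnego_mechanisms begins before this hunk and continues after it.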