From d8814b1a48adaf1f428c7119b97c87b69123e6fa Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 23 Sep 2010 21:44:24 -0700
Subject: Fix bug 7694 - Crash bug with invalid SPNEGO token.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
---
 source3/libads/sasl.c | 3 ++-
 source3/libsmb/cliconnect.c | 3 ++-
 source3/rpc_server/dcesrv_spnego.c | 2 +-
 source3/smbd/sesssetup.c | 3 ++-
 4 files changed, 7 insertions(+), 4 deletions(-)
(limited to 'source3')
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 051fc961d9..653d546ccd 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -785,7 +785,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 /* the server sent us the first part of the SPNEGO exchange in the
 negprot reply */
- if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+ OIDs[0] == NULL) {
 data_blob_free(&blob);
 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
 goto failed;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 92e5bb2021..f76f17c1bd 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1229,7 +1229,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 * negprot reply. It is WRONG to depend on the principal sent in the
 * negprot reply, but right now we do it. If we don't receive one,
 * we try to best guess, then fall back to NTLM. */
- if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL) ||
+ OIDs[0] == NULL) {
 data_blob_free(&blob);
 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 }
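Review bot: The new `OIDs[0] == NULL` guard in ads_sasl_spnego_bind is only sound if spnego_parse_negTokenInit stores a NULL into OIDs[0] whenever the mechTypes list is empty; if the parser can return true without writing to the array and the caller does not initialise OIDs beforehand, the check reads an indeterminate pointer, which is worth confirming in the parser rather than assuming here. The same guard is repeated in the cliconnect.c, dcesrv_spnego.c and sesssetup.c hunks, so it would be more robust to have spnego_parse_negTokenInit itself reject a negTokenInit that carries no mechTypes (return false), leaving every present and future caller covered by one check instead of four copies. If the per-caller guards are kept, a comment such as `/* a negTokenInit with an empty mechTypes list is invalid; the parser leaves OIDs[0] == NULL for it */` would explain why the array is inspected after a successful parse. ads_sasl_spnego_bind's body continues outside the hunk.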
diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c
index 4686534a2e..fb758e338b 100644
--- a/source3/rpc_server/dcesrv_spnego.c
+++ b/source3/rpc_server/dcesrv_spnego.c
@@ -230,7 +230,7 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
 ret = spnego_parse_negTokenInit(sp_ctx, *spnego_in, sp_ctx->oid_list, NULL, &token_in);
- if (!ret) {
+ if (!ret || sp_ctx->oid_list[0] == NULL) {
 DEBUG(3, ("Invalid SPNEGO message\n"));
 status = NT_STATUS_INVALID_PARAMETER;
 goto done;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 0b999b348a..b227d2bc9e 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -575,7 +575,8 @@ NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
 *kerb_mechOID = NULL;
 /* parse out the OIDs and the first sec blob */
- if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out)) {
+ if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out) ||
+ (OIDs[0] == NULL)) {
 return NT_STATUS_LOGON_FAILURE;
 }
--
cgit
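Review bot: parse_spnego_mechanisms in the sesssetup.c hunk returns NT_STATUS_LOGON_FAILURE for the empty-mechTypes case without any diagnostic, whereas the dcesrv_spnego.c hunk in the same change logs `DEBUG(3, ("Invalid SPNEGO message\n"));` before failing; a malformed token from a client, the kind of input this bug was found with, is then indistinguishable from an ordinary logon failure in the smbd log. Adding `DEBUG(3, ("parse_spnego_mechanisms: negTokenInit carries no mechTypes\n"));` ahead of the `return` would keep the two server-side paths consistent and make the condition visible when it is hit. The parenthesised `(OIDs[0] == NULL)` also differs from the bare spelling used in the other three hunks; either is fine, but one form would be easier to grep for. parse_spnego_mechanisms continues outside the hunk on both sides.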