From 8e11003e214729462b7dcf46f09d47efc736e1e8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 20 Aug 2005 04:42:19 +0000
Subject: r9411: Ensure we don't send a challenge without first getting a
 negotiate in NTLMSSP, unless we are in datagram mode (not fully implemented
 yet).

Andrew Bartlett
(This used to be commit 727f5109421e9414a335e42e3ad3dd3ff19776bd)
---
 source4/auth/ntlmssp/ntlmssp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'source4/auth/ntlmssp')

diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 1fd7ac6756..339c219f62 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -138,8 +138,14 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
 			ntlmssp_command = NTLMSSP_INITIAL;
 			break;
 		case NTLMSSP_SERVER:
-			/* 'datagram' mode - no neg packet */
-			ntlmssp_command = NTLMSSP_NEGOTIATE;
+			if (gensec_security->want_features & GENSEC_FEATURE_DATAGRAM_MODE) {
+				/* 'datagram' mode - no neg packet */
+				ntlmssp_command = NTLMSSP_NEGOTIATE;
+			} else {
+				/* This is normal in SPNEGO mech negotiation fallback */
+				DEBUG(2, ("Failed to parse NTLMSSP packet: zero length\n"));
+				return NT_STATUS_INVALID_PARAMETER;
+			}
 			break;
 		}
 	} else {
-- 
cgit