diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-09-12 12:10:54 -0700 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2011-10-24 19:15:47 +0200 |
commit | a1ea93395614cf234f8fb31bbc3904e8cd45aa86 (patch) | |
tree | 38fa5f23fc75ca4b3fac7e68ac5042bec4364fd6 | |
parent | 3479f1f948c7068d8aafa65e2cb16e4cf1da9c16 (diff) | |
download | samba-a1ea93395614cf234f8fb31bbc3904e8cd45aa86.tar.gz samba-a1ea93395614cf234f8fb31bbc3904e8cd45aa86.tar.xz samba-a1ea93395614cf234f8fb31bbc3904e8cd45aa86.zip |
s3:libsmb: check the wct of the incoming SMBnegprot responses
metze
Fix bug #8452 (negprot reply needs to check vwv vector length).
The corresponding commit in master is 85332eb1c721d585e1a33101bddafdca4073e10f.
(cherry picked from commit c5bf8ac4ee60fe808a2593a5ece12e8bfad5695b)
-rw-r--r-- | source3/libsmb/cliconnect.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6316db1bd32..760681062ae 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1700,6 +1700,11 @@ static void cli_negprot_done(struct tevent_req *subreq) struct timespec ts; bool negotiated_smb_signing = false; + if (wct != 0x11) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + /* NT protocol */ cli->sec_mode = CVAL(vwv + 1, 0); cli->max_mux = SVAL(vwv + 1, 1); @@ -1765,6 +1770,11 @@ static void cli_negprot_done(struct tevent_req *subreq) } } else if (cli->protocol >= PROTOCOL_LANMAN1) { + if (wct != 0x0D) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + cli->use_spnego = False; cli->sec_mode = SVAL(vwv + 1, 0); cli->max_xmit = SVAL(vwv + 2, 0); |