authorStefan Metzmacher <metze@samba.org>2011-09-12 12:10:54 -0700
committerKarolin Seeger <kseeger@samba.org>2011-09-15 20:41:26 +0200
commitc5bf8ac4ee60fe808a2593a5ece12e8bfad5695b (patch)
treede2b4a0875893cd453e87e576e29bf2c04c8b33a
parent126d343580e7ba6465cfdf60ea60958cbe98b242 (diff)
s3:libsmb: check the wct of the incoming SMBnegprot responses
metze Fix bug #8452 (negprot reply needs to check vwv vector length). The corresponding commit in master is 85332eb1c721d585e1a33101bddafdca4073e10f.
-rw-r--r--source3/libsmb/cliconnect.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 6316db1bd32..760681062ae 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1700,6 +1700,11 @@ static void cli_negprot_done(struct tevent_req *subreq)
struct timespec ts;
bool negotiated_smb_signing = false;
+ if (wct != 0x11) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+
/* NT protocol */
cli->sec_mode = CVAL(vwv + 1, 0);
cli->max_mux = SVAL(vwv + 1, 1);
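Review bot: The `wct != 0x11` check at the top of the NT1 branch, and the matching `wct != 0x0D` check in the LANMAN1 branch of the second hunk, only guard the `vwv` reads that follow them; by that point `cli->protocol` has already been selected, presumably from `vwv[0]`, in code outside these hunks. It is worth confirming that the earlier read has its own `wct >= 1` test, otherwise a server reply with an empty word vector is still parsed before either new check runs. The final `else` branch is not visible here either, so it may need the same attention if it touches `vwv`. The bare constants would be easier to audit with a comment, for example `/* NT LM 0.12 negprot response: exactly 17 parameter words */` here and `/* LANMAN negprot response: exactly 13 parameter words */` in the second hunk. cli_negprot_done starts and ends outside both hunks.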
@@ -1765,6 +1770,11 @@ static void cli_negprot_done(struct tevent_req *subreq)
}
} else if (cli->protocol >= PROTOCOL_LANMAN1) {
+ if (wct != 0x0D) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+
cli->use_spnego = False;
cli->sec_mode = SVAL(vwv + 1, 0);
cli->max_xmit = SVAL(vwv + 2, 0);