diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-09-12 12:10:54 -0700 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2011-09-15 20:41:26 +0200 |
commit | c5bf8ac4ee60fe808a2593a5ece12e8bfad5695b (patch) | |
tree | de2b4a0875893cd453e87e576e29bf2c04c8b33a | |
parent | 126d343580e7ba6465cfdf60ea60958cbe98b242 (diff) | |
download | samba-c5bf8ac4ee60fe808a2593a5ece12e8bfad5695b.tar.gz samba-c5bf8ac4ee60fe808a2593a5ece12e8bfad5695b.tar.xz samba-c5bf8ac4ee60fe808a2593a5ece12e8bfad5695b.zip |
s3:libsmb: check the wct of the incoming SMBnegprot responses
metze
Fix bug #8452 (negprot reply needs to check vwv vector length).
The corresponding commit in master is 85332eb1c721d585e1a33101bddafdca4073e10f.
-rw-r--r-- | source3/libsmb/cliconnect.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6316db1bd32..760681062ae 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1700,6 +1700,11 @@ static void cli_negprot_done(struct tevent_req *subreq) struct timespec ts; bool negotiated_smb_signing = false; + if (wct != 0x11) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + /* NT protocol */ cli->sec_mode = CVAL(vwv + 1, 0); cli->max_mux = SVAL(vwv + 1, 1); @@ -1765,6 +1770,11 @@ static void cli_negprot_done(struct tevent_req *subreq) } } else if (cli->protocol >= PROTOCOL_LANMAN1) { + if (wct != 0x0D) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + cli->use_spnego = False; cli->sec_mode = SVAL(vwv + 1, 0); cli->max_xmit = SVAL(vwv + 2, 0); |