CVE-2019-10218 - s3: libsmb: Protect SMB2 client code from evil server returned names.

Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071

Signed-off-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 1cfa50ffbac62886f452818b497c3d234efbf8e3..3cdf68dc24b6dba6ce2377e99bc8270fa3f77ad1 100644 (file)
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1017,6 +1017,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli,
                                goto fail;
                        }
 
+                       /* Protect against server attack. */
+                       status = is_bad_finfo_name(cli, finfo);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               smbXcli_conn_disconnect(cli->conn, status);
+                               goto fail;
+                       }
+
                        if (dir_check_ftype((uint32_t)finfo->mode,
                                        (uint32_t)attribute)) {
                                /*