CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange

Even for SMB where the server provides its mech list,
the client needs to remember its own mech list for the
mechListMIC calculation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0079bb8d509a9c5017fd9151d326cdeee4607cf7..9c5e51daead724e6fa1d47ecd6910d9e196f7f2a 100644 (file)
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -784,6 +784,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 
                const char *my_mechs[] = {NULL, NULL};
                NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
+               bool ok;
 
                if (!in.length) {
                        /* client to produce negTokenInit */
@@ -846,6 +847,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                                return NT_STATUS_INVALID_PARAMETER;
                }
 
+               ok = spnego_write_mech_types(spnego_state,
+                                            my_mechs,
+                                            &spnego_state->mech_types);
+               if (!ok) {
+                       DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
+                       return NT_STATUS_NO_MEMORY;
+               }
+
                /* set next state */
                spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
                spnego_state->state_position = SPNEGO_CLIENT_TARG;