Fix bug 7694 - Crash bug with invalid SPNEGO token.

Found by the CodeNomicon test suites at the SNIA plugfest.

http://www.codenomicon.com/

If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.

Jeremy.

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 051fc961d9bc50a31a4989eb43e0fe94b120b46e..653d546ccdf90666851b3e4f209feae9e07ed0b6 100644 (file)
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -785,7 +785,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 
        /* the server sent us the first part of the SPNEGO exchange in the negprot 
           reply */
-       if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL)) {
+       if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+                       OIDs[0] == NULL) {
                data_blob_free(&blob);
                status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
                goto failed;

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 92e5bb2021d5a267fd949bd0af7328aebe509dee..f76f17c1bd17440814497af36f1a4822e620d86a 100644 (file)
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1229,7 +1229,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
         * negprot reply. It is WRONG to depend on the principal sent in the
         * negprot reply, but right now we do it. If we don't receive one,
         * we try to best guess, then fall back to NTLM.  */
-       if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL)) {
+       if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL) ||
+                       OIDs[0] == NULL) {
                data_blob_free(&blob);
                return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
        }

diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c
index 4686534a2ee8e541cd3adb97a40f8debfe791b6e..fb758e338b84ffa970c561db71b3b37ad6d2689f 100644 (file)
--- a/source3/rpc_server/dcesrv_spnego.c
+++ b/source3/rpc_server/dcesrv_spnego.c
@@ -230,7 +230,7 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
 
        ret = spnego_parse_negTokenInit(sp_ctx, *spnego_in,
                                        sp_ctx->oid_list, NULL, &token_in);
-       if (!ret) {
+       if (!ret || sp_ctx->oid_list[0] == NULL) {
                DEBUG(3, ("Invalid SPNEGO message\n"));
                status = NT_STATUS_INVALID_PARAMETER;
                goto done;

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 0b999b348a8fee5f8f9ed5d60095eb0e0249cea3..b227d2bc9e4e5fef05b8723f72b56d1512e3a979 100644 (file)
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -575,7 +575,8 @@ NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
        *kerb_mechOID = NULL;
 
        /* parse out the OIDs and the first sec blob */
-       if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out)) {
+       if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out) ||
+                       (OIDs[0] == NULL)) {
                return NT_STATUS_LOGON_FAILURE;
        }