s3:libsmb: check the wct of the incoming SMBnegprot responses

metze

Fix bug #8452 (negprot reply needs to check vwv vector length).

The corresponding commit in master is 85332eb1c721d585e1a33101bddafdca4073e10f.
(cherry picked from commit c5bf8ac4ee60fe808a2593a5ece12e8bfad5695b)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 6316db1bd3255b45a3548baa2df2cf813b389f18..760681062aec77891460158d0e61a90b95c72030 100644 (file)
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1700,6 +1700,11 @@ static void cli_negprot_done(struct tevent_req *subreq)
                struct timespec ts;
                bool negotiated_smb_signing = false;
 
+               if (wct != 0x11) {
+                       tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                       return;
+               }
+
                /* NT protocol */
                cli->sec_mode = CVAL(vwv + 1, 0);
                cli->max_mux = SVAL(vwv + 1, 1);
@@ -1765,6 +1770,11 @@ static void cli_negprot_done(struct tevent_req *subreq)
                }
 
        } else if (cli->protocol >= PROTOCOL_LANMAN1) {
+               if (wct != 0x0D) {
+                       tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+                       return;
+               }
+
                cli->use_spnego = False;
                cli->sec_mode = SVAL(vwv + 1, 0);
                cli->max_xmit = SVAL(vwv + 2, 0);