CVE-2023-3347: smbd: fix "server signing = mandatory"

This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
calling srv_init_signing() very early after accepting the connection in
smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224

diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
deleted file mode 100644 (file)
index 53b7a70..0000000
--- a/selftest/knownfail.d/samba3.smb2.session-require-signing
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.session-require-signing.bug15397

diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
index ef4a54d5710762fd80c53c7cab4ed4dce6bcf81b..73d07380dfa173d5f34c935b83fdc8ddc3d90b7b 100644 (file)
--- a/source3/smbd/smb2_signing.c
+++ b/source3/smbd/smb2_signing.c
@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
                return false;
        }
 
+       /*
+        * For SMB2 all we need to know is if signing is mandatory.
+        * It is always allowed and desired, whatever the smb.conf says.
+        */
+       (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
+
 #if defined(WITH_SMB1SERVER)
-       if (conn->protocol >= PROTOCOL_SMB2_02) {
-#endif
-               /*
-                * For SMB2 all we need to know is if signing is mandatory.
-                * It is always allowed and desired, whatever the smb.conf says.
-                */
-               (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-#if defined(WITH_SMB1SERVER)
-       } else {
-               ok = smb1_srv_init_signing(lp_ctx, conn);
-       }
+       ok = smb1_srv_init_signing(lp_ctx, conn);
 #endif
+
        talloc_unlink(conn, lp_ctx);
        return ok;
 }