Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server,
because we dereference the first returned OID, OIDs[0], which the parser leaves as NULL.
Modified for 3.5.x.
Jeremy.
/* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
- if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal)) {
+ if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal) ||
+ OIDs[0] == NULL) {
data_blob_free(&blob);
status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
goto failed;
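Review bot: The new `|| OIDs[0] == NULL` exit after spnego_parse_negTokenInit frees `blob` but does nothing with `given_principal`, which the parser may already have filled in when it returned true with an empty OID list. The old guard only fired when the parser itself reported failure; success-with-no-OIDs is a new exit path, so either confirm the `failed:` label releases `given_principal` (it is not visible here) or add `SAFE_FREE(given_principal);` before `goto failed;`, using whatever allocator the parser uses for that string. The enclosing function starts before and continues after this hunk.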
* negprot reply. It is WRONG to depend on the principal sent in the
* negprot reply, but right now we do it. If we don't receive one,
* we try to best guess, then fall back to NTLM. */
- if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
+ if (!spnego_parse_negTokenInit(blob, OIDs, &principal) ||
+ OIDs[0] == NULL) {
data_blob_free(&blob);
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
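Review bot: Unlike the libads variant, this early exit is a bare `return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);` with no cleanup label, so if spnego_parse_negTokenInit assigned `principal` before returning true with no OIDs, that string is leaked on the newly added path. Releasing it before the return, e.g. `SAFE_FREE(principal);` or the matching talloc free depending on how the parser allocates it, keeps this path leak-free; I cannot see the parser here, so confirm which allocator applies. The enclosing function starts before and continues after this hunk.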
}
/* parse out the OIDs and the first sec blob */
- if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
+ if (!parse_negTokenTarg(blob, OIDs, &secblob) ||
+ OIDs[0] == NULL) {
DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
goto err;
}
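Review bot: With the `OIDs[0] == NULL` clause folded into the same condition, the DEBUG(0) line now reports "Failed to parse the security blob" for a blob that parsed fine but carried no mechanism OIDs, which hides the exact case this patch is fixing when triaging a crash report. A separate message for the empty-list case, `DEBUG(0,("pipe_spnego_auth_bind_negotiate: security blob contains no mechanism OIDs.\n"));`, or at least a mention of it in the existing text, would make the two failures distinguishable. Since this blob arrives during bind negotiation, before the client is authenticated, consider whether level 0 is appropriate for input a remote peer can send at will; the original line already had that property, so this is a pre-existing concern rather than one introduced here. The enclosing function starts before and continues after this hunk.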
*kerb_mechOID = NULL;
/* parse out the OIDs and the first sec blob */
- if (!parse_negTokenTarg(blob_in, OIDs, pblob_out)) {
+ if (!parse_negTokenTarg(blob_in, OIDs, pblob_out) ||
+ OIDs[0] == NULL) {
return NT_STATUS_LOGON_FAILURE;
}
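Review bot: The `OIDs[0] == NULL` test added here is the fourth copy of the same guard bolted onto a caller of parse_negTokenTarg / spnego_parse_negTokenInit, and any caller this patch did not touch remains exposed to the same NULL dereference. Having the parsers themselves return false when no OID was read would fix every call site at once and make a non-NULL `OIDs[0]` a guaranteed postcondition; a comment such as `/* parsers may succeed with an empty OID list; reject it here until they refuse it themselves */` on the guard would record why the check exists. The enclosing function starts before this hunk.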