Fix bug #9174: Empty SPNEGO packet can cause smbd to crash.

All fields within NegTokenInit and NegTokenTarg are optional. We incorrectly
assume we'll always get a data blob and indirect within it.

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index d514b93518a2cb5e1539f9be593cba09d911676d..4f09db929ac9834dd38d69646c6ba5f087a5cede 100644 (file)
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -735,7 +735,7 @@ static void reply_spnego_auth(struct smb_request *req,
                return;
        }
 
-       if (auth.data[0] == ASN1_APPLICATION(0)) {
+       if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
                /* Might be a second negTokenTarg packet */
                char *kerb_mech = NULL;
 

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 64a8053e40b7d8b933f6e518d6f4a5d0a0543997..c90368ffc58aa201e1fd6fe80bd46ab9aa3562a8 100644 (file)
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -560,7 +560,7 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
                return NT_STATUS_LOGON_FAILURE;
        }
 
-       if (auth.data[0] == ASN1_APPLICATION(0)) {
+       if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
                /* Might be a second negTokenTarg packet */
                DATA_BLOB secblob_in = data_blob_null;
                char *kerb_mech = NULL;