CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
authorStefan Metzmacher <metze@samba.org>
Mon, 12 Dec 2016 05:07:56 +0000 (06:07 +0100)
committerKarolin Seeger <kseeger@samba.org>
Wed, 13 Sep 2017 16:19:49 +0000 (09:19 -0700)
With forced encryption or required signing we should also not fall back.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source3/libsmb/clidfs.c

index d2a4c194f44986782c34de18ba334619df80f330..3b3e6b9dc74e46b70396d9eaa6eeda4a50631c8d 100644 (file)
@@ -203,7 +203,9 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
                /* If a password was not supplied then
                 * try again with a null username. */
                if (password[0] || !username[0] ||
+                       force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
                        get_cmdline_auth_info_use_kerberos(auth_info) ||
+                       get_cmdline_auth_info_use_ccache(auth_info) ||
                        !NT_STATUS_IS_OK(status = cli_session_setup(c, "",
                                                "", 0,
                                                "", 0,
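Review bot: The comment above the condition is now stale: it still says only "If a password was not supplied then try again with a null username", while the new code also refuses the anonymous retry when `force_encrypt` is set, when `smbXcli_conn_signing_mandatory(c->conn)` is true, or when Kerberos or ccache authentication was requested. The retry itself is the `cli_session_setup(c, "", ...)` call embedded at the end of the `||` chain, so the protection depends on every policy check staying ahead of that call. I would replace the comment with something like `/* Retry anonymously only if no password was given and neither encryption, signing, kerberos nor ccache was requested; these checks must stay before the cli_session_setup() call. */`. The condition and the rest of do_connect continue outside the hunk.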