When the ptext_size != m_total check fails, we call this:
    status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
    goto out;
As rc is 0 at that point we'll exit smb2_signing_decrypt_pdu()
with NT_STATUS_OK, but without copying the decrypted data
back into the caller's buffer, which leads to strange errors
in the caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 99182af4ab5a3413311e27c2a193e09babceb01c)
ctext_size,
ptext,
&ptext_size);
- if (rc < 0 || ptext_size != m_total) {
+ if (rc < 0) {
+ TALLOC_FREE(ptext);
+ TALLOC_FREE(ctext);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
+ goto out;
+ }
+ if (ptext_size != m_total) {
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
+ rc = GNUTLS_E_SHORT_MEMORY_BUFFER;
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out;
}
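Review bot: The new ptext_size != m_total branch assigns rc = GNUTLS_E_SHORT_MEMORY_BUFFER only so that gnutls_error_to_ntstatus() no longer sees rc == 0 and returns NT_STATUS_OK, and nothing in the code says so. A one-line comment above the assignment ("rc is 0 here, force an error status") would keep a later cleanup from dropping it and reintroducing the silent-success path. Alternatively, this branch could set status to an explicit NT_STATUS error directly, so the result does not depend on how the mapper translates a synthetic gnutls code. The two branches now repeat the same TALLOC_FREE(ptext), TALLOC_FREE(ctext), goto out sequence. Setting rc in the mismatch case and then sharing one error block would avoid the duplication.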