From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 26 Mar 2016 17:08:16 +0000 (+0100)
Subject: CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
X-Git-Tag: samba-4.2.10~173
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e35c14ea9e55c73a5a26c083ac87f92f6504677;p=thirdparty%2Fsamba.git

CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index a406cebd401..4d0d2f2f07f 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2145,6 +2145,17 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
 		return req;
 	} else {
 		/* otherwise do a NT1 style session setup */
+		if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
+			/*
+			 * Don't send an NTLMv2 response without NTLMSSP
+			 * if we want to use spnego support
+			 */
+			DEBUG(1, ("Server does not support EXTENDED_SECURITY "
+				  " but 'client use spnego = yes"
+				  " and 'client ntlmv2 auth = yes'\n"));
+			tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+			return tevent_req_post(req, ev);
+		}
 
 		subreq = cli_session_setup_nt1_send(
 			state, ev, cli, user, pass, passlen, ntpass, ntpasslen,