From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 26 Mar 2016 17:08:16 +0000 (+0100)
Subject: CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
X-Git-Tag: samba-4.2.10~174
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2608fb3d766a2048f57d6a7de006b61e6cca0b27;p=thirdparty%2Fsamba.git

CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---

diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
index f09a3f80914..9f989f21f2c 100644
--- a/source4/libcli/smb_composite/sesssetup.c
+++ b/source4/libcli/smb_composite/sesssetup.c
@@ -329,6 +329,17 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
 	
 
 	if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
+		if (!cli_credentials_is_anonymous(io->in.credentials) &&
+		    session->options.ntlmv2_auth &&
+		    session->transport->options.use_spnego)
+		{
+			/*
+			 * Don't send an NTLMv2_RESPONSE without NTLMSSP
+			 * if we want to use spnego
+			 */
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
 		nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
 							      &flags, 
 							      session->transport->negotiate.secblob,