From: Jeremy Allison <jra@samba.org>
Date: Tue, 26 Nov 2019 20:53:09 +0000 (-0800)
Subject: s3: smbd: Only set xconn->smb1.negprot.done = true after supported_protocols[protocol... 
X-Git-Tag: samba-4.10.13~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2757c0711d02c2135afb161dac70d2150b18190b;p=thirdparty%2Fsamba.git

s3: smbd: Only set xconn->smb1.negprot.done = true after supported_protocols[protocol].proto_reply_fn() succeeds.

Otherwise we can end up with negprot.done set, but
without smbXsrv_connection_init_tables() being called.

This can cause a client self-crash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec  4 21:27:24 UTC 2019 on sn-devel-184

(cherry picked from commit 8db0c1bff6f42feabd2e4d9dfb13ae12cc29607b)
---

diff --git a/selftest/knownfail.d/smb1_fuzz_smbd b/selftest/knownfail.d/smb1_fuzz_smbd
deleted file mode 100644
index 82b1b26254f..00000000000
--- a/selftest/knownfail.d/smb1_fuzz_smbd
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.smbd_fuzztest
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 8317dc49086..e77c8f52261 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -588,7 +588,6 @@ void reply_negprot(struct smb_request *req)
 		END_PROFILE(SMBnegprot);
 		exit_server_cleanly("multiple negprot's are not permitted");
 	}
-	xconn->smb1.negprot.done = true;
 
 	if (req->buflen == 0) {
 		DEBUG(0, ("negprot got no protocols\n"));
@@ -778,6 +777,8 @@ void reply_negprot(struct smb_request *req)
 
 	DBG_INFO("negprot index=%zu\n", choice);
 
+	xconn->smb1.negprot.done = true;
+
 	/* We always have xconn->smb1.signing_state also for >= SMB2_02 */
 	signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state);
 	if (signing_required && (chosen_level < PROTOCOL_NT1)) {