From: Stefan Metzmacher Date: Mon, 31 Jan 2022 19:33:43 +0000 (+0100) Subject: libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len X-Git-Tag: tevent-0.12.0~790 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99182af4ab5a3413311e27c2a193e09babceb01c;p=thirdparty%2Fsamba.git libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len When the ptext_size != m_total check fails, we call this: status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); goto out; As rc is 0 at that point we'll exit smb2_signing_decrypt_pdu() with NT_STATUS_OK, but without copying the decrypted data back into the callers buffer. Which leads to strange errors in the caller. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index 4a94b026ccc..b6add1b5c28 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -1251,9 +1251,16 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, ctext_size, ptext, &ptext_size); - if (rc < 0 || ptext_size != m_total) { + if (rc < 0) { + TALLOC_FREE(ptext); + TALLOC_FREE(ctext); + status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); + goto out; + } + if (ptext_size != m_total) { TALLOC_FREE(ptext); TALLOC_FREE(ctext); + rc = GNUTLS_E_SHORT_MEMORY_BUFFER; status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); goto out; }
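Review bot: In the new `if (ptext_size != m_total)` branch, `rc = GNUTLS_E_SHORT_MEMORY_BUFFER;` is assigned only so that `gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR)` yields a failure, so the status the caller sees depends on how that helper translates a synthetic gnutls code. Consider assigning `status` directly in this branch. Also add a one-line comment that rc is 0 here because the decrypt call succeeded but returned an unexpected length. Without it, a later cleanup could merge the two checks again and bring back the NT_STATUS_OK return with the caller's buffer left undecrypted. The two branches now repeat the same `TALLOC_FREE(ptext); TALLOC_FREE(ctext);` cleanup, which a shared error path would keep in one place.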