From: Stefan Metzmacher Date: Tue, 30 Aug 2022 14:56:12 +0000 (+0200) Subject: smbXsrv_client: correctly check in negotiate_request.length smbXsrv_client_connection... X-Git-Tag: talloc-2.4.0~1208 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21ef01e7b8368caa050ed82b9d787d1679220b2b;p=thirdparty%2Fsamba.git smbXsrv_client: correctly check in negotiate_request.length smbXsrv_client_connection_pass[ed]_* BUG: https://bugzilla.samba.org/show_bug.cgi?id=15159 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison
---
diff --git a/source3/smbd/smbXsrv_client.c b/source3/smbd/smbXsrv_client.c
index 079ca80ad12..7cf51b2d022 100644
--- a/source3/smbd/smbXsrv_client.c
+++ b/source3/smbd/smbXsrv_client.c
@@ -614,10 +614,6 @@ static bool smb2srv_client_mc_negprot_filter(struct messaging_rec *rec, void *pr
 return false;
 }
 
- if (rec->buf.length < SMB2_HDR_BODY) {
- return false;
- }
-
 return true;
 }
 
@@ -707,6 +703,14 @@ static void smb2srv_client_mc_negprot_done(struct tevent_req *subreq)
 return;
 }
 
+ if (passed_info0->negotiate_request.length != 0) {
+ DBG_ERR("negotiate_request.length[%zu]\n",
+ passed_info0->negotiate_request.length);
+ NDR_PRINT_DEBUG(smbXsrv_connection_passB, &passed_blob);
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
 tevent_req_nterror(req, NT_STATUS_MESSAGE_RETRIEVED);
 }
 
@@ -931,12 +935,6 @@ static bool smbXsrv_client_connection_pass_filter(struct messaging_rec *rec, voi
 return false;
 }
 
- if (rec->buf.length < SMB2_HDR_BODY) {
- return false;
- }
-
- /* TODO: verify client_guid...? */
-
 return true;
 }
 
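Review bot: In the block added to smb2srv_client_mc_negprot_done (the @@ -707 hunk), `NDR_PRINT_DEBUG(smbXsrv_connection_passB, &passed_blob);` runs unconditionally, whereas the parallel check added in the @@ -1029 hunk wraps the same dump in `if (DEBUGLVL(DBGLVL_WARNING)) { ... }`. The blob appears to be decoded from a message sent by another process (the filter hunks operate on `struct messaging_rec`), so its size and contents are not controlled here; gating the dump the same way, e.g. `if (DEBUGLVL(DBGLVL_ERR)) { NDR_PRINT_DEBUG(smbXsrv_connection_passB, &passed_blob); }`, keeps both paths consistent and avoids dumping peer-supplied data by default. The log line prints only the length, so a comment above the check such as `/* a "passed" confirmation must not carry a negotiate request */` would help; that reading is inferred from the `!= 0` test and should be confirmed. The function starts outside the hunk.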
@@ -1029,6 +1027,15 @@ static void smbXsrv_client_connection_pass_loop(struct tevent_req *subreq)
 goto next;
 }
 
+ if (pass_info0->negotiate_request.length < SMB2_HDR_BODY) {
+ DBG_WARNING("negotiate_request.length[%zu]\n",
+ pass_info0->negotiate_request.length);
+ if (DEBUGLVL(DBGLVL_WARNING)) {
+ NDR_PRINT_DEBUG(smbXsrv_connection_passB, &pass_blob);
+ }
+ goto next;
+ }
+
 status = smb2srv_client_connection_passed(client, pass_info0);
 if (!NT_STATUS_IS_OK(status)) {
 const char *r = "smb2srv_client_connection_passed() failed";
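Review bot: The new guard in smbXsrv_client_connection_pass_loop only sets a lower bound of SMB2_HDR_BODY on `pass_info0->negotiate_request.length`, so everything past the fixed header is still unvalidated when the blob is handed to smb2srv_client_connection_passed(). It is worth confirming that the callee bounds-checks the negotiate body itself, and recording that split above the check with a comment such as `/* need at least the fixed SMB2 header before handing the request on */`. The warning would be easier to act on if it named the expected minimum: `DBG_WARNING("negotiate_request.length[%zu] < SMB2_HDR_BODY[%zu]\n", pass_info0->negotiate_request.length, (size_t)SMB2_HDR_BODY);`. The function starts and ends outside the hunk, so neither the callee's checks nor a replacement for the `/* TODO: verify client_guid...? */` marker deleted in the @@ -931 hunk is visible here.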