From: Stefan Metzmacher
Date: Tue, 11 Jun 2019 15:44:04 +0000 (+0200)
Subject: libcli/smb: harden smbXcli_session_shallow_copy against nonce reusage
X-Git-Tag: ldb-2.0.5~397
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b336d09b7b18370098ee73e63cf794a161e1ecb3;p=thirdparty%2Fsamba.git

libcli/smb: harden smbXcli_session_shallow_copy against nonce reusage

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Wed Jun 12 13:56:19 UTC 2019 on sn-devel-184
---

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 3d7a0625ccc..1af550d9cdd 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5562,6 +5562,8 @@ struct smbXcli_session *smbXcli_session_shallow_copy(TALLOC_CTX *mem_ctx,
 struct smbXcli_session *src)
 {
 struct smbXcli_session *session;
+ struct timespec ts;
+ NTTIME nt;
 
 session = talloc_zero(mem_ctx, struct smbXcli_session);
 if (session == NULL) {
@@ -5583,6 +5585,23 @@ struct smbXcli_session *smbXcli_session_shallow_copy(TALLOC_CTX *mem_ctx,
 session->smb2_channel = src->smb2_channel;
 session->disconnect_expired = src->disconnect_expired;
 
+ /*
+ * This is only supposed to be called in test code
+ * but we should not reuse nonces!
+ *
+ * Add the current timestamp as NTTIME to nonce_high
+ * and set nonce_low to a value we can recognize in captures.
+ */
+ clock_gettime_mono(&ts);
+ nt = unix_timespec_to_nt_time(ts);
+ nt &= session->smb2->nonce_high_max;
+ if (nt == session->smb2->nonce_high_max || nt < UINT8_MAX) {
+ talloc_free(session);
+ return NULL;
+ }
+ session->smb2->nonce_high += nt;
+ session->smb2->nonce_low = UINT32_MAX;
+
 DLIST_ADD_END(src->conn->sessions, session);
 talloc_set_destructor(session, smbXcli_session_destructor);
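Review bot: The timestamp offset added to `nonce_high` in the second hunk makes a nonce collision unlikely rather than impossible. Two shallow copies of the same `src` taken within one clock tick, or whose timestamps coincide after the `nt &= session->smb2->nonce_high_max` mask, end up with the same `nonce_high` and the same `nonce_low = UINT32_MAX` start; if the copies share the source's encryption key (the key handling is outside this hunk), they would then emit identical nonces, which is the case the comment sets out to exclude. The comment should state that limit, for example `* Uniqueness relies on no two copies of one session being made in the same NTTIME tick.`, or the offset should come from a per-source counter rather than the clock. The early `return NULL` for an out-of-range `nt` is also indistinguishable from the allocation failure earlier in the function, so a log line naming the nonce check would help whoever hits it in a test run. The function starts and ends outside the hunk.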