diff options
author | Stefan Metzmacher <metze@samba.org> | 2021-03-08 02:03:30 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2021-07-15 00:06:31 +0000 |
commit | e720ce4fadb051295871314bfcb1057c48586736 (patch) | |
tree | 5d45914ca76f921ba0fce1e556e16ccc77eeb5d0 | |
parent | eeb09dfa6d79bfd42ad4a31cc2297438e917fef7 (diff) | |
download | samba-e720ce4fadb051295871314bfcb1057c48586736.tar.gz |
libcli/smb: skip session setup signing for REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED and ACCESS_DENIED
We should propagate these errors to the caller instead of masking them
with ACCESS_DENIED. And for ACCESS_DENIED we should not disconnect the
connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | libcli/smb/smbXcli_base.c | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 9ffc60ff330..30df9b244ea 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -3896,6 +3896,46 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn, state->smb2.signing_skipped = true; signing_key = NULL; } + if (NT_STATUS_EQUAL(status, NT_STATUS_REQUEST_OUT_OF_SEQUENCE)) { + /* + * if the server returns + * NT_STATUS_REQUEST_OUT_OF_SEQUENCE for a session setup + * request, the response is not signed and we should + * propagate the NT_STATUS_REQUEST_OUT_OF_SEQUENCE + * status to the caller + */ + if (opcode == SMB2_OP_SESSSETUP) { + state->smb2.signing_skipped = true; + signing_key = NULL; + } + } + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { + /* + * if the server returns NT_STATUS_NOT_SUPPORTED + * for a session setup request, the response is not + * signed and we should propagate the NT_STATUS_NOT_SUPPORTED + * status to the caller. + */ + if (opcode == SMB2_OP_SESSSETUP) { + state->smb2.signing_skipped = true; + signing_key = NULL; + } + } + if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + /* + * if the server returns + * NT_STATUS_ACCESS_DENIED for a session setup + * request, the response is not signed and we should + * propagate the NT_STATUS_ACCESS_DENIED + * status to the caller without disconnecting + * the connection because we where not able to + * verify the response signature. + */ + if (opcode == SMB2_OP_SESSSETUP) { + state->smb2.signing_skipped = true; + signing_key = NULL; + } + } if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { /* |