diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-04-26 10:38:15 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2022-05-02 20:13:10 +0000 |
commit | 54c6cf8666b073818301d3a71a37453b44e57b5c (patch) | |
tree | f06cec6e7b71e4b66119dda1ee50862382f3325e /libcli | |
parent | 8ca99c25bacb6d9b0e6e064b37d6b726d181a487 (diff) | |
download | samba-54c6cf8666b073818301d3a71a37453b44e57b5c.tar.gz |
libcli/smb: allow SMB2 Negotiate responses with security_offset = 0 and security_length = 0
This fixes connections against the Azure SMB3 server.
It's not possible to demonstrate the bug with a test and a knownfail
entry, because it fails to even startup the test environments,
but the following change to our server demonstrates the problem
and shows the fix works:
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index da567951c0bf..25fdaea2df7b 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -711,6 +711,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
}
}
+ security_buffer = data_blob_null;
+
if (out_negotiate_context_blob.length != 0) {
static const uint8_t zeros[8];
size_t pad = 0;
@@ -759,6 +761,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
}
+ security_offset = 0;
+
SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
SSVAL(outbody.data, 0x02,
security_mode); /* security mode */
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15050
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 2 20:13:10 UTC 2022 on sn-devel-184
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/smb/smbXcli_base.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 0f3e4fa3f90..57d39d60fca 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -5083,6 +5083,21 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq) security_offset = SVAL(body, 56); security_length = SVAL(body, 58); + if (security_offset == 0) { + /* + * Azure sends security_offset = 0 and security_length = 0 + * + * We just set security_offset to the expected value + * in order to allow the further logic to work + * as before. + */ + if (security_length != 0) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + security_offset = SMB2_HDR_BODY + iov[1].iov_len; + } + if (security_offset != SMB2_HDR_BODY + iov[1].iov_len) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; |