From 68d6c10e5e7f14bc2473d53fde38593ff280a439 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 27 Feb 2016 04:15:38 +0100
Subject: CVE-2016-2115: s4:libcli/raw: pass the minprotocol to
 smb_raw_negotiate*()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 source4/libcli/cliconnect.c            | 2 +-
 source4/libcli/raw/rawnegotiate.c      | 7 +++++--
 source4/libcli/smb_composite/connect.c | 1 +
 3 files changed, 7 insertions(+), 3 deletions(-)

(limited to 'source4/libcli')

diff --git a/source4/libcli/cliconnect.c b/source4/libcli/cliconnect.c
index 17151923d5b..35d963eebf8 100644
--- a/source4/libcli/cliconnect.c
+++ b/source4/libcli/cliconnect.c
@@ -77,7 +77,7 @@ NTSTATUS smbcli_negprot(struct smbcli_state *cli, bool unicode, int maxprotocol)
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	return smb_raw_negotiate(cli->transport, unicode, maxprotocol);
+	return smb_raw_negotiate(cli->transport, unicode, PROTOCOL_CORE, maxprotocol);
 }
 
 /* wrapper around smb_raw_sesssetup() */
diff --git a/source4/libcli/raw/rawnegotiate.c b/source4/libcli/raw/rawnegotiate.c
index 32e8a9195b2..4b42c2662a0 100644
--- a/source4/libcli/raw/rawnegotiate.c
+++ b/source4/libcli/raw/rawnegotiate.c
@@ -37,6 +37,7 @@ static void smb_raw_negotiate_done(struct tevent_req *subreq);
 struct tevent_req *smb_raw_negotiate_send(TALLOC_CTX *mem_ctx,
 					  struct tevent_context *ev,
 					  struct smbcli_transport *transport,
+					  int minprotocol,
 					  int maxprotocol)
 {
 	struct tevent_req *req;
@@ -58,7 +59,7 @@ struct tevent_req *smb_raw_negotiate_send(TALLOC_CTX *mem_ctx,
 	subreq = smbXcli_negprot_send(state, ev,
 				      transport->conn,
 				      timeout_msec,
-				      PROTOCOL_CORE,
+				      minprotocol,
 				      maxprotocol);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
@@ -131,7 +132,8 @@ NTSTATUS smb_raw_negotiate_recv(struct tevent_req *req)
 /*
  Send a negprot command (sync interface)
 */
-NTSTATUS smb_raw_negotiate(struct smbcli_transport *transport, bool unicode, int maxprotocol)
+NTSTATUS smb_raw_negotiate(struct smbcli_transport *transport, bool unicode,
+			   int minprotocol, int maxprotocol)
 {
 	NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
 	struct tevent_req *subreq = NULL;
@@ -140,6 +142,7 @@ NTSTATUS smb_raw_negotiate(struct smbcli_transport *transport, bool unicode, int
 	subreq = smb_raw_negotiate_send(transport,
 					transport->ev,
 					transport,
+					minprotocol,
 					maxprotocol);
 	if (subreq == NULL) {
 		return NT_STATUS_NO_MEMORY;
diff --git a/source4/libcli/smb_composite/connect.c b/source4/libcli/smb_composite/connect.c
index d87d5ecae27..fffa768ac97 100644
--- a/source4/libcli/smb_composite/connect.c
+++ b/source4/libcli/smb_composite/connect.c
@@ -297,6 +297,7 @@ static NTSTATUS connect_send_negprot(struct composite_context *c,
 	state->subreq = smb_raw_negotiate_send(state,
 					       state->transport->ev,
 					       state->transport,
+					       state->transport->options.min_protocol,
 					       state->transport->options.max_protocol);
 	NT_STATUS_HAVE_NO_MEMORY(state->subreq);
 	tevent_req_set_callback(state->subreq, subreq_handler, c);
-- 
cgit v1.2.1