From 2cc6a6d10980bd67452d9079679b77c90f33efb6 Mon Sep 17 00:00:00 2001 From: Philipp Gesang Date: Thu, 14 Feb 2019 10:17:28 +0100 Subject: [PATCH] libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Certain Netapp versions are sending SMB2_ENCRYPTION_CAPABILITIES structures containing DataLength field that includes the padding [0]. Microsoft has since clarified that only values smaller than the size are considered invalid [1]. While parsing the NegotiateContext it is ensured that DataLength does not exceed the message bounds. Also, the value is not actually used anywhere outside the validation. Thus values greater than the actual data size are safe to use. This patch makes Samba fail only on values that are too small for the (fixed size) payload. [0] https://lists.samba.org/archive/samba/2019-February/221139.html [1] https://lists.samba.org/archive/cifs-protocol/2019-March/003210.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=13869 Signed-off-by: Philipp Gesang Reviewed-by: Ralph Böhme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sun Mar 31 01:11:09 UTC 2019 on sn-devel-144 (cherry picked from commit 865b7b0c7d2ba7fa0a045586d1e83a72028a0864) --- libcli/smb/smbXcli_base.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index a237bf17d0a..a8c73be445a 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -5064,7 +5064,7 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq) return; } - if (cipher->data.length != (2 + 2 * cipher_count)) { + if (cipher->data.length < (2 + 2 * cipher_count)) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; -- 2.21.0.392.gf8f6787159e-goog