From 92c986c70059d860e15ab401ecbb3e920021a36f Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 18 Sep 2012 11:51:31 -0700
Subject: [PATCH] Fix bug #9174: Empty SPNEGO packet can cause smbd to crash. All fields within NegTokenInit and NegTokenTarg are optional. We incorrectly assume we'll always get a data blob and indirect within it.
---
 source3/smbd/sesssetup.c | 2 +-
 source3/smbd/smb2_sesssetup.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index d514b93..4f09db9 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -735,7 +735,7 @@ static void reply_spnego_auth(struct smb_request *req,
 return;
 }
- if (auth.data[0] == ASN1_APPLICATION(0)) {
+ if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
 /* Might be a second negTokenTarg packet */
 char *kerb_mech = NULL;
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 64a8053..c90368f 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -560,7 +560,7 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 return NT_STATUS_LOGON_FAILURE;
 }
- if (auth.data[0] == ASN1_APPLICATION(0)) {
+ if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
 /* Might be a second negTokenTarg packet */
 DATA_BLOB secblob_in = data_blob_null;
 char *kerb_mech = NULL;
--
1.7.9.5
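Review bot: The added `auth.length > 0` test protects only the first-byte read in this `if`, so a zero-length `auth` now takes whatever path follows the block in reply_spnego_auth, and the same applies to the identical hunk in smbd_smb2_spnego_auth in smb2_sesssetup.c. Both function bodies continue outside the hunks, so it is worth confirming that the code after the branch accepts an empty blob (possibly with a NULL `data` pointer) and fails the session setup cleanly instead of reading from it again. The reason the blob can be empty is recorded only in the commit message; a comment above each check, such as `/* All NegTokenInit/NegTokenTarg fields are optional, so auth may be empty. */`, would keep it next to the code. The diffstat lists no test file, so a regression test that sends an empty SPNEGO token through both the SMB1 and SMB2 session-setup paths would pin the fix.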