From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 17 Jul 2017 19:54:51 +0000 (+0200)
Subject: auth/spnego: don't call gensec_spnego_server_response() with a fatal error
X-Git-Tag: tdb-1.3.15~324
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=eedb8105507ed14ed19da185dcf32537dc39c7fe;p=samba.git

auth/spnego: don't call gensec_spnego_server_response() with a fatal error

It doesn't make sense to produce an output token without
returning OK or MORE_PROCESSING_REQUIRED.

Even in v4-0-test we had gensec_spnego_update_wrapper()
which only passed the constructed output token to the caller
with OK or MORE_PROCESSING_REQUIRED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 5eb75ad47aa..474f0a9fe1c 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1048,7 +1048,8 @@ static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec
 		if (GENSEC_UPDATE_IS_NTERROR(status)) {
 			DBG_WARNING("%s: NEG_TOKEN_INIT failed: %s\n",
 				    cur_sec->op->name, nt_errstr(status));
-			goto reply;
+			TALLOC_FREE(frame);
+			return status;
 		}
 
 		spnego_state->neg_oid = cur_sec->oid;
@@ -1056,7 +1057,8 @@ static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec
 	}
 
 	DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
-	status = NT_STATUS_INVALID_PARAMETER;
+	TALLOC_FREE(frame);
+	return NT_STATUS_INVALID_PARAMETER;
 
  reply:
 	if (spnego_state->simulate_w2k) {
@@ -1118,7 +1120,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
 		if (!NT_STATUS_IS_OK(status)) {
 			DBG_WARNING("failed to verify mechListMIC: %s\n",
 				    nt_errstr(status));
-			goto server_response;
+			return status;
 		}
 
 		spnego_state->needs_mic_check = false;
@@ -1130,6 +1132,11 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
 		status = gensec_update_ev(spnego_state->sub_sec_security,
 					  out_mem_ctx, ev,
 					  sub_in, &sub_out);
+		if (GENSEC_UPDATE_IS_NTERROR(status)) {
+			DEBUG(2, ("SPNEGO login failed: %s\n",
+				  nt_errstr(status)));
+			return status;
+		}
 		if (NT_STATUS_IS_OK(status)) {
 			spnego_state->sub_sec_ready = true;
 		}
@@ -1166,7 +1173,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
 		if (!NT_STATUS_IS_OK(status)) {
 			DBG_WARNING("failed to verify mechListMIC: %s\n",
 				    nt_errstr(status));
-			goto server_response;
+			return status;
 		}
 
 		spnego_state->needs_mic_check = false;