CVE-2016-2114: s4:smb2_server: fix session setup with required signing

[samba.git] / source4 / smb_server / smb2 / sesssetup.c

diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c
index c99b443a35a7195c9513661fd5ba25c8d952988f..5e261a20e40ca3c5f9b5c4f7f5244bb3703d2603 100644 (file)
--- a/source4/smb_server/smb2/sesssetup.c
+++ b/source4/smb_server/smb2/sesssetup.c
@@ -6,7 +6,7 @@
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
+   the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
@@ -15,40 +15,36 @@
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
-#include "auth/credentials/credentials.h"
+#include <tevent.h>
 #include "auth/gensec/gensec.h"
 #include "auth/auth.h"
 #include "libcli/smb2/smb2.h"
 #include "libcli/smb2/smb2_calls.h"
 #include "smb_server/smb_server.h"
-#include "smb_server/service_smb_proto.h"
 #include "smb_server/smb2/smb2_server.h"
 #include "smbd/service_stream.h"
+#include "lib/stream/packet.h"
 
 static void smb2srv_sesssetup_send(struct smb2srv_request *req, union smb_sesssetup *io)
 {
-       uint16_t unknown1;
-
        if (NT_STATUS_IS_OK(req->status)) {
-               unknown1 = 0x0003;
+               /* nothing */
        } else if (NT_STATUS_EQUAL(req->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-               unknown1 = 0x0002;
+               /* nothing */
        } else {
                smb2srv_send_error(req, req->status);
                return;
        }
 
-       SMB2SRV_CHECK(smb2srv_setup_reply(req, 0x08, True, io->smb2.out.secblob.length));
+       SMB2SRV_CHECK(smb2srv_setup_reply(req, 0x08, true, io->smb2.out.secblob.length));
 
-       SSVAL(req->out.hdr, SMB2_HDR_UNKNOWN1,  unknown1);
-       SBVAL(req->out.hdr, SMB2_HDR_UID,       io->smb2.out.uid);
+       SBVAL(req->out.hdr, SMB2_HDR_SESSION_ID,        io->smb2.out.uid);
 
-       SSVAL(req->out.body, 0x02, io->smb2.out._pad);
+       SSVAL(req->out.body, 0x02, io->smb2.out.session_flags);
        SMB2SRV_CHECK(smb2_push_o16s16_blob(&req->out, 0x04, io->smb2.out.secblob));
 
        smb2srv_send_reply(req);
@@ -60,24 +56,28 @@ struct smb2srv_sesssetup_callback_ctx {
        struct smbsrv_session *smb_sess;
 };
 
-static void smb2srv_sesssetup_callback(struct gensec_update_request *greq, void *private_data)
+static void smb2srv_sesssetup_callback(struct tevent_req *subreq)
 {
-       struct smb2srv_sesssetup_callback_ctx *ctx = talloc_get_type(private_data,
+       struct smb2srv_sesssetup_callback_ctx *ctx = tevent_req_callback_data(subreq,
                                                     struct smb2srv_sesssetup_callback_ctx);
        struct smb2srv_request *req = ctx->req;
        union smb_sesssetup *io = ctx->io;
        struct smbsrv_session *smb_sess = ctx->smb_sess;
        struct auth_session_info *session_info = NULL;
+       enum security_user_level user_level;
        NTSTATUS status;
 
-       status = gensec_update_recv(greq, req, &io->smb2.out.secblob);
+       packet_recv_enable(req->smb_conn->packet);
+
+       status = gensec_update_recv(subreq, req, &io->smb2.out.secblob);
+       TALLOC_FREE(subreq);
        if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                goto done;
        } else if (!NT_STATUS_IS_OK(status)) {
                goto failed;
        }
 
-       status = gensec_session_info(smb_sess->gensec_ctx, &session_info);
+       status = gensec_session_info(smb_sess->gensec_ctx, smb_sess, &session_info);
        if (!NT_STATUS_IS_OK(status)) {
                goto failed;
        }
@@ -90,11 +90,25 @@ static void smb2srv_sesssetup_callback(struct gensec_update_request *greq, void
        }
        req->session = smb_sess;
 
+       user_level = security_session_user_level(smb_sess->session_info, NULL);
+       if (user_level >= SECURITY_USER) {
+               if (smb_sess->smb2_signing.required) {
+                       /* activate smb2 signing on the session */
+                       smb_sess->smb2_signing.active = true;
+               }
+               /* we need to sign the session setup response */
+               req->is_signed = true;
+       }
+
 done:
        io->smb2.out.uid = smb_sess->vuid;
 failed:
-       req->status = auth_nt_status_squash(status);
+       req->status = nt_status_squash(status);
        smb2srv_sesssetup_send(req, io);
+       if (!NT_STATUS_IS_OK(status) && !
+           NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+               talloc_free(smb_sess);
+       }
 }
 
 static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_sesssetup *io)
@@ -103,12 +117,13 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
        struct smb2srv_sesssetup_callback_ctx *callback_ctx;
        struct smbsrv_session *smb_sess = NULL;
        uint64_t vuid;
+       struct tevent_req *subreq;
 
-       io->smb2.out._pad       = 0;
+       io->smb2.out.session_flags = 0;
        io->smb2.out.uid        = 0;
        io->smb2.out.secblob = data_blob(NULL, 0);
 
-       vuid = BVAL(req->in.hdr, SMB2_HDR_UID);
+       vuid = BVAL(req->in.hdr, SMB2_HDR_SESSION_ID);
 
        /*
         * only when we got '0' we should allocate a new session
@@ -116,19 +131,18 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
        if (vuid == 0) {
                struct gensec_security *gensec_ctx;
 
-               status = gensec_server_start(req,
-                                            req->smb_conn->connection->event.ctx,
-                                            req->smb_conn->connection->msg_ctx,
-                                            &gensec_ctx);
+               status = samba_server_gensec_start(req,
+                                                  req->smb_conn->connection->event.ctx,
+                                                  req->smb_conn->connection->msg_ctx,
+                                                  req->smb_conn->lp_ctx,
+                                                  req->smb_conn->negotiate.server_credentials,
+                                                  "cifs",
+                                                  &gensec_ctx);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
                        goto failed;
                }
 
-               gensec_set_credentials(gensec_ctx, req->smb_conn->negotiate.server_credentials);
-
-               gensec_set_target_service(gensec_ctx, "cifs");
-
                gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
 
                status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
@@ -138,7 +152,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
                }
 
                /* allocate a new session */
-               smb_sess = smbsrv_session_new(req->smb_conn, gensec_ctx);
+               smb_sess = smbsrv_session_new(req->smb_conn, req->smb_conn, gensec_ctx);
                if (!smb_sess) {
                        status = NT_STATUS_INSUFFICIENT_RESOURCES;
                        goto failed;
@@ -157,6 +171,12 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
                goto failed;
        }
 
+       if (smb_sess->session_info) {
+               /* see WSPP test suite - test 11 */
+               status = NT_STATUS_REQUEST_NOT_ACCEPTED;
+               goto failed;
+       }
+
        if (!smb_sess->gensec_ctx) {
                status = NT_STATUS_INTERNAL_ERROR;
                DEBUG(1, ("Internal ERROR: no gensec_ctx on session: %s\n", nt_errstr(status)));
@@ -169,14 +189,32 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
        callback_ctx->io        = io;
        callback_ctx->smb_sess  = smb_sess;
 
-       gensec_update_send(smb_sess->gensec_ctx, io->smb2.in.secblob,
-                          smb2srv_sesssetup_callback, callback_ctx);
+       subreq = gensec_update_send(callback_ctx,
+                                   req->smb_conn->connection->event.ctx,
+                                   smb_sess->gensec_ctx,
+                                   io->smb2.in.secblob);
+       if (!subreq) goto nomem;
+       tevent_req_set_callback(subreq, smb2srv_sesssetup_callback, callback_ctx);
+
+       /* note that we ignore SMB2_NEGOTIATE_SIGNING_ENABLED from the client.
+          This is deliberate as windows does not set it even when it does 
+          set SMB2_NEGOTIATE_SIGNING_REQUIRED */
+       if (io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
+               smb_sess->smb2_signing.required = true;
+       }
+
+       /* disable receipt of more packets on this socket until we've
+          finished with the session setup. This avoids a problem with
+          crashes if we get EOF on the socket while processing a session
+          setup */
+       packet_recv_disable(req->smb_conn->packet);
+
        return;
 nomem:
        status = NT_STATUS_NO_MEMORY;
 failed:
        talloc_free(smb_sess);
-       req->status = auth_nt_status_squash(status);
+       req->status = nt_status_squash(status);
        smb2srv_sesssetup_send(req, io);
 }
 
@@ -184,24 +222,39 @@ void smb2srv_sesssetup_recv(struct smb2srv_request *req)
 {
        union smb_sesssetup *io;
 
-       SMB2SRV_CHECK_BODY_SIZE(req, 0x18, True);
+       SMB2SRV_CHECK_BODY_SIZE(req, 0x18, true);
        SMB2SRV_TALLOC_IO_PTR(io, union smb_sesssetup);
 
-       io->smb2.level          = RAW_SESSSETUP_SMB2;
-       io->smb2.in._pad        = SVAL(req->in.body, 0x02);
-       io->smb2.in.unknown2    = IVAL(req->in.body, 0x04);
-       io->smb2.in.unknown3    = IVAL(req->in.body, 0x08);
+       io->smb2.level                 = RAW_SESSSETUP_SMB2;
+       io->smb2.in.vc_number          = CVAL(req->in.body, 0x02);
+       io->smb2.in.security_mode      = CVAL(req->in.body, 0x03);
+       io->smb2.in.capabilities       = IVAL(req->in.body, 0x04);
+       io->smb2.in.channel            = IVAL(req->in.body, 0x08);
+       io->smb2.in.previous_sessionid = BVAL(req->in.body, 0x10);
        SMB2SRV_CHECK(smb2_pull_o16s16_blob(&req->in, io, req->in.body+0x0C, &io->smb2.in.secblob));
-       io->smb2.in.unknown4    = BVAL(req->in.body, 0x10);
 
        smb2srv_sesssetup_backend(req, io);
 }
 
-static NTSTATUS smb2srv_logoff_backend(struct smb2srv_request *req)
+static int smb2srv_cleanup_session_destructor(struct smbsrv_session **session)
 {
        /* TODO: call ntvfs backends to close file of this session */
-       talloc_free(req->session);
-       req->session = NULL;
+       DEBUG(0,("free session[%p]\n", *session));
+       talloc_free(*session);
+       return 0;
+}
+
+static NTSTATUS smb2srv_logoff_backend(struct smb2srv_request *req)
+{
+       struct smbsrv_session **session_ptr;
+
+       /* we need to destroy the session after sending the reply */
+       session_ptr = talloc(req, struct smbsrv_session *);
+       NT_STATUS_HAVE_NO_MEMORY(session_ptr);
+
+       *session_ptr = req->session;
+       talloc_set_destructor(session_ptr, smb2srv_cleanup_session_destructor);
+
        return NT_STATUS_OK;
 }
 
@@ -212,7 +265,7 @@ static void smb2srv_logoff_send(struct smb2srv_request *req)
                return;
        }
 
-       SMB2SRV_CHECK(smb2srv_setup_reply(req, 0x04, False, 0));
+       SMB2SRV_CHECK(smb2srv_setup_reply(req, 0x04, false, 0));
 
        SSVAL(req->out.body, 0x02, 0);
 
@@ -221,11 +274,7 @@ static void smb2srv_logoff_send(struct smb2srv_request *req)
 
 void smb2srv_logoff_recv(struct smb2srv_request *req)
 {
-       uint16_t _pad;
-
-       SMB2SRV_CHECK_BODY_SIZE(req, 0x04, False);
-
-       _pad    = SVAL(req->in.body, 0x02);
+       SMB2SRV_CHECK_BODY_SIZE(req, 0x04, false);
 
        req->status = smb2srv_logoff_backend(req);