CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
authorStefan Metzmacher <metze@samba.org>
Sat, 27 Feb 2016 03:15:38 +0000 (04:15 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:26 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source4/libcli/cliconnect.c
source4/libcli/raw/rawnegotiate.c
source4/libcli/smb_composite/connect.c
source4/torture/basic/base.c

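--- a/source4/libcli/cliconnect.c
+++ b/source4/libcli/cliconnect.c
@@ -77,7 +77,7 @@ NTSTATUS smbcli_negprot(struct smbcli_state *cli, bool unicode, int maxprotocol)
                return NT_STATUS_NO_MEMORY;
        }
 
-       return smb_raw_negotiate(cli->transport, unicode, maxprotocol);
+       return smb_raw_negotiate(cli->transport, unicode, PROTOCOL_CORE, maxprotocol);
 }
 
 /* wrapper around smb_raw_sesssetup() */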
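Review bot: The floor passed on the changed return line of smbcli_negprot() is the constant `PROTOCOL_CORE`, so every caller of this synchronous wrapper still offers the oldest dialect regardless of configuration. `cli->transport` is the same `struct smbcli_transport` whose `options.min_protocol` is read in source4/libcli/smb_composite/connect.c, so the line could be `return smb_raw_negotiate(cli->transport, unicode, cli->transport->options.min_protocol, maxprotocol);`, assuming the options are populated on this path, which is not visible here. If the fixed floor is deliberate, a comment such as `/* floor intentionally PROTOCOL_CORE: callers of this wrapper pass only maxprotocol */` would record that. The function body starts outside the hunk.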
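--- a/source4/libcli/raw/rawnegotiate.c
+++ b/source4/libcli/raw/rawnegotiate.c
@@ -37,6 +37,7 @@ static void smb_raw_negotiate_done(struct tevent_req *subreq);
 struct tevent_req *smb_raw_negotiate_send(TALLOC_CTX *mem_ctx,
                                          struct tevent_context *ev,
                                          struct smbcli_transport *transport,
+                                         int minprotocol,
                                          int maxprotocol)
 {
        struct tevent_req *req;
@@ -58,7 +59,7 @@ struct tevent_req *smb_raw_negotiate_send(TALLOC_CTX *mem_ctx,
        subreq = smbXcli_negprot_send(state, ev,
                                      transport->conn,
                                      timeout_msec,
-                                     PROTOCOL_CORE,
+                                     minprotocol,
                                      maxprotocol);
        if (tevent_req_nomem(subreq, req)) {
                return tevent_req_post(req, ev);
@@ -131,7 +132,8 @@ NTSTATUS smb_raw_negotiate_recv(struct tevent_req *req)
 /*
  Send a negprot command (sync interface)
 */
-NTSTATUS smb_raw_negotiate(struct smbcli_transport *transport, bool unicode, int maxprotocol)
+NTSTATUS smb_raw_negotiate(struct smbcli_transport *transport, bool unicode,
+                          int minprotocol, int maxprotocol)
 {
        NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
        struct tevent_req *subreq = NULL;
@@ -140,6 +142,7 @@ NTSTATUS smb_raw_negotiate(struct smbcli_transport *transport, bool unicode, int
        subreq = smb_raw_negotiate_send(transport,
                                        transport->ev,
                                        transport,
+                                       minprotocol,
                                        maxprotocol);
        if (subreq == NULL) {
                return NT_STATUS_NO_MEMORY;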
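Review bot: The new `minprotocol` parameter of smb_raw_negotiate_send() and smb_raw_negotiate() is undocumented and typed as a bare `int`, although it is the value that bounds how far the dialect can be pushed down. The comment above smb_raw_negotiate() could read `Send a negprot command (sync interface); minprotocol and maxprotocol are the lowest and highest dialects offered to the server`, with a matching comment on the _send variant. Both values are forwarded to smbXcli_negprot_send() unchanged, and whether that call rejects `minprotocol > maxprotocol` is not visible in these hunks, so the comment should say which layer owns that check. Both function bodies continue outside the hunks.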
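--- a/source4/libcli/smb_composite/connect.c
+++ b/source4/libcli/smb_composite/connect.c
@@ -297,6 +297,7 @@ static NTSTATUS connect_send_negprot(struct composite_context *c,
        state->subreq = smb_raw_negotiate_send(state,
                                               state->transport->ev,
                                               state->transport,
+                                              state->transport->options.min_protocol,
                                               state->transport->options.max_protocol);
        NT_STATUS_HAVE_NO_MEMORY(state->subreq);
        tevent_req_set_callback(state->subreq, subreq_handler, c);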
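Review bot: `state->transport->options.min_protocol` is passed through unchecked in connect_send_negprot(), so a caller that fills in the options by hand and leaves this field at zero would presumably negotiate with no effective floor and without any indication. A short comment at the call, e.g. `/* min_protocol comes from the caller's smbcli_options; an unset value means no floor */`, or a debug message logging the offered range, would make a missing setting visible when a downgrade is investigated. Where the options are populated is outside this hunk, and the function starts and ends outside it as well.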
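--- a/source4/torture/basic/base.c
+++ b/source4/torture/basic/base.c
@@ -371,6 +371,7 @@ static bool run_negprot_nowait(struct torture_context *tctx)
                struct tevent_req *req;
                req = smb_raw_negotiate_send(cli, tctx->ev,
                                             cli->transport,
+                                            PROTOCOL_CORE,
                                             PROTOCOL_NT1);
                tevent_loop_once(tctx->ev);
                if (!tevent_req_is_in_progress(req)) {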