CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
index f09a3f809146cb4febbf215b41cbd467ab898936..9f989f21f2c5b3babe0f03b60076266efde3ddfc 100644 (file)
--- a/source4/libcli/smb_composite/sesssetup.c
+++ b/source4/libcli/smb_composite/sesssetup.c
@@ -329,6 +329,17 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
        
 
        if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
+               if (!cli_credentials_is_anonymous(io->in.credentials) &&
+                   session->options.ntlmv2_auth &&
+                   session->transport->options.use_spnego)
+               {
+                       /*
+                        * Don't send an NTLMv2_RESPONSE without NTLMSSP
+                        * if we want to use spnego
+                        */
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
                nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
                                                              &flags, 
                                                              session->transport->negotiate.secblob,