git.samba.org / amitay / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 22e22d8)
CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
authorStefan Metzmacher <metze@samba.org>
Mon, 12 Dec 2016 05:07:56 +0000 (06:07 +0100)
committerKarolin Seeger <kseeger@samba.org>
Wed, 20 Sep 2017 11:04:10 +0000 (13:04 +0200)
With forced encryption or required signing we should also don't fallback.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source3/libsmb/clidfs.c patch | blob | history

diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 7e2cdaa88360f79968ea036cff6fe9e6b207c4b0..0dfb8b336064595490561b7be2b5630dde651055 100644 (file)
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -26,6 +26,7 @@
 #include "trans2.h"
 #include "libsmb/nmblib.h"
 #include "../libcli/smb/smbXcli_base.h"
+#include "auth/credentials/credentials.h"
 
 /********************************************************************
  Important point.
@@ -144,9 +145,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
        char *servicename;
        char *sharename;
        char *newserver, *newshare;
-       const char *username;
-       const char *password;
-       const char *domain;
        NTSTATUS status;
        int flags = 0;
        enum protocol_types protocol = PROTOCOL_NONE;
@@ -229,21 +227,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
                smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
        }
 
-       username = get_cmdline_auth_info_username(auth_info);
-       password = get_cmdline_auth_info_password(auth_info);
-       domain = get_cmdline_auth_info_domain(auth_info);
-       if ((domain == NULL) || (domain[0] == '\0')) {
-               domain = lp_workgroup();
-       }
-
        creds = get_cmdline_auth_info_creds(auth_info);
 
        status = cli_session_setup_creds(c, creds);
        if (!NT_STATUS_IS_OK(status)) {
                /* If a password was not supplied then
                 * try again with a null username. */
-               if (password[0] || !username[0] ||
-                       get_cmdline_auth_info_use_kerberos(auth_info) ||
+               if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
+                       cli_credentials_authentication_requested(creds) ||
+                       cli_credentials_is_anonymous(creds) ||
                        !NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
                {
                        d_printf("session setup failed: %s\n",
Amitay's Samba development tree