s3:smb2cli: validate the opcode from the server is as expected
authorStefan Metzmacher <metze@samba.org>
Sat, 17 Sep 2011 19:13:58 +0000 (21:13 +0200)
committerStefan Metzmacher <metze@samba.org>
Sun, 18 Sep 2011 03:33:10 +0000 (05:33 +0200)
metze

source3/libsmb/smb2cli_base.c

index 94c518fe3a74ae2c0678d7fd0e85c1b282e84542..aff59e42129ff32b4d22e49bdd9262484462e857 100644 (file)
@@ -547,9 +547,11 @@ static void smb2cli_inbuf_received(struct tevent_req *subreq)
                uint8_t *inbuf_ref = NULL;
                struct iovec *cur = &iov[i];
                uint8_t *inhdr = (uint8_t *)cur[0].iov_base;
+               uint16_t opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
+               uint64_t mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
+               uint16_t req_opcode;
 
-               req = cli_smb2_find_pending(
-                       cli, BVAL(inhdr, SMB2_HDR_MESSAGE_ID));
+               req = cli_smb2_find_pending(cli, mid);
                if (req == NULL) {
                        /*
                         * TODO: handle oplock breaks and async responses
@@ -564,9 +566,18 @@ static void smb2cli_inbuf_received(struct tevent_req *subreq)
                        TALLOC_FREE(frame);
                        return;
                }
-               smb2cli_req_unset_pending(req);
                state = tevent_req_data(req, struct smb2cli_req_state);
 
+               req_opcode = SVAL(state->hdr, SMB2_HDR_OPCODE);
+               if (opcode != req_opcode) {
+                       status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+                       smb2cli_notify_pending(cli, status);
+                       TALLOC_FREE(frame);
+                       return;
+               }
+
+               smb2cli_req_unset_pending(req);
+
                /*
                 * There might be more than one response
                 * we need to defer the notifications
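Review bot: The new opcode check at `if (opcode != req_opcode)` escalates a single mismatched response into a failure of every outstanding request, because smb2cli_notify_pending(cli, status) appears to be connection-wide rather than per request, and the hunk records no rationale for that severity. Since smb2cli_req_unset_pending(req) has been moved below the check, the offending request is still on the pending list when the notification fires, which looks intentional but is easy to break in a later reorder. I would add above the check `/* A response whose opcode differs from the request it answers is a protocol violation; treat the whole connection as broken, and keep req on the pending list so the notification below covers it too. */`. It is also worth stating in the commit description whether the NT_STATUS_INVALID_NETWORK_RESPONSE path is meant to interact with the deferred-notification comment that follows, as the check returns from inside the loop over compound responses. smb2cli_inbuf_received starts before and continues after this hunk.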