libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotia...
author Philipp Gesang <philipp.gesang@intra2net.com>
Thu, 14 Feb 2019 09:17:28 +0000 (10:17 +0100)
committer Jeremy Allison <jra@samba.org>
Sun, 31 Mar 2019 01:11:09 +0000 (01:11 +0000)
Certain Netapp versions are sending SMB2_ENCRYPTION_CAPABILITIES
structures containing a DataLength field that includes the padding
[0]. Microsoft has since clarified that only values smaller than
the size are considered invalid [1].

While parsing the NegotiateContext it is ensured that DataLength
does not exceed the message bounds. Also, the value is not
actually used anywhere outside the validation. Thus values
greater than the actual data size are safe to use. This patch
makes Samba fail only on values that are too small for the (fixed
size) payload.

[0] https://lists.samba.org/archive/samba/2019-February/221139.html
[1] https://lists.samba.org/archive/cifs-protocol/2019-March/003210.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13869

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Mar 31 01:11:09 UTC 2019 on sn-devel-144

libcli/smb/smbXcli_base.c

index d12e63902d944404b165583a9233e5b0e6b2b5fc..211539403d4b5c6d851ceb11a6001c643b270292 100644 (file)
@@ -5062,7 +5062,7 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
                        return;
                }
 
-               if (cipher->data.length != (2 + 2 * cipher_count)) {
+               if (cipher->data.length < (2 + 2 * cipher_count)) {
                        tevent_req_nterror(req,
                                        NT_STATUS_INVALID_NETWORK_RESPONSE);
                        return;
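Review bot: the relaxed condition `cipher->data.length < (2 + 2 * cipher_count)` carries no comment explaining why a length larger than the fixed-size payload is now accepted, so a later reader will likely "fix" it back to `!=`. Suggest a short comment above the `if` stating that DataLength may include padding (per the MS-SMB2 clarification) and that only the first `2 + 2 * cipher_count` bytes are consumed, with a pointer to BUG 13869. Since `cipher_count` is evidently read from the first two bytes of `cipher->data` before this check runs, it is also worth confirming that an earlier `data.length >= 2` bound guards that read, as neither the old nor the new condition does.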