File _service:tar_scm_kernel_repo:backport-0000-CVE-2016-2124-s4-libcli-sesssetup-don-t-fallback-to-.patch of Package samba
From 4290223ed40183e5f01c25da00df438b9ccf302a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Thu, 24 Nov 2016 09:12:59 +0100 Subject: [PATCH 254/266] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to Conflict: NA Reference: https://git.samba.org/samba.git/?p=samba.git;a=patch;h=4290223ed40183e5f01c25da00df438b9ccf302a non spnego authentication if we require kerberos We should not send NTLM[v2] data on the wire if the user asked for kerberos only. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 Signed-off-by: Stefan Metzmacher <metze@samba.org> --- source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index 6ee4929e8d7..a0a1f4baa56 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -620,6 +620,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se struct composite_context *c; struct sesssetup_state *state; NTSTATUS status; + enum credentials_use_kerberos krb5_state = + cli_credentials_get_kerberos_state(io->in.credentials); c = composite_create(session, session->transport->ev); if (c == NULL) return NULL; @@ -635,6 +637,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se /* no session setup at all in earliest protocol varients */ if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) { + if (krb5_state == CRED_MUST_USE_KERBEROS) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } ZERO_STRUCT(io->out); composite_done(c); return c; 
@@ -642,9 +648,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se /* see what session setup interface we will use */ if (session->transport->negotiate.protocol < PROTOCOL_NT1) { + if (krb5_state == CRED_MUST_USE_KERBEROS) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } status = session_setup_old(c, session, io, &state->req); } else if (!session->transport->options.use_spnego || !(io->in.capabilities & CAP_EXTENDED_SECURITY)) { + if (krb5_state == CRED_MUST_USE_KERBEROS) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } status = session_setup_nt1(c, session, io, &state->req); } else { struct tevent_req *subreq = NULL; -- 2.23.0
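Review bot: In the first hunk (@@ -620), `krb5_state` is initialised in its declaration from `cli_credentials_get_kerberos_state(io->in.credentials)`, before `composite_create()` and with no visible check that `io->in.credentials` is set. Please confirm that every caller of `smb_composite_sesssetup_send()` supplies credentials, or move the assignment below the `c == NULL` check and guard it, so the new policy check cannot itself become a crash on a credential-less call path.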
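Review bot: In the second hunk (@@ -635), the pre-`PROTOCOL_LANMAN1` branch now fails with `NT_STATUS_NETWORK_CREDENTIAL_CONFLICT` but gives no indication of why. A one-line comment stating that this protocol level has no session setup and therefore cannot carry Kerberos, plus a debug message before `composite_error()`, would let an administrator tell a refused downgrade apart from a genuine credential conflict when the client is configured for Kerberos only.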
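Review bot: In the third hunk (@@ -642), the same check `if (krb5_state == CRED_MUST_USE_KERBEROS) { composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); return c; }` is pasted into both the `session_setup_old` and `session_setup_nt1` branches, making three copies together with the previous hunk. Consider a single guard ahead of the protocol dispatch that covers every non-SPNEGO condition (`protocol < PROTOCOL_NT1`, `!use_spnego`, missing `CAP_EXTENDED_SECURITY`), so a branch added later cannot send NTLM data without passing through the Kerberos-required check.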