Projects
openEuler:20.03:LTS:SP3
samba
_service:tar_scm_kernel_repo:backport-0009-CVE-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:backport-0009-CVE-2022-38023.patch of Package samba
From de121d6c613c6e83e49f2622391d1705077646a4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Tue, 6 Dec 2022 10:56:29 +0100 Subject: [PATCH 08/29] CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind This will simplify the following changes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0) Conflict: NA Reference: https://attachments.samba.org/attachment.cgi?id=17698 --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 6f5a6e500db4..010c3e136779 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -62,6 +62,21 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context, const struct dcesrv_interface *iface) { + struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); + static bool warned_global_schannel_once = false; + + if (!schannel_global_required && !warned_global_schannel_once) { + /* + * We want admins to notice their misconfiguration! + */ + D_ERR("CVE-2020-1472(ZeroLogon): " + "Please configure 'server schannel = yes' (the default), " + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); + warned_global_schannel_once = true; + } + return dcesrv_interface_bind_reject_connect(context, iface); } @@ -627,7 +642,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; uint16_t opnum = dce_call->pkt.u.request.opnum; const char *opname = "<unknown>"; - static bool warned_global_once = false; if (opnum < ndr_table_netlogon.num_calls) { opname = ndr_table_netlogon.calls[opnum].name; @@ -679,16 +693,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc return NT_STATUS_ACCESS_DENIED; } - if (!schannel_global_required && !warned_global_once) { - /* - * We want admins to notice their misconfiguration! - */ - DBG_ERR("CVE-2020-1472(ZeroLogon): " - "Please configure 'server schannel = yes', " - "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); - warned_global_once = true; - } - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { DBG_ERR("CVE-2020-1472(ZeroLogon): " "%s request (opnum[%u]) WITH schannel from " -- 2.34.1
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.