From 5bba8c393d78235111cc5d744bb393847ca16283 Mon Sep 17 00:00:00 2001
From: Ralph Wuerthner
Date: Thu, 29 Mar 2018 10:00:41 +0200
Subject: [PATCH] s3:smb2_tcon: Add check to prevent non-DFS clients from connecting to an msdfs proxy.
Signed-off-by: Ralph Wuerthner
Reviewed-by: David Disseldorp
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Sat Apr 7 05:05:22 CEST 2018 on sn-devel-144
---
 source3/smbd/smb2_tcon.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 07e01cddd46..ebd31602efc 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -270,6 +270,21 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 return NT_STATUS_BAD_NETWORK_NAME;
 }
 
+ /* Handle non-DFS clients attempting connections to msdfs proxy */
+ if (lp_host_msdfs()) {
+ char *proxy = lp_msdfs_proxy(talloc_tos(), snum);
+
+ if ((proxy != NULL) && (*proxy != '\0')) {
+ DBG_NOTICE("refusing connection to dfs proxy share "
+ "'%s' (pointing to %s)\n",
+ service,
+ proxy);
+ TALLOC_FREE(proxy);
+ return NT_STATUS_BAD_NETWORK_NAME;
+ }
+ TALLOC_FREE(proxy);
+ }
+
 if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
 (conn->smb2.server.cipher != 0))
 {
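Review bot: The comment on the added block says it handles non-DFS clients, but the condition tests only `lp_host_msdfs()` and a non-empty `lp_msdfs_proxy()` value, so every SMB2 tree connect to a proxy share is refused whatever the client supports. If that is the intent (presumably a client that follows referrals never tree-connects to the proxy share itself), the comment should say so, for example `/* An msdfs proxy share only hands out referrals: refuse any tree connect that reaches it, with the same status as an unknown share name. */`. The refusal is also skipped entirely when `lp_host_msdfs()` is false, in which case a share with a proxy value set falls through to the normal connect path below; a short comment stating that this is deliberate would help the next reader. The body of smbd_smb2_tree_connect starts and ends outside the hunk.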