From 86808d66f30136850f857b749e768c88de3a079f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 11 Nov 2020 17:03:29 +0100 Subject: [PATCH] gensec:spnego: ignore trailing bytes in SPNEGO_SERVER_START state This matches Windows (at least Server 2012_R2). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- auth/gensec/spnego.c | 24 +++++++++++++++++------- selftest/knownfail.d/dcerpc-auth-pad | 3 --- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 378ba3402c4..741d85b9a5e 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -1758,6 +1758,7 @@ static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security, const DATA_BLOB in, TALLOC_CTX *mem_ctx, DATA_BLOB *full_in) { + DATA_BLOB consume = data_blob_null; struct spnego_state *spnego_state = talloc_get_type_abort(gensec_security->private_data, struct spnego_state); @@ -1824,17 +1825,26 @@ static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security, return NT_STATUS_INVALID_PARAMETER; } + consume = in; expected = spnego_state->in_needed - spnego_state->in_frag.length; - if (in.length > expected) { + if (consume.length > expected) { + if (spnego_state->state_position != SPNEGO_SERVER_START) { + /* + * we got more than expected + */ + return NT_STATUS_INVALID_PARAMETER; + } + /* - * we got more than expected + * In SPNEGO_SERVER_START we need to ignore unexpected + * bytes at the end. */ - return NT_STATUS_INVALID_PARAMETER; + consume.length = expected; } - if (in.length == spnego_state->in_needed) { + if (consume.length == spnego_state->in_needed) { /* - * if the in.length contains the full blob + * if the consume.length contains the full blob * we are done. * * Note: this implies spnego_state->in_frag.length == 0, @@ -1842,13 +1852,13 @@ static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security, * because we already know that we did not get * more than expected. */ - *full_in = in; + *full_in = consume; spnego_state->in_needed = 0; return NT_STATUS_OK; } ok = data_blob_append(spnego_state, &spnego_state->in_frag, - in.data, in.length); + consume.data, consume.length); if (!ok) { return NT_STATUS_NO_MEMORY; } diff --git a/selftest/knownfail.d/dcerpc-auth-pad b/selftest/knownfail.d/dcerpc-auth-pad index eab7637fc40..cbfd1442c86 100644 --- a/selftest/knownfail.d/dcerpc-auth-pad +++ b/selftest/knownfail.d/dcerpc-auth-pad @@ -1,7 +1,4 @@ -^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_spnego_alter -^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_spnego_auth3 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_ntlm ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_spnego ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_auth3 -^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3