sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-25 17:57:42 +03:00
Code

s3:smbd: improve the error returns for invalid session binding requests

Browse Source 
This brings us closer to what a Windows Server with GMAC signing
returns.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Stefan Metzmacher 2021-03-08 02:05:55 +01:00
parent 1025e1bfea
commit 898caeae63
2 changed files with 33 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
selftest/knownfail.d/smb2.session
View File

@ -1,28 +1,4 @@
^samba3.smb2.session.*.bind_negative_smb3signCtoHs
# These tests fail with INVALID_PARAMETER as
# we required the same client guid for session binds
^samba3.smb2.session.*.bind_negative_smb3signCtoHd
^samba3.smb2.session.*.bind_negative_smb3signCtoGs
^samba3.smb2.session.*.bind_negative_smb3signCtoGd
^samba3.smb2.session.*.bind_negative_smb3signHtoCs
^samba3.smb2.session.*.bind_negative_smb3signHtoCd
^samba3.smb2.session.*.bind_negative_smb3signHtoGs
^samba3.smb2.session.*.bind_negative_smb3signHtoGd
^samba3.smb2.session.*.bind_negative_smb3signGtoCs
^samba3.smb2.session.*.bind_negative_smb3signGtoCd
^samba3.smb2.session.*.bind_negative_smb3signGtoHs
^samba3.smb2.session.*.bind_negative_smb3signGtoHd
^samba3.smb2.session.*.bind_negative_smb3sneGtoCs
^samba3.smb2.session.*.bind_negative_smb3sneGtoCd
^samba3.smb2.session.*.bind_negative_smb3sneGtoHs
^samba3.smb2.session.*.bind_negative_smb3sneGtoHd
^samba3.smb2.session.*.bind_negative_smb3sneCtoGs
^samba3.smb2.session.*.bind_negative_smb3sneCtoGd
^samba3.smb2.session.*.bind_negative_smb3sneHtoGs
^samba3.smb2.session.*.bind_negative_smb3sneHtoGd
^samba3.smb2.session.*.bind_negative_smb3signC30toGs
^samba3.smb2.session.*.bind_negative_smb3signC30toGd
^samba3.smb2.session.*.bind_negative_smb3signH2XtoGs
^samba3.smb2.session.*.bind_negative_smb3signH2XtoGd
^samba3.smb2.session.*.bind_negative_smb3signGtoC30s
^samba3.smb2.session.*.bind_negative_smb3signGtoC30d
^samba3.smb2.session.*.bind_negative_smb3signGtoH2Xs
^samba3.smb2.session.*.bind_negative_smb3signGtoH2Xd

47
source3/smbd/smb2_sesssetup.c
View File

@ -691,16 +691,6 @@ static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
state->in_security_buffer = in_security_buffer;
if (in_flags & SMB2_SESSION_FLAG_BINDING) {
if (smb2req->xconn->protocol < PROTOCOL_SMB3_00) {
tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
return tevent_req_post(req, ev);
}
if (!smb2req->xconn->client->server_multi_channel_enabled) {
tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
return tevent_req_post(req, ev);
}
if (in_session_id == 0) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
@ -711,6 +701,29 @@ static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
if ((smb2req->session->global->signing_algo >= SMB2_SIGNING_AES128_GMAC) &&
(smb2req->xconn->smb2.server.sign_algo != smb2req->session->global->signing_algo))
{
tevent_req_nterror(req, NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
return tevent_req_post(req, ev);
}
if ((smb2req->xconn->smb2.server.sign_algo >= SMB2_SIGNING_AES128_GMAC) &&
(smb2req->session->global->signing_algo != smb2req->xconn->smb2.server.sign_algo))
{
tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
return tevent_req_post(req, ev);
}
if (smb2req->xconn->protocol < PROTOCOL_SMB3_00) {
tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
return tevent_req_post(req, ev);
}
if (!smb2req->xconn->client->server_multi_channel_enabled) {
tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
return tevent_req_post(req, ev);
}
if (!smb2req->do_signing) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
@ -723,17 +736,19 @@ static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
if (smb2req->session->global->signing_algo
!= smb2req->xconn->smb2.server.sign_algo)
if (smb2req->session->global->encryption_cipher
!= smb2req->xconn->smb2.server.cipher)
{
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
if (smb2req->session->global->encryption_cipher
!= smb2req->xconn->smb2.server.cipher)
{
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
status = smb2req->session->status;
if (NT_STATUS_EQUAL(status, NT_STATUS_BAD_LOGON_SESSION_STATE)) {
/*
* This comes from smb2srv_session_lookup_global().
*/
tevent_req_nterror(req, NT_STATUS_USER_SESSION_DELETED);
return tevent_req_post(req, ev);
}