From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 14 Aug 2017 12:13:18 +0200
Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function

This allows to check if the current cli_state uses encryption (either via unix extentions or via SMB3).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
Signed-off-by: Stefan Metzmacher
---
 source3/libsmb/clientgen.c | 13 +++++++++++++
 source3/libsmb/proto.h | 1 +
 2 files changed, 14 insertions(+)

diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index bc5c1b1ce3c..3e8523e5ce8 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
 return cli->smb1.pid;
 }
+bool cli_state_is_encryption_on(struct cli_state *cli)
+{
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ return smb1cli_conn_encryption_on(cli->conn);
+ }
+
+ if (cli->smb2.tcon == NULL) {
+ return false;
+ }
+
+ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
+}
+
 bool cli_state_has_tcon(struct cli_state *cli)
 {
 uint16_t tid = cli_state_get_tid(cli);
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index 764f3fc1b12..67fa43e4e4a 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
 uint16_t cli_state_get_vc_num(struct cli_state *cli);
 uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
 uint32_t cli_getpid(struct cli_state *cli);
+bool cli_state_is_encryption_on(struct cli_state *cli);
 bool cli_state_has_tcon(struct cli_state *cli);
 uint16_t cli_state_get_tid(struct cli_state *cli);
 uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
--
2.13.5
From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
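Review bot: The new `cli_state_is_encryption_on()` in clientgen.c carries no comment saying what "on" means, and its result is not uniform across dialects: below `PROTOCOL_SMB2_02` it is the connection-level SMB1 state, from SMB2 upward it is the state of the currently attached `cli->smb2.tcon`, and it is `false` whenever no tree is attached. A caller that uses the result to decide whether encryption has to be carried over to another connection would read "no tree connected yet" as "encryption not required"; whether any caller can reach the helper in that state is not visible in this hunk. I would add above the function: `/* True if traffic on this cli_state is currently encrypted: SMB1 connection state below SMB2_02, otherwise the state of cli->smb2.tcon. Returns false when no SMB2 tree is connected, so false does not mean encryption was never requested. */`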
From: Stefan Metzmacher
Date: Sat, 17 Dec 2016 10:36:49 +0100
Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()

This will keep enforced encryption across dfs referrals.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
Signed-off-by: Stefan Metzmacher
---
 source3/libsmb/clidfs.c | 4 ++--
 source3/libsmb/libsmb_context.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index c477d7c6a46..99818a681e3 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
 "IPC$",
 dfs_auth_info,
 false,
- smb1cli_conn_encryption_on(rootcli->conn),
+ cli_state_is_encryption_on(rootcli),
 smbXcli_conn_protocol(rootcli->conn),
 0,
 0x20,
@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
 dfs_refs[count].share,
 dfs_auth_info,
 false,
- smb1cli_conn_encryption_on(rootcli->conn),
+ cli_state_is_encryption_on(rootcli),
 smbXcli_conn_protocol(rootcli->conn),
 0,
 0x20,
diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
index ed6ca2b1b9f..b55cf1e2d15 100644
--- a/source3/libsmb/libsmb_context.c
+++ b/source3/libsmb/libsmb_context.c
@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
 for (s = context->internal->servers; s; s = s->next) {
 num_servers++;
- if (!smb1cli_conn_encryption_on(s->cli->conn)) {
+ if (!cli_state_is_encryption_on(s->cli)) {
 return (void *)false;
 }
 }
--
2.13.5
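Review bot: Neither replaced argument in `cli_resolve_path()` (the `"IPC$"` call in the hunk at -980 and the `dfs_refs[count].share` call in the hunk at -1038) says at the call site that it is what stops a DFS referral from being followed in cleartext. Both now take the encryption requirement from `rootcli`'s current state through the new helper. A one-line comment on each, such as `/* must cover SMB2/3 as well as SMB1: a referral must not drop the encryption rootcli already uses */`, would keep a later cleanup from going back to the SMB1-only accessor. Whether the callee aborts the connection when the referred server cannot encrypt is outside these hunks, so the guarantee depends on that path failing closed. The enclosing function starts and ends outside both hunks.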