From 9bab902fc50f88869b253c4089d83b3e33a1075a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 20 Jun 2023 15:33:02 +0200
Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory"
This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
calling srv_init_signing() very early after accepting the connection in
smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224
---
.../samba3.smb2.session-require-signing | 1 -
source3/smbd/smb2_signing.c | 19 ++++++++-----------
2 files changed, 8 insertions(+), 12 deletions(-)
delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
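diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
deleted file mode 100644
index 53b7a7022a8..00000000000
--- a/selftest/knownfail.d/samba3.smb2.session-require-signing
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.session-require-signing.bug15397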
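diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
index ef4a54d5710..73d07380dfa 100644
--- a/source3/smbd/smb2_signing.c
+++ b/source3/smbd/smb2_signing.c
@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
 return false;
 }
 
+ /*
+ * For SMB2 all we need to know is if signing is mandatory.
+ * It is always allowed and desired, whatever the smb.conf says.
+ */
+ (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
+
 #if defined(WITH_SMB1SERVER)
- if (conn->protocol >= PROTOCOL_SMB2_02) {
-#endif
- /*
- * For SMB2 all we need to know is if signing is mandatory.
- * It is always allowed and desired, whatever the smb.conf says.
- */
- (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-#if defined(WITH_SMB1SERVER)
- } else {
- ok = smb1_srv_init_signing(lp_ctx, conn);
- }
+ ok = smb1_srv_init_signing(lp_ctx, conn);
 #endif
+
 talloc_unlink(conn, lp_ctx);
 return ok;
 }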
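Review bot: The comment above the now-unconditional `lpcfg_server_signing_allowed()` call still reads as SMB2-specific and does not record why the `conn->protocol` check had to go, so a later cleanup could re-add the gate and silently stop enforcing "server signing = mandatory" again. I would extend the comment with `* Do not gate this on conn->protocol: it is still PROTOCOL_NONE when we are called from smbd_add_connection().` so the ordering constraint from the commit message sits next to the code. With WITH_SMB1SERVER defined, `smb1_srv_init_signing()` now also runs for connections that later negotiate SMB2; its body is not visible here, so it is worth confirming that this is harmless. The start of srv_init_signing() lies outside the hunk.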
--
2.39.3