From 86114412cc12b49b094ab201051d244f40b3f5b4 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Tue, 22 Mar 2016 16:30:42 +0100
Subject: [PATCH] CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This fixes a regression that was introduced by commit abb24bf8e874d525382e994af7ae432212775153 ("s3:smbd: make use of better SMB signing negotiation").

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Ralph Boehme
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/smbd/sesssetup.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index d68bcb68cc6..25b2ed64483 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -37,6 +37,7 @@
 #include "../libcli/security/security.h"
 #include "auth/gensec/gensec.h"
 #include "lib/conn_tdb.h"
+#include "../libcli/smb/smb_signing.h"
 
 /****************************************************************************
 Add the standard 'Samba' signature to the end of the session setup.
@@ -599,7 +600,8 @@ void reply_sesssetup_and_X(struct smb_request *req)
 struct smbd_server_connection *sconn = req->sconn;
 bool doencrypt = xconn->smb1.negprot.encrypted_passwords;
 bool signing_allowed = false;
- bool signing_mandatory = false;
+ bool signing_mandatory = smb_signing_is_mandatory(
+ xconn->smb1.signing_state);
 
 START_PROFILE(SMBsesssetupX);
 
-- 
2.11.4.GIT
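Review bot: The new initializer of `signing_mandatory` in the second hunk (`reply_sesssetup_and_X`) is now where the server's "server signing = mandatory" policy enters this function, and nothing in the code records that. I would add a comment directly above it, for example `/* Start from the server policy; client flags may only tighten this, never reset it to false. */`, because a later plain assignment to `signing_mandatory` would silently reintroduce the signing downgrade this CVE fix closes. The rest of the function lies outside the hunk, so it should be confirmed there that later code only raises the flag and never overwrites it. The diffstat shows only `sesssetup.c` changed; unless it is added elsewhere in the series, a regression test asserting that a client which does not request signing is refused when signing is mandatory would keep this from regressing a second time.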