
CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks

With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.

Discovered via Coverity ID 1504444 Out-of-bounds access

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Volker Lendecke <vl@samba.org>
Volker Lendecke 2022-05-20 10:55:23 +02:00 committed by Jule Anger
parent f2c18045a5
commit 19dcb036cb


@ -52,6 +52,9 @@ struct tevent_req *winbindd_pam_auth_crap_send(
DATA_BLOB chal = data_blob_null;
struct wbint_SidArray *require_membership_of_sid = NULL;
NTSTATUS status;
bool lmlength_ok = false;
bool ntlength_ok = false;
bool pwlength_ok = false;
req = tevent_req_create(mem_ctx, &state,
struct winbindd_pam_auth_crap_state);
@ -115,16 +118,24 @@ struct tevent_req *winbindd_pam_auth_crap_send(
fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
}
if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
request->extra_len != request->data.auth_crap.nt_resp_len) {
DBG_ERR("Invalid password length %u/%u\n",
request->data.auth_crap.lm_resp_len,
request->data.auth_crap.nt_resp_len);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
lmlength_ok = (request->data.auth_crap.lm_resp_len <=
sizeof(request->data.auth_crap.lm_resp));
ntlength_ok = (request->data.auth_crap.nt_resp_len <=
sizeof(request->data.auth_crap.nt_resp));
ntlength_ok |=
((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
(request->extra_len == request->data.auth_crap.nt_resp_len));
pwlength_ok = lmlength_ok && ntlength_ok;
if (!pwlength_ok) {
DBG_ERR("Invalid password length %u/%u\n",
request->data.auth_crap.lm_resp_len,
request->data.auth_crap.nt_resp_len);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
state->domain = talloc_strdup(state, request->data.auth_crap.domain);
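Review bot: The `ntlength_ok |=` clause accepts the request when either the inline-buffer bound or the big-blob condition holds, without tying the choice to `WBFLAG_BIG_NTLMV2_BLOB` itself, so a request that sets the flag with a small `nt_resp_len` passes even when `extra_len` does not match it. If the code further down in `winbindd_pam_auth_crap_send` (the function continues outside this hunk) selects the extra-data buffer on the flag alone, that copy would be bounded by `nt_resp_len` rather than by `extra_len`; this needs confirming against the rest of the function. Selecting the check by the flag would remove the ambiguity: `ntlength_ok = (request->flags & WBFLAG_BIG_NTLMV2_BLOB) ? (request->extra_len == request->data.auth_crap.nt_resp_len) : (request->data.auth_crap.nt_resp_len <= sizeof(request->data.auth_crap.nt_resp));`. Adding `request->extra_len` to the `DBG_ERR` arguments would also make a rejected request easier to diagnose from the log.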