mirror of
https://github.com/samba-team/samba.git
synced 2025-01-22 22:04:08 +03:00
CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks
With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you can crash winbind. We don't independently check lm_resp_len sufficiently. Discovered via Coverity ID 1504444 Out-of-bounds access BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 Signed-off-by: Volker Lendecke <vl@samba.org>
This commit is contained in:
parent
f2c18045a5
commit
19dcb036cb
@ -52,6 +52,9 @@ struct tevent_req *winbindd_pam_auth_crap_send(
|
||||
DATA_BLOB chal = data_blob_null;
|
||||
struct wbint_SidArray *require_membership_of_sid = NULL;
|
||||
NTSTATUS status;
|
||||
bool lmlength_ok = false;
|
||||
bool ntlength_ok = false;
|
||||
bool pwlength_ok = false;
|
||||
|
||||
req = tevent_req_create(mem_ctx, &state,
|
||||
struct winbindd_pam_auth_crap_state);
|
||||
@ -115,16 +118,24 @@ struct tevent_req *winbindd_pam_auth_crap_send(
|
||||
fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
|
||||
}
|
||||
|
||||
if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
|
||||
|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
|
||||
if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
|
||||
request->extra_len != request->data.auth_crap.nt_resp_len) {
|
||||
DBG_ERR("Invalid password length %u/%u\n",
|
||||
request->data.auth_crap.lm_resp_len,
|
||||
request->data.auth_crap.nt_resp_len);
|
||||
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
lmlength_ok = (request->data.auth_crap.lm_resp_len <=
|
||||
sizeof(request->data.auth_crap.lm_resp));
|
||||
|
||||
ntlength_ok = (request->data.auth_crap.nt_resp_len <=
|
||||
sizeof(request->data.auth_crap.nt_resp));
|
||||
|
||||
ntlength_ok |=
|
||||
((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
|
||||
(request->extra_len == request->data.auth_crap.nt_resp_len));
|
||||
|
||||
pwlength_ok = lmlength_ok && ntlength_ok;
|
||||
|
||||
if (!pwlength_ok) {
|
||||
DBG_ERR("Invalid password length %u/%u\n",
|
||||
request->data.auth_crap.lm_resp_len,
|
||||
request->data.auth_crap.nt_resp_len);
|
||||
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
|
||||
state->domain = talloc_strdup(state, request->data.auth_crap.domain);
|
||||
|
Loading…
x
Reference in New Issue
Block a user