CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks to parent process
The winbindd_dual_pam_auth_crap() function will be converted to a local
RPC call handler and it won't receive a winbindd_cli_state struct. Move
the checks accessing this struct to the parent.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 74a511a8ea
)
parent
76fc517cc5
commit
1dd3ae281b
@ -2671,18 +2671,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
|
|||||||
DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
|
DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
|
||||||
name_domain, name_user));
|
name_domain, name_user));
|
||||||
|
|
||||||
if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
|
|
||||||
|| state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
|
|
||||||
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
|
|
||||||
state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
|
|
||||||
DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
|
|
||||||
state->request->data.auth_crap.lm_resp_len,
|
|
||||||
state->request->data.auth_crap.nt_resp_len));
|
|
||||||
result = NT_STATUS_INVALID_PARAMETER;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
|
lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
|
||||||
state->request->data.auth_crap.lm_resp_len);
|
state->request->data.auth_crap.lm_resp_len);
|
||||||
|
|
||||||
|
@ -140,6 +140,18 @@ struct tevent_req *winbindd_pam_auth_crap_send(
|
|||||||
fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
|
fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
|
||||||
|
|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
|
||||||
|
if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
|
||||||
|
request->extra_len != request->data.auth_crap.nt_resp_len) {
|
||||||
|
DBG_ERR("Invalid password length %u/%u\n",
|
||||||
|
request->data.auth_crap.lm_resp_len,
|
||||||
|
request->data.auth_crap.nt_resp_len);
|
||||||
|
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||||
|
return tevent_req_post(req, ev);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
subreq = wb_domain_request_send(state, global_event_context(), domain,
|
subreq = wb_domain_request_send(state, global_event_context(), domain,
|
||||||
request);
|
request);
|
||||||
if (tevent_req_nomem(subreq, req)) {
|
if (tevent_req_nomem(subreq, req)) {
|
||||||
|
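Review bot: The relocated length check in winbindd_pam_auth_crap_send() still accepts an oversized `lm_resp_len` whenever the request sets WBFLAG_BIG_NTLMV2_BLOB and `extra_len` equals `nt_resp_len`, because both lengths share one outer condition while the big-blob exception only concerns the NT response. The context lines of the first hunk show the child copying `lm_resp_len` bytes out of the fixed-size `lm_resp` field with data_blob_talloc(), so a length above sizeof(lm_resp) would appear to read past that field. Rejecting an oversized LM length unconditionally and applying the flag/extra_len exception to the NT length alone closes this in the parent; the rewritten check is below. The function starts and ends outside the hunk.

```c
	if (request->data.auth_crap.lm_resp_len >
	    sizeof(request->data.auth_crap.lm_resp)) {
		/* The LM response never lives in extra_data: no exception. */
		DBG_ERR("Invalid LM response length %u\n",
			request->data.auth_crap.lm_resp_len);
		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
		return tevent_req_post(req, ev);
	}

	if (request->data.auth_crap.nt_resp_len >
	    sizeof(request->data.auth_crap.nt_resp)) {
		/* Only a big NTLMv2 blob carried in extra_data may exceed the field. */
		if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
		    request->extra_len != request->data.auth_crap.nt_resp_len) {
			DBG_ERR("Invalid NT response length %u\n",
				request->data.auth_crap.nt_resp_len);
			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
			return tevent_req_post(req, ev);
		}
	}

	/* … unchanged: wb_domain_request_send() call and nomem check … */
```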