sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-03 01:18:10 +03:00
Code

CVE-2022-2127: ntlm_auth: cap lanman response length value

Browse Source 
We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
lm_resp buffer, but we don't cap the length indicator.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Ralph Boehme 2023-06-16 12:28:47 +02:00 committed by Jule Anger
parent 5c6fe5a491
commit 2eabbe31f6
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
source3/utils/ntlm_auth.c
View File

@ -576,10 +576,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8)); memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
if (lm_response && lm_response->length) { if (lm_response && lm_response->length) {
size_t capped_lm_response_len = MIN(
lm_response->length,
sizeof(request.data.auth_crap.lm_resp));
memcpy(request.data.auth_crap.lm_resp, memcpy(request.data.auth_crap.lm_resp,
lm_response->data, lm_response->data,
MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp))); capped_lm_response_len);
request.data.auth_crap.lm_resp_len = lm_response->length; request.data.auth_crap.lm_resp_len = capped_lm_response_len;
} }
if (nt_response && nt_response->length) { if (nt_response && nt_response->length) {