mirror of https://github.com/samba-team/samba.git synced 2025-01-18 06:04:06 +03:00

CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks

With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.

Discovered via Coverity ID 1504444 Out-of-bounds access

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Volker Lendecke <vl@samba.org>
Volker Lendecke 2022-05-20 10:55:23 +02:00 committed by Jule Anger
parent 1dd3ae281b
commit 5c6fe5a491


@ -42,6 +42,9 @@ struct tevent_req *winbindd_pam_auth_crap_send(
struct winbindd_pam_auth_crap_state *state;
struct winbindd_domain *domain;
const char *auth_domain = NULL;
bool lmlength_ok = false;
bool ntlength_ok = false;
bool pwlength_ok = false;
req = tevent_req_create(mem_ctx, &state,
struct winbindd_pam_auth_crap_state);
@ -140,16 +143,24 @@ struct tevent_req *winbindd_pam_auth_crap_send(
fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
}
if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
request->extra_len != request->data.auth_crap.nt_resp_len) {
DBG_ERR("Invalid password length %u/%u\n",
request->data.auth_crap.lm_resp_len,
request->data.auth_crap.nt_resp_len);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
lmlength_ok = (request->data.auth_crap.lm_resp_len <=
sizeof(request->data.auth_crap.lm_resp));
ntlength_ok = (request->data.auth_crap.nt_resp_len <=
sizeof(request->data.auth_crap.nt_resp));
ntlength_ok |=
((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
(request->extra_len == request->data.auth_crap.nt_resp_len));
pwlength_ok = lmlength_ok && ntlength_ok;
if (!pwlength_ok) {
DBG_ERR("Invalid password length %u/%u\n",
request->data.auth_crap.lm_resp_len,
request->data.auth_crap.nt_resp_len);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
subreq = wb_domain_request_send(state, global_event_context(), domain,