gensec:ntlmssp: only allow messages up to 2888 bytes

This matches Windows (at least Server 2012_R2).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 55dd8bdb05)

auth/ntlmssp/ntlmssp.c

@@ -36,6 +36,8 @@ struct auth_session_info;
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
+#define NTLMSSP_MAX_UPDATE_SIZE 2888
+
 /**
  * Callbacks for NTLMSSP - for both client and server operating modes
  *
@@ -136,6 +138,13 @@ static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_securi
 		}
 	}
 
+	if (input.length > NTLMSSP_MAX_UPDATE_SIZE) {
+		DBG_WARNING("reject large command=%u message, length %zu > %u)\n",
+			    ntlmssp_command, input.length,
+			    NTLMSSP_MAX_UPDATE_SIZE);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
 		DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command,
 			  gensec_ntlmssp->ntlmssp_state->expected_state));

auth/ntlmssp/ntlmssp_client.c

@@ -142,12 +142,6 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
 
 	/* parse the NTLMSSP packet */
 
-	if (in.length > UINT16_MAX) {
-		DEBUG(1, ("%s: reject large request of length %u\n",
-			__func__, (unsigned int)in.length));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
 	ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
 			 "NTLMSSP",
 			 &ntlmssp_command,

auth/ntlmssp/ntlmssp_server.c

@@ -124,12 +124,6 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
 #endif
 
 	if (request.length) {
-		if (request.length > UINT16_MAX) {
-			DEBUG(1, ("ntlmssp_server_negotiate: reject large request of length %u\n",
-				(unsigned int)request.length));
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-
 		if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
 							  "NTLMSSP",
 							  &ntlmssp_command,

selftest/knownfail.d/dcerpc-auth-pad

@@ -2,10 +2,6 @@
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_spnego_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_ntlm
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_spnego
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_alter
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_auth3
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_bind
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_alter
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3