From 5c6fe5a491b16bb658c191cfafb5edc0beb5fab2 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Fri, 20 May 2022 10:55:23 +0200
Subject: [PATCH 02/25] CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP
length checks
With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.
Discovered via Coverity ID 1504444 Out-of-bounds access
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
Signed-off-by: Volker Lendecke <vl@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
---
source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++--------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
|
|
index fdb8120a6fe..651d54b01d3 100644
|
|
--- a/source3/winbindd/winbindd_pam_auth_crap.c
|
|
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
|
|
@@ -42,6 +42,9 @@ struct tevent_req *winbindd_pam_auth_crap_send(
|
|
struct winbindd_pam_auth_crap_state *state;
|
|
struct winbindd_domain *domain;
|
|
const char *auth_domain = NULL;
|
|
+ bool lmlength_ok = false;
|
|
+ bool ntlength_ok = false;
|
|
+ bool pwlength_ok = false;
|
|
|
|
req = tevent_req_create(mem_ctx, &state,
|
|
struct winbindd_pam_auth_crap_state);
|
|
@@ -140,16 +143,24 @@ struct tevent_req *winbindd_pam_auth_crap_send(
|
|
fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
|
|
}
|
|
|
|
- if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
|
|
- || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
|
|
- if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
|
|
- request->extra_len != request->data.auth_crap.nt_resp_len) {
|
|
- DBG_ERR("Invalid password length %u/%u\n",
|
|
- request->data.auth_crap.lm_resp_len,
|
|
- request->data.auth_crap.nt_resp_len);
|
|
- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
|
- return tevent_req_post(req, ev);
|
|
- }
|
|
+ lmlength_ok = (request->data.auth_crap.lm_resp_len <=
|
|
+ sizeof(request->data.auth_crap.lm_resp));
|
|
+
|
|
+ ntlength_ok = (request->data.auth_crap.nt_resp_len <=
|
|
+ sizeof(request->data.auth_crap.nt_resp));
|
|
+
|
|
+ ntlength_ok |=
|
|
+ ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
|
|
+ (request->extra_len == request->data.auth_crap.nt_resp_len));
|
|
+
|
|
+ pwlength_ok = lmlength_ok && ntlength_ok;
|
|
+
|
|
+ if (!pwlength_ok) {
|
|
+ DBG_ERR("Invalid password length %u/%u\n",
|
|
+ request->data.auth_crap.lm_resp_len,
|
|
+ request->data.auth_crap.nt_resp_len);
|
|
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
|
+ return tevent_req_post(req, ev);
|
|
}
|
|
|
|
subreq = wb_domain_request_send(state, global_event_context(), domain,
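Review bot: The new acceptance condition for an oversized nt_resp carries no comment, and `ntlength_ok |= ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) && ...)` relies on int-to-bool conversion inside a compound OR; `ntlength_ok = ntlength_ok || (...)` says the same thing in the type the variable was declared with. A comment such as `/* an NTLMv2 blob too large for nt_resp is accepted only when extra_len equals nt_resp_len exactly; lm_resp_len is bounded independently, whatever the flag says */` would record why the two fields are now checked separately, which is the substance of the fix. Presumably the oversized blob is then read from the request's extra data rather than the fixed nt_resp array — confirm against the code that consumes it, which is outside this hunk. winbindd_pam_auth_crap_send begins before the hunk and continues after it.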
|
|
--
2.34.1