From 8d373ee4987cb8e378640c2d119d2f4ab6c993d1 Mon Sep 17 00:00:00 2001
From: Kai Blin
Date: Fri, 7 Nov 2008 09:07:28 +0100
Subject: [PATCH] ntlm_auth: Put huge NTLMv2 blobs into extra_data on CRAP auth

This fixes bug #5865
---
 source/nsswitch/winbindd_nss.h | 31 ++++++++++++++++---------------
 source/nsswitch/winbindd_pam.c | 24 +++++++++++++++++-------
 source/utils/ntlm_auth.c       | 20 ++++++++++++++++----
 3 files changed, 49 insertions(+), 26 deletions(-)

diff --git a/source/nsswitch/winbindd_nss.h b/source/nsswitch/winbindd_nss.h
index 8f22e15..742a774 100644
--- a/source/nsswitch/winbindd_nss.h
+++ b/source/nsswitch/winbindd_nss.h
@@ -188,25 +188,26 @@ typedef struct winbindd_gr {
 } WINBINDD_GR;
 
-#define WBFLAG_PAM_INFO3_NDR 0x0001
-#define WBFLAG_PAM_INFO3_TEXT 0x0002
-#define WBFLAG_PAM_USER_SESSION_KEY 0x0004
-#define WBFLAG_PAM_LMKEY 0x0008
-#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010
-#define WBFLAG_QUERY_ONLY 0x0020
-#define WBFLAG_PAM_UNIX_NAME 0x0080
-#define WBFLAG_PAM_AFS_TOKEN 0x0100
-#define WBFLAG_PAM_NT_STATUS_SQUASH 0x0200
+#define WBFLAG_PAM_INFO3_NDR 0x00000001
+#define WBFLAG_PAM_INFO3_TEXT 0x00000002
+#define WBFLAG_PAM_USER_SESSION_KEY 0x00000004
+#define WBFLAG_PAM_LMKEY 0x00000008
+#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x00000010
+#define WBFLAG_QUERY_ONLY 0x00000020
+#define WBFLAG_PAM_UNIX_NAME 0x00000080
+#define WBFLAG_PAM_AFS_TOKEN 0x00000100
+#define WBFLAG_PAM_NT_STATUS_SQUASH 0x00000200
 
 /* This is a flag that can only be sent from parent to child */
-#define WBFLAG_IS_PRIVILEGED 0x0400
+#define WBFLAG_IS_PRIVILEGED 0x00000400
 
 /* Flag to say this is a winbindd internal send - don't recurse. */
-#define WBFLAG_RECURSE 0x0800
+#define WBFLAG_RECURSE 0x00000800
 
-#define WBFLAG_PAM_KRB5 0x1000
-#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000
-#define WBFLAG_PAM_CACHED_LOGIN 0x4000
-#define WBFLAG_PAM_GET_PWD_POLICY 0x8000
+#define WBFLAG_PAM_KRB5 0x00001000
+#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x00002000
+#define WBFLAG_PAM_CACHED_LOGIN 0x00004000
+#define WBFLAG_PAM_GET_PWD_POLICY 0x00008000
+#define WBFLAG_BIG_NTLMV2_BLOB 0x00010000
 
 #define WINBINDD_MAX_EXTRA_DATA (128*1024)
 
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
index 8751c18..708fc62 100644
--- a/source/nsswitch/winbindd_pam.c
+++ b/source/nsswitch/winbindd_pam.c
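Review bot: WBFLAG_BIG_NTLMV2_BLOB is the one flag in this table whose contract is not obvious from its name, and unlike WBFLAG_IS_PRIVILEGED and WBFLAG_RECURSE just above it gets no comment, although the pam side in this same patch depends on a precise invariant (the NT response is in extra_data and extra_len equals auth_crap.nt_resp_len). I would state that at the definition: `/* auth_crap.nt_resp was too small: the NT response is carried in extra_data, with extra_len == auth_crap.nt_resp_len */`. Widening every value to eight hex digits suggests the flags field is 32 bits wide, but its declaration is not in this hunk, so that is worth confirming before bit 16 is relied on.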
@@ -1762,17 +1762,27 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 
 	if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
 		|| state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
-		DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
-			  state->request.data.auth_crap.lm_resp_len,
-			  state->request.data.auth_crap.nt_resp_len));
-		result = NT_STATUS_INVALID_PARAMETER;
-		goto done;
+		if (!state->request.flags & WBFLAG_BIG_NTLMV2_BLOB ||
+		    state->request.extra_len != state->request.data.auth_crap.nt_resp_len) {
+			DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
+				  state->request.data.auth_crap.lm_resp_len,
+				  state->request.data.auth_crap.nt_resp_len));
+			result = NT_STATUS_INVALID_PARAMETER;
+			goto done;
+		}
 	}
 
 	lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp,
 				   state->request.data.auth_crap.lm_resp_len);
-	nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp,
-				   state->request.data.auth_crap.nt_resp_len);
+	if (state->request.flags & WBFLAG_BIG_NTLMV2_BLOB) {
+		nt_resp = data_blob_talloc(state->mem_ctx,
+					   state->request.extra_data.data,
+					   state->request.data.auth_crap.nt_resp_len);
+	} else {
+		nt_resp = data_blob_talloc(state->mem_ctx,
+					   state->request.data.auth_crap.nt_resp,
+					   state->request.data.auth_crap.nt_resp_len);
+	}
 
 	/* what domain should we contact? */
 
diff --git a/source/utils/ntlm_auth.c b/source/utils/ntlm_auth.c
index 53647ad..b42fe92 100644
--- a/source/utils/ntlm_auth.c
+++ b/source/utils/ntlm_auth.c
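Review bot: `!state->request.flags & WBFLAG_BIG_NTLMV2_BLOB` parses as `(!state->request.flags) & WBFLAG_BIG_NTLMV2_BLOB`, which is zero for every non-zero flags value, so the added guard effectively tests only `extra_len != nt_resp_len` and never requires the flag to be set. Even with `!(state->request.flags & WBFLAG_BIG_NTLMV2_BLOB)` the combined condition still drops the lm_resp_len bound whenever the extra_data path is taken, so an oversize lm_resp_len reaches the data_blob_talloc of lm_resp below, and the new `if (state->request.flags & WBFLAG_BIG_NTLMV2_BLOB)` branch that reads from extra_data.data is also taken when nt_resp_len fits the inline buffer, where neither extra_len nor extra_data.data has been checked at all. These values arrive from a winbindd client, so each length wants its own test. winbindd_dual_pam_auth_crap starts and ends outside the hunk; the fence replaces only the length validation.
```c
	if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)) {
		DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
			  state->request.data.auth_crap.lm_resp_len,
			  state->request.data.auth_crap.nt_resp_len));
		result = NT_STATUS_INVALID_PARAMETER;
		goto done;
	}

	if (state->request.flags & WBFLAG_BIG_NTLMV2_BLOB) {
		/* NT response is carried in extra_data; its length must match exactly
		 * and the buffer must actually be present before it is read below. */
		if (state->request.extra_data.data == NULL ||
		    state->request.extra_len != state->request.data.auth_crap.nt_resp_len) {
			DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
				  state->request.data.auth_crap.lm_resp_len,
				  state->request.data.auth_crap.nt_resp_len));
			result = NT_STATUS_INVALID_PARAMETER;
			goto done;
		}
	} else if (state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
		DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
			  state->request.data.auth_crap.lm_resp_len,
			  state->request.data.auth_crap.nt_resp_len));
		result = NT_STATUS_INVALID_PARAMETER;
		goto done;
	}

	/* … unchanged: lm_resp / nt_resp data_blob_talloc … */
```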
@@ -350,13 +350,25 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 	}
 
 	if (nt_response && nt_response->length) {
-		memcpy(request.data.auth_crap.nt_resp,
-		       nt_response->data,
-		       MIN(nt_response->length, sizeof(request.data.auth_crap.nt_resp)));
+		if (nt_response->length > sizeof(request.data.auth_crap.nt_resp)) {
+			request.flags = request.flags | WBFLAG_BIG_NTLMV2_BLOB;
+			request.extra_len = nt_response->length;
+			request.extra_data.data = SMB_MALLOC_ARRAY(char, request.extra_len);
+			if (request.extra_data.data == NULL) {
+				return NT_STATUS_NO_MEMORY;
+			}
+			memcpy(request.extra_data.data, nt_response->data,
+			       nt_response->length);
+
+		} else {
+			memcpy(request.data.auth_crap.nt_resp,
+			       nt_response->data, nt_response->length);
+		}
 		request.data.auth_crap.nt_resp_len = nt_response->length;
 	}
-	
+
 	result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response);
+	SAFE_FREE(request.extra_data.data);
 
 	/* Display response */
 
-- 
1.5.4.3
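Review bot: The oversize branch copies the blob into extra_data with no upper bound, while the header in this same patch caps extra data at WINBINDD_MAX_EXTRA_DATA (128*1024); a response larger than that will presumably be refused by winbindd only after a needless allocation and round trip, so reject it before the SMB_MALLOC_ARRAY: `if (nt_response->length > WINBINDD_MAX_EXTRA_DATA) { return NT_STATUS_INVALID_PARAMETER; }`. `request.data.auth_crap.nt_resp_len = nt_response->length;` now carries lengths well beyond the inline buffer, and the field's width is not visible in the hunk, so confirm it cannot truncate, since the server compares extra_len against it. `request.flags = request.flags | WBFLAG_BIG_NTLMV2_BLOB;` is more idiomatically `request.flags |= WBFLAG_BIG_NTLMV2_BLOB;`. contact_winbind_auth_crap begins and ends outside the hunk.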