The Samba-Bugzilla – Attachment 3718 Details for
Bug 5865
ntlm_auth helper rejects NTLMv2 with INVALID_PARAMETER if NTLM response part >256 bytes
[patch]
Proposed patch
0001-ntlm_auth-Put-huge-NTLMv2-blobs-into-extra_data-on.patch (text/plain), 5.12 KB, created by
Kai Blin
on 2008-11-07 02:11:44 UTC
(
hide
)
Description:
Proposed patch
Filename:
MIME Type:
Creator:
Kai Blin
Created:
2008-11-07 02:11:44 UTC
Size:
5.12 KB
patch
obsolete
>From 8d373ee4987cb8e378640c2d119d2f4ab6c993d1 Mon Sep 17 00:00:00 2001
>From: Kai Blin <kai@samba.org>
>Date: Fri, 7 Nov 2008 09:07:28 +0100
>Subject: [PATCH] ntlm_auth: Put huge NTLMv2 blobs into extra_data on CRAP auth
>
>This fixes bug #5865
>---
> source/nsswitch/winbindd_nss.h | 31 ++++++++++++++++---------------
> source/nsswitch/winbindd_pam.c | 24 +++++++++++++++++-------
> source/utils/ntlm_auth.c | 20 ++++++++++++++++----
> 3 files changed, 49 insertions(+), 26 deletions(-)
>
>diff --git a/source/nsswitch/winbindd_nss.h b/source/nsswitch/winbindd_nss.h
>index 8f22e15..742a774 100644
>--- a/source/nsswitch/winbindd_nss.h
>+++ b/source/nsswitch/winbindd_nss.h
>@@ -188,25 +188,26 @@ typedef struct winbindd_gr {
> } WINBINDD_GR;
>
>
>-#define WBFLAG_PAM_INFO3_NDR 0x0001
>-#define WBFLAG_PAM_INFO3_TEXT 0x0002
>-#define WBFLAG_PAM_USER_SESSION_KEY 0x0004
>-#define WBFLAG_PAM_LMKEY 0x0008
>-#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010
>-#define WBFLAG_QUERY_ONLY 0x0020
>-#define WBFLAG_PAM_UNIX_NAME 0x0080
>-#define WBFLAG_PAM_AFS_TOKEN 0x0100
>-#define WBFLAG_PAM_NT_STATUS_SQUASH 0x0200
>+#define WBFLAG_PAM_INFO3_NDR 0x00000001
>+#define WBFLAG_PAM_INFO3_TEXT 0x00000002
>+#define WBFLAG_PAM_USER_SESSION_KEY 0x00000004
>+#define WBFLAG_PAM_LMKEY 0x00000008
>+#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x00000010
>+#define WBFLAG_QUERY_ONLY 0x00000020
>+#define WBFLAG_PAM_UNIX_NAME 0x00000080
>+#define WBFLAG_PAM_AFS_TOKEN 0x00000100
>+#define WBFLAG_PAM_NT_STATUS_SQUASH 0x00000200
>
> /* This is a flag that can only be sent from parent to child */
>-#define WBFLAG_IS_PRIVILEGED 0x0400
>+#define WBFLAG_IS_PRIVILEGED 0x00000400
> /* Flag to say this is a winbindd internal send - don't recurse. */
>-#define WBFLAG_RECURSE 0x0800
>+#define WBFLAG_RECURSE 0x00000800
>
>-#define WBFLAG_PAM_KRB5 0x1000
>-#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000
>-#define WBFLAG_PAM_CACHED_LOGIN 0x4000
>-#define WBFLAG_PAM_GET_PWD_POLICY 0x8000
>+#define WBFLAG_PAM_KRB5 0x00001000
>+#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x00002000
>+#define WBFLAG_PAM_CACHED_LOGIN 0x00004000
>+#define WBFLAG_PAM_GET_PWD_POLICY 0x00008000
>+#define WBFLAG_BIG_NTLMV2_BLOB 0x00010000
>
> #define WINBINDD_MAX_EXTRA_DATA (128*1024)
>
>diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
>index 8751c18..708fc62 100644
>--- a/source/nsswitch/winbindd_pam.c
>+++ b/source/nsswitch/winbindd_pam.c
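Review bot: The new `WBFLAG_BIG_NTLMV2_BLOB` is the one flag in this table whose wire semantics cannot be read off its name, yet unlike WBFLAG_IS_PRIVILEGED and WBFLAG_RECURSE just above it gets no comment; I would add above the define `/* auth_crap.nt_resp did not fit inline: the NT response is carried in extra_data, extra_len bytes long */`. Widening every value to eight hex digits and taking bit 16 presumes the request's flags field is at least 32 bits wide; that struct is not in this hunk, so it is worth confirming rather than assuming.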
>@@ -1762,17 +1762,27 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
>
> if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
> || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
>- DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
>- state->request.data.auth_crap.lm_resp_len,
>- state->request.data.auth_crap.nt_resp_len));
>- result = NT_STATUS_INVALID_PARAMETER;
>- goto done;
>+ if (!state->request.flags & WBFLAG_BIG_NTLMV2_BLOB ||
>+ state->request.extra_len != state->request.data.auth_crap.nt_resp_len) {
>+ DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
>+ state->request.data.auth_crap.lm_resp_len,
>+ state->request.data.auth_crap.nt_resp_len));
>+ result = NT_STATUS_INVALID_PARAMETER;
>+ goto done;
>+ }
> }
>
> lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp,
> state->request.data.auth_crap.lm_resp_len);
>- nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp,
>- state->request.data.auth_crap.nt_resp_len);
>+ if (state->request.flags & WBFLAG_BIG_NTLMV2_BLOB) {
>+ nt_resp = data_blob_talloc(state->mem_ctx,
>+ state->request.extra_data.data,
>+ state->request.data.auth_crap.nt_resp_len);
>+ } else {
>+ nt_resp = data_blob_talloc(state->mem_ctx,
>+ state->request.data.auth_crap.nt_resp,
>+ state->request.data.auth_crap.nt_resp_len);
>+ }
>
> /* what domain should we contact? */
>
>diff --git a/source/utils/ntlm_auth.c b/source/utils/ntlm_auth.c
>index 53647ad..b42fe92 100644
>--- a/source/utils/ntlm_auth.c
>+++ b/source/utils/ntlm_auth.c
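Review bot: The new guard `if (!state->request.flags & WBFLAG_BIG_NTLMV2_BLOB || ...)` parses as `(!flags) & WBFLAG_BIG_NTLMV2_BLOB`, which is always zero, so the flag is never actually required: a request without it whose extra_len happens to equal an oversized nt_resp_len passes the check, takes the else branch below, and data_blob_talloc() over-reads the inline nt_resp buffer. The nesting also discards the lm_resp_len bound whenever the NT-side condition passes, and the flagged path never checks that extra_data.data is non-NULL before copying extra_len bytes from it. These lengths and flags come from whatever local client writes to the winbindd socket, so I would validate lm_resp and nt_resp independently as sketched below, keeping the existing DEBUG/INVALID_PARAMETER exit. winbindd_dual_pam_auth_crap begins and ends outside this hunk.
```c
	bool bad_len = state->request.data.auth_crap.lm_resp_len
			> sizeof(state->request.data.auth_crap.lm_resp); /* lm_resp has no out-of-line form */
	if (state->request.flags & WBFLAG_BIG_NTLMV2_BLOB) {
		/* nt_resp travels in extra_data: it must be present and its
		 * length must match what the client claims in nt_resp_len. */
		bad_len |= (state->request.extra_data.data == NULL ||
			    state->request.extra_len != state->request.data.auth_crap.nt_resp_len);
	} else {
		/* inline nt_resp: the copy below must not run past the buffer */
		bad_len |= state->request.data.auth_crap.nt_resp_len
			> sizeof(state->request.data.auth_crap.nt_resp);
	}
	if (bad_len) {
		DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
			  state->request.data.auth_crap.lm_resp_len,
			  state->request.data.auth_crap.nt_resp_len));
		result = NT_STATUS_INVALID_PARAMETER;
		goto done;
	}
	/* … unchanged: lm_resp / nt_resp data_blob_talloc … */
```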
>@@ -350,13 +350,25 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
> }
>
> if (nt_response && nt_response->length) {
>- memcpy(request.data.auth_crap.nt_resp,
>- nt_response->data,
>- MIN(nt_response->length, sizeof(request.data.auth_crap.nt_resp)));
>+ if (nt_response->length > sizeof(request.data.auth_crap.nt_resp)) {
>+ request.flags = request.flags | WBFLAG_BIG_NTLMV2_BLOB;
>+ request.extra_len = nt_response->length;
>+ request.extra_data.data = SMB_MALLOC_ARRAY(char, request.extra_len);
>+ if (request.extra_data.data == NULL) {
>+ return NT_STATUS_NO_MEMORY;
>+ }
>+ memcpy(request.extra_data.data, nt_response->data,
>+ nt_response->length);
>+
>+ } else {
>+ memcpy(request.data.auth_crap.nt_resp,
>+ nt_response->data, nt_response->length);
>+ }
> request.data.auth_crap.nt_resp_len = nt_response->length;
> }
>-
>+
> result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response);
>+ SAFE_FREE(request.extra_data.data);
>
> /* Display response */
>
>--
>1.5.4.3
>
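Review bot: The out-of-line path allocates and ships `nt_response->length` bytes with no upper bound, while the header changed by this same patch defines `WINBINDD_MAX_EXTRA_DATA (128*1024)`; if the daemon caps extra_data at that size (the reader is not visible here), an oversized response is rejected or dropped there with a less useful error than a client-side check would give, so I would add before the allocation `if (nt_response->length > WINBINDD_MAX_EXTRA_DATA) { return NT_STATUS_INVALID_PARAMETER; }`. Dropping the old MIN() truncation is the right call, since a silently truncated NTLMv2 response can only ever fail verification. The `SAFE_FREE(request.extra_data.data)` after the call frees whatever that field holds, which is only safe if the request was zeroed on entry and nothing earlier in the function set extra_data; contact_winbind_auth_crap begins and ends outside this hunk, so I cannot confirm that. The `-`/`+` pair on the blank line before the call is whitespace-only churn.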