Bug 14932 - Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.15.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-20 10:16 UTC by Stefan Metzmacher
Modified: 2022-01-19 15:28 UTC
CC: 3 users

See Also:


Attachments
Patches for v4-15-test (26.62 KB, patch)
2022-01-17 14:06 UTC, Stefan Metzmacher
jra: review+
Patches for v4-14-test (with less backported tests) (22.02 KB, patch)
2022-01-17 14:07 UTC, Stefan Metzmacher
jra: review+

Description Stefan Metzmacher 2021-12-20 10:16:48 UTC
It seems that some NetApp diag tool uses an invalid av_pair blob in order to
test netr_LogonSamLogonEx with NTLMv2.

In NTLMv2_RESPONSE_verify_netlogon_creds() we try to parse the
av_pair in order to apply restrictions on the computer/domain names used
for workstation trusts.

Windows doesn't check the av_pair, or at least ignores parsing errors,
in netr_LogonSamLogonEx(). However, a parsing error in the NTLMSSP handling
of an AUTHENTICATE_MESSAGE results in NT_STATUS_INVALID_PARAMETER.

Samba returns NT_STATUS_BUFFER_TOO_SMALL in both cases.
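Added example (not from the bug report, and not Samba's code) illustrating the distinction the description draws: a bounds-checked parser for an MS-NLMP AV_PAIR list as carried at the end of an NTLMv2_RESPONSE, plus the two ways a caller can treat a malformed list, rejecting it with NT_STATUS_INVALID_PARAMETER on the NTLMSSP AUTHENTICATE_MESSAGE path and ignoring it on the netr_LogonSamLogonEx path. The NTSTATUS values and AvId numbers are the real specification constants; the function names, the error enum and the sample blobs are constructed for this example.

```c
/* Added example, not Samba's code. Parses an MS-NLMP AV_PAIR list and shows
 * the two error policies contrasted in the bug report. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real NTSTATUS values. BUFFER_TOO_SMALL is what the report criticises and
 * is deliberately never returned by the functions below. */
#define NT_STATUS_OK                0x00000000u
#define NT_STATUS_INVALID_PARAMETER 0xC000000Du
#define NT_STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* AvId values from MS-NLMP 2.2.2.1 (only the ones used here). */
enum av_id {
	MsvAvEOL            = 0x0000,
	MsvAvNbComputerName = 0x0001,
	MsvAvNbDomainName   = 0x0002,
};

/* Constructed parse results (not a Samba type). */
enum av_parse_status { AV_OK = 0, AV_TRUNCATED, AV_BAD_EOL, AV_TOO_MANY };

struct av_pair {
	uint16_t id;
	uint16_t len;
	const uint8_t *value;   /* points into the caller's blob, not copied */
};

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Each entry is AvId (LE16), AvLen (LE16), Value (AvLen bytes); the list ends
 * with MsvAvEOL and AvLen 0. Every length is checked against the remaining
 * bytes before it is trusted, so a lying AvLen yields AV_TRUNCATED instead of
 * a read past the buffer. */
enum av_parse_status av_pair_list_parse(const uint8_t *blob, size_t blob_len,
					struct av_pair *out, size_t max,
					size_t *count)
{
	size_t off = 0, n = 0;

	*count = 0;
	for (;;) {
		uint16_t id, len;

		if (blob_len - off < 4)
			return AV_TRUNCATED;    /* no room for a header */
		id = get_le16(blob + off);
		len = get_le16(blob + off + 2);
		off += 4;
		if (id == MsvAvEOL) {
			if (len != 0)
				return AV_BAD_EOL;
			*count = n;
			return AV_OK;
		}
		if (blob_len - off < len)
			return AV_TRUNCATED;    /* AvLen claims more than is there */
		if (n == max)
			return AV_TOO_MANY;
		out[n].id = id;
		out[n].len = len;
		out[n].value = blob + off;
		n++;
		off += len;
	}
}

/* NTLMSSP AUTHENTICATE_MESSAGE path: a malformed list is a client error and
 * is reported as NT_STATUS_INVALID_PARAMETER, as the report says Windows does. */
uint32_t ntlmssp_authenticate_av_pairs(const uint8_t *blob, size_t blob_len)
{
	struct av_pair pairs[16];
	size_t n;

	if (av_pair_list_parse(blob, blob_len, pairs, 16, &n) != AV_OK)
		return NT_STATUS_INVALID_PARAMETER;
	return NT_STATUS_OK;
}

/* netr_LogonSamLogonEx path: a malformed list is ignored; the optional
 * computer/domain-name restrictions are simply not applied. */
uint32_t netlogon_av_pairs(const uint8_t *blob, size_t blob_len,
			   bool *restrictions_applied)
{
	struct av_pair pairs[16];
	size_t n;

	*restrictions_applied =
		(av_pair_list_parse(blob, blob_len, pairs, 16, &n) == AV_OK);
	return NT_STATUS_OK;
}

/* Constructed sample: NbComputerName "PC", NbDomainName "DOM" (UTF-16LE), EOL. */
static const uint8_t good_blob[] = {
	0x01,0x00, 0x04,0x00, 'P',0, 'C',0,
	0x02,0x00, 0x06,0x00, 'D',0, 'O',0, 'M',0,
	0x00,0x00, 0x00,0x00,
};
/* Constructed sample: second AvLen claims 16 bytes but only 2 follow. */
static const uint8_t bad_blob[] = {
	0x01,0x00, 0x04,0x00, 'P',0, 'C',0,
	0x02,0x00, 0x10,0x00, 'D',0,
};

int main(void)
{
	bool applied;

	printf("ntlmssp good: 0x%08x\n", ntlmssp_authenticate_av_pairs(good_blob, sizeof good_blob));
	printf("ntlmssp bad:  0x%08x\n", ntlmssp_authenticate_av_pairs(bad_blob, sizeof bad_blob));
	printf("netlogon bad: 0x%08x\n", netlogon_av_pairs(bad_blob, sizeof bad_blob, &applied));
	printf("restrictions applied: %s\n", applied ? "yes" : "no");
	return 0;
}
```

The same parser serves both callers; only the mapping of its result to an NTSTATUS differs, which is the point the report makes about returning the same buffer error from two paths that Windows treats differently.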
Comment 1 Samba QA Contact 2022-01-04 20:58:04 UTC
This bug was referenced in samba master:

0ef1254f4428ab83ab6c8ca5e3415a1a9e069c92
e7e521fe9b947e553e2bf093e93f1d66ae9c95b9
f123c1a171e59113feb688523b499dab0b824528
23bedd69b2db0dd6de98ed147eddcba799694de7
e0b705d26f0b151ba52d1f9f5504f622fadf7d7c
dd9886100514941aa16af8566faf41501b601a44
Comment 2 Stefan Metzmacher 2022-01-17 14:06:50 UTC
Created attachment 17095
Patches for v4-15-test
Comment 3 Stefan Metzmacher 2022-01-17 14:07:28 UTC
Created attachment 17096
Patches for v4-14-test (with less backported tests)
Comment 4 Jeremy Allison 2022-01-18 18:34:42 UTC
Comment on attachment 17095
Patches for v4-15-test

Sorry Metze, this fails with:

../../source4/torture/rpc/schannel.c: In function ‘test_netlogon_ex_bug14932’:
../../source4/torture/rpc/schannel.c:283:43: error: implicit declaration of function ‘popt_get_cmdline_credentials’ [-Werror=implicit-function-declaration]
  283 |  cli_credentials_get_ntlm_username_domain(popt_get_cmdline_credentials(),
      |                                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comment 5 Jeremy Allison 2022-01-18 18:35:21 UTC
Comment on attachment 17095
Patches for v4-15-test

I think the fixes themselves are good, just needs some back-porting to cope with the command-line changes.
Comment 6 Jeremy Allison 2022-01-18 18:42:33 UTC
Comment on attachment 17095
Patches for v4-15-test

Doh! Please ignore the previous comments. I applied the 4.14 patch to the 4.15 codebase :-(. Patch for 4.15 is good. Sorry for the noise :-(.
Comment 7 Jeremy Allison 2022-01-18 18:50:51 UTC
Re-assigning to Jule for inclusion in 4.15.next, 4.14.next.
Comment 8 Jule Anger 2022-01-18 19:27:52 UTC
Pushed to autobuild-v4-{15,14}-test.
Comment 9 Samba QA Contact 2022-01-18 20:23:03 UTC
This bug was referenced in samba v4-15-test:

058c8a5278dcf8b282225620ac5cb021095dcff6
3ffd53f9e7603e67d2f1efd1eb359a16b6ae77d8
aa9889230fe647fbe0c4de9326548fd36c526895
a4bf80d820327f6e4f6763760ecce171428bae66
af3c6b570f21efee8bbe5f4fc64836ef8a71d6ce
2a59fd316f7e512c694ef59d8e9780083e00f9bf
Comment 10 Samba QA Contact 2022-01-19 09:12:03 UTC
This bug was referenced in samba v4-14-test:

c51625b48308e3ac5f4e450e748fc17bdd9fb7bf
ab38fec433f42cae11cd6d61a80c40fb57d017c3
74aca02a8f152cc99c32fb4e371a9db34772a5f7
13ba2002bc1d1407eb71a59dbe9d6bbfa153f249
1d181de02de351c106fbea694a922e39ffbbae63
Comment 11 Jule Anger 2022-01-19 14:53:45 UTC
Closing out bug report.

Thanks!
Comment 12 Samba QA Contact 2022-01-19 15:28:59 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.4):

058c8a5278dcf8b282225620ac5cb021095dcff6
3ffd53f9e7603e67d2f1efd1eb359a16b6ae77d8
aa9889230fe647fbe0c4de9326548fd36c526895
a4bf80d820327f6e4f6763760ecce171428bae66
af3c6b570f21efee8bbe5f4fc64836ef8a71d6ce
2a59fd316f7e512c694ef59d8e9780083e00f9bf