Bug 5865 - ntlm_auth helper rejects NTLMv2 with INVALID_PARAMETER if NTLM response part >256 bytes
Summary: ntlm_auth helper rejects NTLMv2 with INVALID_PARAMETER if NTLM response part ...
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool (show other bugs)
Version: 3.0.28
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL: http://linux-blog.project76.co.uk/arc...
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-02 05:56 UTC by Jamie Stallwood
Modified: 2008-11-10 06:16 UTC (History)
1 user (show)

See Also:

Attachments
NTLMSSP packet data (4.41 KB, text/plain)
2008-11-02 05:57 UTC, Jamie Stallwood 		no flags Details
Proposed patch (5.12 KB, patch)
2008-11-07 02:11 UTC, Kai Blin 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jamie Stallwood 2008-11-02 05:56:17 UTC 
Squid 3.0-STABLE9 and Samba 3.0.28 from CentOS 5 binary RPMs.
squid authenticating XP and Vista machines using NTLM: 
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp


[2008/10/15 09:26:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)  Got NTLMSSP neg_flags=0xa208b207
[2008/10/15 09:26:07, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)  Got user=[YXXXXXXX] domain=[YXXXXXXX] workstation=[YXXXXXXX] len1=24 len2=264
[2008/10/15 09:26:07, 3] utils/ntlm_auth.c:winbind_pw_check(515)  Login for user [YXXXXXXX]\[YXXXXXXX]@[YXXXXXXX] failed due to [Invalid parameter]


Tracing back through the Samba code, I found this was the failure point:

/usr/src/samba-3.0.28/source/nsswitch/winbindd_pam.c   
1713 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,   
1714                                                  struct winbindd_cli_state *state)   
1715 {   
....   
....   
1757         if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)   
1758                 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {   
1759                 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",   
1760                           state->request.data.auth_crap.lm_resp_len,   
1761                           state->request.data.auth_crap.nt_resp_len));   
1762                 result = NT_STATUS_INVALID_PARAMETER;   
1763                 goto done;   
1764         }   
1765


The helper was copying the Base64-Decoded NTLM section into a structure nt_resp which was of type FSTRING, which relies on the following header:


/usr/src/samba-3.0.28/source/include/pstring.h, line 29
#define FSTRING_LEN 256


The NTLM(v2) part of the NTLMSSP Auth packet was 264 bytes, and didn't fit into the 256-byte buffer, got truncated and rejected as invalid!!



On my customer site, I got round this by hacking squid to remove AV_PAIR's 3&4 (FQDN of workstation and domain) to truncate the NT_RESP part to <256.
Comment 1 Jamie Stallwood 2008-11-02 05:57:02 UTC 
Created attachment 3706 [details]
NTLMSSP packet data
Comment 2 Kai Blin 2008-11-04 01:03:18 UTC 
Looking into this. I'm not sure what the best fix for this would be, yet.
Comment 3 Kai Blin 2008-11-05 13:42:03 UTC 
Hm, tricky. I was hoping to stash the blob in the "extra_data" field if it's too big to fit into an fstring, but that's already in use when called via ntlm_auth.

I'm not sure if there's any fix that's more elegant than your truncating in squid. :(
Comment 4 Kai Blin 2008-11-07 02:11:44 UTC 
Created attachment 3718 [details]
Proposed patch

Hi. This patch is the most elegant solution I came up with. Could you please check if this works for you?
Comment 5 Volker Lendecke 2008-11-07 02:27:29 UTC 
Before checking in, can you split off the reformatting?

Thanks,

Volker
Comment 6 Jamie Stallwood 2008-11-10 05:01:00 UTC 
Works for me.
Comment 7 Kai Blin 2008-11-10 06:16:46 UTC 
Great, I pushed the patch to the test branches for 3.0, 3.2 and 3.3 as well as to the development tree.

Thanks for catching this.