Bug 5865 - ntlm_auth helper rejects NTLMv2 with INVALID_PARAMETER if NTLM response part >256 bytes
ntlm_auth helper rejects NTLMv2 with INVALID_PARAMETER if NTLM response part ...
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool
x86 Linux
: P3 normal
: none
Assigned To: Andrew Bartlett
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2008-11-02 05:56 UTC by Jamie Stallwood
Modified: 2008-11-10 06:16 UTC (History)
1 user (show)

See Also:

NTLMSSP packet data (4.41 KB, text/plain)
2008-11-02 05:57 UTC, Jamie Stallwood
no flags Details
Proposed patch (5.12 KB, patch)
2008-11-07 02:11 UTC, Kai Blin
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jamie Stallwood 2008-11-02 05:56:17 UTC
Squid 3.0-STABLE9 and Samba 3.0.28 from CentOS 5 binary RPMs.
squid authenticating XP and Vista machines using NTLM: 
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

[2008/10/15 09:26:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)  Got NTLMSSP neg_flags=0xa208b207
[2008/10/15 09:26:07, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)  Got user=[YXXXXXXX] domain=[YXXXXXXX] workstation=[YXXXXXXX] len1=24 len2=264
[2008/10/15 09:26:07, 3] utils/ntlm_auth.c:winbind_pw_check(515)  Login for user [YXXXXXXX]\[YXXXXXXX]@[YXXXXXXX] failed due to [Invalid parameter]

Tracing back through the Samba code, I found this was the failure point:

1713 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,   
1714                                                  struct winbindd_cli_state *state)   
1715 {   
1757         if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)   
1758                 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {   
1759                 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",   
1760                           state->request.data.auth_crap.lm_resp_len,   
1761                           state->request.data.auth_crap.nt_resp_len));   
1762                 result = NT_STATUS_INVALID_PARAMETER;   
1763                 goto done;   
1764         }   

The helper was copying the Base64-Decoded NTLM section into a structure nt_resp which was of type FSTRING, which relies on the following header:

/usr/src/samba-3.0.28/source/include/pstring.h, line 29
#define FSTRING_LEN 256

The NTLM(v2) part of the NTLMSSP Auth packet was 264 bytes, and didn't fit into the 256-byte buffer, got truncated and rejected as invalid!!

On my customer site, I got round this by hacking squid to remove AV_PAIR's 3&4 (FQDN of workstation and domain) to truncate the NT_RESP part to <256.
Comment 1 Jamie Stallwood 2008-11-02 05:57:02 UTC
Created attachment 3706 [details]
NTLMSSP packet data
Comment 2 Kai Blin 2008-11-04 01:03:18 UTC
Looking into this. I'm not sure what the best fix for this would be, yet.
Comment 3 Kai Blin 2008-11-05 13:42:03 UTC
Hm, tricky. I was hoping to stash the blob in the "extra_data" field if it's too big to fit into an fstring, but that's already in use when called via ntlm_auth.

I'm not sure if there's any fix that's more elegant than your truncating in squid. :(
Comment 4 Kai Blin 2008-11-07 02:11:44 UTC
Created attachment 3718 [details]
Proposed patch

Hi. This patch is the most elegant solution I came up with. Could you please check if this works for you?
Comment 5 Volker Lendecke 2008-11-07 02:27:29 UTC
Before checking in, can you split off the reformatting?


Comment 6 Jamie Stallwood 2008-11-10 05:01:00 UTC
Works for me.
Comment 7 Kai Blin 2008-11-10 06:16:46 UTC
Great, I pushed the patch to the test branches for 3.0, 3.2 and 3.3 as well as to the development tree.

Thanks for catching this.