rpccli_samr_chng_pswd_auth_crap does an unconditional memcpy upon entry:

    memcpy(&new_nt_password.data, new_nt_password_blob.data, 516);
    memcpy(&new_lm_password.data, new_lm_password_blob.data, 516);
    memcpy(&old_nt_hash_enc.hash, old_nt_hash_enc_blob.data, 16);
    memcpy(&old_lm_hash_enc.hash, old_lm_hash_enc_blob.data, 16);

However, some combination of the blobs may be NULL, for example new_lm_password_blob or old_lm_hash_enc_blob, if you are processing an MS-CHAPv2 password change. It ought (I believe?) to be possible to call the underlying rpccli_samr_ChangePasswordUser2 with null LM passwords?

You can reproduce this easily with "ntlm_auth --helper-protocol=ntlm-change-password-1" and giving the input:

    username: x
    nt-domain: y
    new-nt-password-blob:: <516 bytes, encoded as 1032 hex, encoded again as base64>
    old-nt-hash-blob:: <16 bytes, encoded as 32 hex, encoded again as base64>
    .

...and watch the winbind child process crash.
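Added example, not Samba's code: a guarded version of the unpack step described above, showing the defensive pattern the report calls for. The NT blobs are required, the LM blobs are optional (an MS-CHAPv2 change carries none), and every copy checks that the blob is present and exactly the expected size before memcpy runs. The struct names, the pointer-based calling convention and the demo inputs are assumptions made for this example, not Samba's definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-ins for Samba's DATA_BLOB and the password structures.
 * These are assumptions for this example, not Samba's own definitions. */
struct blob { uint8_t *data; size_t length; };
struct crypt_pw { uint8_t data[516]; };
struct hash16 { uint8_t hash[16]; };

struct pw_change {
    struct crypt_pw new_nt_password;
    struct hash16 old_nt_hash_enc;
    struct crypt_pw new_lm_password;
    struct hash16 old_lm_hash_enc;
    bool has_lm;   /* true only if both LM blobs were supplied */
};

/* Copy exactly `want` bytes from blob into dst; return false if the blob
 * is absent or the wrong size instead of reading through a NULL pointer. */
static bool copy_blob(void *dst, const struct blob *b, size_t want) {
    if (b == NULL || b->data == NULL || b->length != want) return false;
    memcpy(dst, b->data, want);
    return true;
}

/* Returns 0 on success, -1 if a required (NT) blob is missing or malformed.
 * LM blobs are optional: they are copied only when both are present,
 * otherwise has_lm stays false and the LM buffers stay zeroed. */
int unpack_pw_change(struct pw_change *out,
                     const struct blob *new_nt, const struct blob *old_nt,
                     const struct blob *new_lm, const struct blob *old_lm) {
    memset(out, 0, sizeof(*out));
    if (!copy_blob(out->new_nt_password.data, new_nt, 516)) return -1;
    if (!copy_blob(out->old_nt_hash_enc.hash, old_nt, 16)) return -1;
    if (new_lm != NULL && new_lm->data != NULL &&
        old_lm != NULL && old_lm->data != NULL) {
        if (!copy_blob(out->new_lm_password.data, new_lm, 516)) return -1;
        if (!copy_blob(out->old_lm_hash_enc.hash, old_lm, 16)) return -1;
        out->has_lm = true;
    }
    return 0;
}

/* Constructed scenario mirroring the report: NT blobs present, LM absent.
 * Returns 0 when the NT data was copied and no LM data was claimed. */
int demo_mschapv2_change(void) {
    static uint8_t nt_pw[516], nt_hash[16];
    memset(nt_pw, 0xAA, sizeof nt_pw);
    memset(nt_hash, 0xBB, sizeof nt_hash);
    struct blob new_nt = { nt_pw, sizeof nt_pw };
    struct blob old_nt = { nt_hash, sizeof nt_hash };
    struct pw_change pc;
    int rc = unpack_pw_change(&pc, &new_nt, &old_nt, NULL, NULL);
    if (rc != 0 || pc.has_lm) return -1;
    return (pc.new_nt_password.data[0] == 0xAA &&
            pc.old_nt_hash_enc.hash[15] == 0xBB) ? 0 : -1;
}

/* Constructed: the new-nt-password blob is absent entirely. The unguarded
 * original would dereference NULL here; this version reports -1 instead. */
int demo_missing_nt_blob(void) {
    static uint8_t nt_hash[16];
    struct blob old_nt = { nt_hash, sizeof nt_hash };
    struct pw_change pc;
    return unpack_pw_change(&pc, NULL, &old_nt, NULL, NULL);
}

/* Constructed: NT blob present but shorter than the 516 bytes a blind
 * memcpy would read, so the length check must reject it. */
int demo_short_nt_blob(void) {
    static uint8_t short_pw[100], nt_hash[16];
    struct blob new_nt = { short_pw, sizeof short_pw };
    struct blob old_nt = { nt_hash, sizeof nt_hash };
    struct pw_change pc;
    return unpack_pw_change(&pc, &new_nt, &old_nt, NULL, NULL);
}
```

The length check is as important as the NULL check: a caller that passes a non-NULL but undersized blob would otherwise cause an over-read of the same kind the crash exposes, so the helper treats "absent" and "wrong size" identically.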
Created attachment 6413: git-am fix for 3.5.next

Can you test this patch please to see if it fixes the problem? Thanks, Jeremy.
Created attachment 6416: Patch

Jeremy, this ports the checks 1:1 to master. Please review & push if you like it. Thanks, Volker
I already pushed a similar fix to master and v3-6-test, thanks! Jeremy.
Pushed to v3-5-test. Closing out bug report. Thanks!