The Samba-Bugzilla – Bug 8088
rpccli_samr_chng_pswd_auth_crap segfaults if any input blobs are null
Last modified: 2011-08-31 20:56:47 UTC
rpccli_samr_chng_pswd_auth_crap does an unconditional memcpy:
memcpy(&new_nt_password.data, new_nt_password_blob.data, 516);
memcpy(&new_lm_password.data, new_lm_password_blob.data, 516);
memcpy(&old_nt_hash_enc.hash, old_nt_hash_enc_blob.data, 16);
memcpy(&old_lm_hash_enc.hash, old_lm_hash_enc_blob.data, 16);
...upon entry. However, some combination of the blobs may be NULL, for example new_lm_password_blob or old_lm_hash_enc_blob, if you are processing an MS-CHAPv2 password change.
It ought (I believe?) be possible to call the underlying rpccli_samr_ChangePasswordUser2 with null LM passwords?
You can reproduce this easily with "ntlm_auth --helper-protocol=ntlm-change-password-1" and giving the input:
new-nt-password-blob:: <516 bytes, encoded as 1032 hex, encoded again as base64>
old-nt-hash-blob:: <16 bytes, encoded as 32 hex, encoded again as base64>
...and watch the winbind child process crash.
Created attachment 6413 [details]
git-am fix for 3.5.next
Can you test this patch please to see if it fixes the problem ?
Created attachment 6416 [details]
Jeremy, this ports the checks 1:1 to master. Please review & push if you like it.
I already pushed a similar for to master and v3-6-test, thanks !
Pushed to v3-5-test.
Closing out bug report.