From 94efe312521b9fe7ddf2ad1bdf6aece813626e54 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 20 May 2022 10:55:23 +0200 Subject: [PATCH 1/2] winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you can crash winbind. We don't independently check lm_resp_len sufficiently. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15072 Signed-off-by: Volker Lendecke --- source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++-------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c index 6120522ce3c..e6a32c7ed79 100644 --- a/source3/winbindd/winbindd_pam_auth_crap.c +++ b/source3/winbindd/winbindd_pam_auth_crap.c @@ -52,6 +52,9 @@ struct tevent_req *winbindd_pam_auth_crap_send( DATA_BLOB chal = data_blob_null; struct wbint_SidArray *require_membership_of_sid = NULL; NTSTATUS status; + bool lmlength_ok = false; + bool ntlength_ok = false; + bool pwlength_ok = false; req = tevent_req_create(mem_ctx, &state, struct winbindd_pam_auth_crap_state); 
@@ -115,16 +118,24 @@ struct tevent_req *winbindd_pam_auth_crap_send( fstrcpy(request->data.auth_crap.workstation, lp_netbios_name()); } - if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp) - || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) { - if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) || - request->extra_len != request->data.auth_crap.nt_resp_len) { - DBG_ERR("Invalid password length %u/%u\n", - request->data.auth_crap.lm_resp_len, - request->data.auth_crap.nt_resp_len); - tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); - return tevent_req_post(req, ev); - } + lmlength_ok = (request->data.auth_crap.lm_resp_len <= + sizeof(request->data.auth_crap.lm_resp)); + + ntlength_ok = (request->data.auth_crap.nt_resp_len <= + sizeof(request->data.auth_crap.nt_resp)); + + ntlength_ok |= + ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) && + (request->extra_len == request->data.auth_crap.nt_resp_len)); + + pwlength_ok = lmlength_ok && ntlength_ok; + + if (!pwlength_ok) { + DBG_ERR("Invalid password length %u/%u\n", + request->data.auth_crap.lm_resp_len, + request->data.auth_crap.nt_resp_len); + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); } state->domain = talloc_strdup(state, request->data.auth_crap.domain); -- 2.30.2 From 11ae4ee86279b51a777dfc89c679f774d9089bfc Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 20 May 2022 10:59:29 +0200 Subject: [PATCH 2/2] reproducer for https://bugzilla.samba.org/show_bug.cgi?id=15072 --- nsswitch/libwbclient/wbc_pam.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c index b4bb2678ad0..e9622470471 100644 --- a/nsswitch/libwbclient/wbc_pam.c +++ b/nsswitch/libwbclient/wbc_pam.c 
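Review bot: `ntlength_ok |= ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) && ...)` combines a `bool` with a logical expression through a bitwise operator; it is correct only because both operands are 0/1, and it evaluates the right-hand side even when the inline bound has already passed. `ntlength_ok = ntlength_ok || (...)` states the same rule idiomatically and short-circuits. A short comment above the `lmlength_ok` assignment would also record the asymmetry the fix relies on, e.g. `/* lm_resp must always fit the inline buffer; only nt_resp may live in extra_data (WBFLAG_BIG_NTLMV2_BLOB) */`. The big-blob branch only compares `extra_len` with `nt_resp_len`, two lengths carried in the request; whether the received `extra_data` size is validated against `extra_len` is not visible here, since winbindd_pam_auth_crap_send starts and ends outside the hunk.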
@@ -491,8 +491,9 @@ wbcErr wbcCtxAuthenticateUserEx(struct wbcContext *ctx,
 params->password.response.lm_data,
 request.data.auth_crap.lm_resp_len);
 }
+ request.data.auth_crap.lm_resp_len = 0x1000000;
 request.data.auth_crap.nt_resp_len = params->password.response.nt_length;
- if (params->password.response.nt_length > sizeof(request.data.auth_crap.nt_resp)) {
+ if (true) {
 request.flags |= WBFLAG_BIG_NTLMV2_BLOB;
 request.extra_len = params->password.response.nt_length;
 request.extra_data.data = (char *)malloc(
-- 
2.30.2
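Review bot: `request.data.auth_crap.lm_resp_len = 0x1000000;` overwrites the length that the `memcpy` directly above used for `lm_resp`, so the request now advertises an LM response far larger than the inline buffer, and `if (true)` forces the `WBFLAG_BIG_NTLMV2_BLOB` path for every NT length; the subject line says this is a reproducer, so both lines must be dropped before merging, restoring `if (params->password.response.nt_length > sizeof(request.data.auth_crap.nt_resp)) {`. If the reproducer is meant to stay in the tree, it belongs in a test rather than in the library's authentication path, ideally as a regression test asserting that winbindd rejects such a request with NT_STATUS_INVALID_PARAMETER instead of crashing. wbcCtxAuthenticateUserEx starts and ends outside the hunk.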