The security defects addressed in these fixes are described at https://www.samba.org/samba/history/samba-4.16.11.html PR: 273595 Approved by: maintainer timeout
From d2a03a12c607e00654b21a91d487c3408b394eaf Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Thu, 24 Feb 2022 17:48:27 +0100
Subject: [PATCH 01/21] CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks
to parent process
The winbindd_dual_pam_auth_crap() function will be converted to a local
RPC call handler and it won't receive a winbindd_cli_state struct. Move
the checks accessing this struct to the parent.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374)
---
source3/winbindd/winbindd_pam.c | 12 ------------
source3/winbindd/winbindd_pam_auth_crap.c | 12 ++++++++++++
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 59dd18e27b8..9e799b3a191 100644
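--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2698,18 +2698,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
 name_domain, name_user));
 
- if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
- || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
- if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
- state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
- DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
- state->request->data.auth_crap.lm_resp_len,
- state->request->data.auth_crap.nt_resp_len));
- result = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
- }
-
 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
 state->request->data.auth_crap.lm_resp_len);
 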
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
index 40cab81b5ea..310d50fdde2 100644
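--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
@@ -138,6 +138,18 @@ struct tevent_req *winbindd_pam_auth_crap_send(
 fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
 }
 
+ if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
+ || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
+ if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+ request->extra_len != request->data.auth_crap.nt_resp_len) {
+ DBG_ERR("Invalid password length %u/%u\n",
+ request->data.auth_crap.lm_resp_len,
+ request->data.auth_crap.nt_resp_len);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ }
+
 subreq = wb_domain_request_send(state, global_event_context(), domain,
 request);
 if (tevent_req_nomem(subreq, req)) {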
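Review bot: The combined guard added in winbindd_pam_auth_crap_send() lets an oversized `lm_resp_len` through whenever `WBFLAG_BIG_NTLMV2_BLOB` is set and `extra_len` equals `nt_resp_len`, because the big-blob exception covers both halves of the `||`. The winbindd_pam.c section shows the child then passing `lm_resp_len` to `data_blob_talloc()` over the fixed-size `lm_resp` field, so that length needs its own bound. I would reject `request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)` unconditionally, using the same `tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); return tevent_req_post(req, ev);`, and keep the flag/`extra_len` exception for `nt_resp_len` only. This is patch 01/21, so a later patch in the series may already do this, but none is visible here. The function body starts and ends outside the hunk.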
--
2.41.0