author | Andrew Bartlett <abartlet@samba.org> | 2006-10-23 06:06:35 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:21:37 -0500 |
commit | 95424817274295c56da3d3a5dc1ba3b2d75b0f8d (patch) | |
tree | 3894ecda4eb0c817b546e33d5fb16b97eddbc88f | |
parent | 5bfc0d63170521ad8d451ffcfbb30ee5b140dfbb (diff) | |
r19464: Reject passwords that cannot be converted into UCS2.
Andrew Bartlett
(This used to be commit c843fce7a0e9b91c4d2de44e7a9ad9599b33ec5c)
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 8 | ||||
-rw-r--r-- | source4/libcli/auth/smbencrypt.c | 10 |
2 files changed, 15 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index e6752716ab..506c17a5fd 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -1249,7 +1249,13 @@ _PUBLIC_ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ct
 if (E_deshash(new_pass, local_lmNewHash.hash)) {
 lmNewHash = &local_lmNewHash;
 }
- E_md4hash(new_pass, local_ntNewHash.hash);
+ if (!E_md4hash(new_pass, local_ntNewHash.hash)) {
+ /* If we can't convert this password to UCS2, then we should not accept it */
+ if (reject_reason) {
+ *reject_reason = SAMR_REJECT_OTHER;
+ }
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
 ntNewHash = &local_ntNewHash;
 }
diff --git a/source4/libcli/auth/smbencrypt.c b/source4/libcli/auth/smbencrypt.c
index 67da795a44..296d44f5d4 100644
--- a/source4/libcli/auth/smbencrypt.c
+++ b/source4/libcli/auth/smbencrypt.c
@@ -63,18 +63,24 @@ BOOL SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24])
 * @param p16 return password hashed with md4, caller allocated 16 byte buffer */
-void E_md4hash(const char *passwd, uint8_t p16[16])
+BOOL E_md4hash(const char *passwd, uint8_t p16[16])
 {
 int len;
 void *wpwd;
 len = push_ucs2_talloc(NULL, &wpwd, passwd);
- SMB_ASSERT(len >= 2);
+ if (len < 2) {
+ /* We don't want to return fixed data, as most callers
+ * don't check */
+ mdfour(p16, passwd, strlen(passwd));
+ return False;
+ }
 len -= 2;
 mdfour(p16, wpwd, len);
 talloc_free(wpwd);
+ return True;
 }
 /** |
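Review bot: The new rejection branch in samdb_set_password is silent, so a UCS2 conversion failure surfaces only as a generic NT_STATUS_PASSWORD_RESTRICTION with SAMR_REJECT_OTHER and cannot be told apart from a policy rejection. A log line that names the cause without the password itself would make this diagnosable, for example `DEBUG(2, ("samdb_set_password: new password could not be converted to UCS2\n"));` placed before the `if (reject_reason)` test. The branch also returns with `local_lmNewHash` already filled by the E_deshash call above it. Whether other exits in this function clear such stack buffers is not visible, because the function body starts and ends outside the hunk.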
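Review bot: The failure branch of E_md4hash writes an MD4 of the raw, unconverted password bytes into p16 and returns False, and the added comment itself says most callers do not check the result, so any caller not updated by this commit will keep using that value as though it were the NT hash. The doc comment above the function (it starts outside the hunk) should gain a return line such as `@return False if passwd cannot be converted to UCS2; p16 is then not a valid NT hash and must not be stored or compared`, and the remaining callers deserve an audit. Separately, `wpwd` is uninitialised and is not freed on the early return. If push_ucs2_talloc can return 0 or 1 with a buffer allocated, that path leaks it, which `void *wpwd = NULL;` plus `talloc_free(wpwd);` before `return False;` would cover.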