authorAndrew Bartlett <abartlet@samba.org>2006-01-13 23:08:20 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:03 -0500
commit8e42a0c63c772731c4b756d8cd7db6a842a5f969 (patch)
tree9556c7e94cb552437295ba4330cd4fa670bb8a4e
parent5d9f51064444f6d41f4e4c3766afdd77cd96b9e3 (diff)
r12919: Ensure we never 'extend' the session key length, or fill in past the
length of the (possibly null) pointer. In reality this should come to us either 16 or 0 bytes in length, but this is the safest test. This is bug 3401 in Samba3, thanks to Yau Lam Yiu <yiuext at cs.ust.hk> Andrew Bartlett (This used to be commit f3aa702944ed7086d93bf05075f910e7e4617d9c)
-rw-r--r--source4/auth/ntlmssp/ntlmssp.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 9452ac3e96..2b20608c82 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -279,11 +279,15 @@ void ntlmssp_handle_neg_flags(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
void ntlmssp_weaken_keys(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
{
+ /* Nothing to weaken. We certainly don't want to 'extend' the length... */
+ if (!gensec_ntlmssp_state->session_key.length < 8) {
+ return;
+ }
+
/* Key weakening not performed on the master key for NTLM2
and does not occour for NTLM1. Therefore we only need
to do this for the LM_KEY.
*/
-
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
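Review bot: The added guard `if (!gensec_ntlmssp_state->session_key.length < 8)` does not compare the length with 8, because `!` binds tighter than `<`: it evaluates `(!length) < 8`, i.e. 0 or 1 compared with 8, which is always true. As written, ntlmssp_weaken_keys() returns before the LM_KEY branch for every session key, so whatever weakening the rest of the function performs is never applied. That does keep the function from writing past a short or NULL key, but only by disabling it entirely. The intended test is presumably `if (gensec_ntlmssp_state->session_key.length < 8) {`. The function body continues past the end of the hunk, so the writes this guard is meant to protect are not visible here; building with `-Wlogical-not-parentheses` would flag this pattern.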