libcli/auth/ntlmssp Be clear about talloc parents for session keys

The previous API was not clear as to who owned the returned session key.
This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code,
and avoids making allocations - we steal and zero instead.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>

1 files changed, 5 insertions, 0 deletions

diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 6e3cf8a8ff..8623c1da8e 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -149,6 +149,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state,
  */
 
 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
+					    TALLOC_CTX *mem_ctx,
 					    DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
 	struct gensec_ntlmssp_context *gensec_ntlmssp =
@@ -188,11 +189,15 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 		DEBUG(10, ("Got NT session key of length %u\n",
 			   (unsigned)gensec_ntlmssp->server_info->user_session_key.length));
 		*user_session_key = gensec_ntlmssp->server_info->user_session_key;
+		talloc_steal(mem_ctx, user_session_key->data);
+		gensec_ntlmssp->server_info->user_session_key = data_blob_null;
 	}
 	if (gensec_ntlmssp->server_info->lm_session_key.length) {
 		DEBUG(10, ("Got LM session key of length %u\n",
 			   (unsigned)gensec_ntlmssp->server_info->lm_session_key.length));
 		*lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
+		talloc_steal(mem_ctx, lm_session_key->data);
+		gensec_ntlmssp->server_info->lm_session_key = data_blob_null;
 	}
 	return nt_status;
 }