diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-01-13 23:08:20 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:51:03 -0500 |
commit | 8e42a0c63c772731c4b756d8cd7db6a842a5f969 (patch) | |
tree | 9556c7e94cb552437295ba4330cd4fa670bb8a4e /source4/auth/ntlmssp | |
parent | 5d9f51064444f6d41f4e4c3766afdd77cd96b9e3 (diff) | |
download | samba-8e42a0c63c772731c4b756d8cd7db6a842a5f969.tar.gz samba-8e42a0c63c772731c4b756d8cd7db6a842a5f969.tar.bz2 samba-8e42a0c63c772731c4b756d8cd7db6a842a5f969.zip |
r12919: Ensure we never 'extend' the session key length, or fill in past the
length of the (possibly null) pointer.
In reality this should come to us either 16 or 0 bytes in length, but
this is the safest test.
This is bug 3401 in Samba3, thanks to Yau Lam Yiu <yiuext at cs.ust.hk>
Andrew Bartlett
(This used to be commit f3aa702944ed7086d93bf05075f910e7e4617d9c)
Diffstat (limited to 'source4/auth/ntlmssp')
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index 9452ac3e96..2b20608c82 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c @@ -279,11 +279,15 @@ void ntlmssp_handle_neg_flags(struct gensec_ntlmssp_state *gensec_ntlmssp_state, void ntlmssp_weaken_keys(struct gensec_ntlmssp_state *gensec_ntlmssp_state) { + /* Nothing to weaken. We certainly don't want to 'extend' the length... */ + if (!gensec_ntlmssp_state->session_key.length < 8) { + return; + } + /* Key weakening not performed on the master key for NTLM2 and does not occour for NTLM1. Therefore we only need to do this for the LM_KEY. */ - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) { if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) { |