summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-09-16 14:37:20 +1000
committerAndrew Tridgell <tridge@samba.org>2010-09-16 21:09:17 +1000
commit6832d5e9334f93d2b41fa50580379a2381311748 (patch)
treec4cb065d6ca93f4f367a2329b14a6eac90d163af /source4/auth
parentd5a4e53ad8dd572b9469530dfcd37601e2905a88 (diff)
downloadsamba-6832d5e9334f93d2b41fa50580379a2381311748.tar.gz
samba-6832d5e9334f93d2b41fa50580379a2381311748.tar.bz2
samba-6832d5e9334f93d2b41fa50580379a2381311748.zip
libcli/auth/ntlmssp Be clear about talloc parents for session keys
The previous API was not clear as to who owned the returned session key. This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code, and avoids making allocations - we steal and zero instead. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 6e3cf8a8ff..8623c1da8e 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -149,6 +149,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state,
*/
static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
+ TALLOC_CTX *mem_ctx,
DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
@@ -188,11 +189,15 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
DEBUG(10, ("Got NT session key of length %u\n",
(unsigned)gensec_ntlmssp->server_info->user_session_key.length));
*user_session_key = gensec_ntlmssp->server_info->user_session_key;
+ talloc_steal(mem_ctx, user_session_key->data);
+ gensec_ntlmssp->server_info->user_session_key = data_blob_null;
}
if (gensec_ntlmssp->server_info->lm_session_key.length) {
DEBUG(10, ("Got LM session key of length %u\n",
(unsigned)gensec_ntlmssp->server_info->lm_session_key.length));
*lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
+ talloc_steal(mem_ctx, lm_session_key->data);
+ gensec_ntlmssp->server_info->lm_session_key = data_blob_null;
}
return nt_status;
}