diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-09-16 14:37:20 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-09-16 21:09:17 +1000 |
commit | 6832d5e9334f93d2b41fa50580379a2381311748 (patch) | |
tree | c4cb065d6ca93f4f367a2329b14a6eac90d163af /source4/auth | |
parent | d5a4e53ad8dd572b9469530dfcd37601e2905a88 (diff) | |
download | samba-6832d5e9334f93d2b41fa50580379a2381311748.tar.gz samba-6832d5e9334f93d2b41fa50580379a2381311748.tar.bz2 samba-6832d5e9334f93d2b41fa50580379a2381311748.zip |
libcli/auth/ntlmssp Be clear about talloc parents for session keys
The previous API was not clear as to who owned the returned session key.
This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code,
and avoids making allocations - we steal and zero instead.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_server.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index 6e3cf8a8ff..8623c1da8e 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c @@ -149,6 +149,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, */ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *mem_ctx, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) { struct gensec_ntlmssp_context *gensec_ntlmssp = @@ -188,11 +189,15 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DEBUG(10, ("Got NT session key of length %u\n", (unsigned)gensec_ntlmssp->server_info->user_session_key.length)); *user_session_key = gensec_ntlmssp->server_info->user_session_key; + talloc_steal(mem_ctx, user_session_key->data); + gensec_ntlmssp->server_info->user_session_key = data_blob_null; } if (gensec_ntlmssp->server_info->lm_session_key.length) { DEBUG(10, ("Got LM session key of length %u\n", (unsigned)gensec_ntlmssp->server_info->lm_session_key.length)); *lm_session_key = gensec_ntlmssp->server_info->lm_session_key; + talloc_steal(mem_ctx, lm_session_key->data); + gensec_ntlmssp->server_info->lm_session_key = data_blob_null; } return nt_status; } |