From 36112a442fd851d79fef847bf75d570454116df8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 26 Jul 2011 14:11:56 +1000
Subject: s3-smbd Ensure we do not read past the end of a possible NTLMSSP blob
Signed-off-by: Andrew Tridgell
---
 source3/smbd/sesssetup.c | 2 +-
 source3/smbd/smb2_sesssetup.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 683f6b2c15..54c469c25a 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -1154,7 +1154,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 return;
 }
- if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) {
+ if (blob1.length > 7 && strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) {
 DATA_BLOB chal;
 if (!vuser->auth_ntlmssp_state) {
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 45acff2778..a3283117b4 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -758,7 +758,7 @@ static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
 out_session_flags,
 out_security_buffer,
 out_session_id);
- } else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
+ } else if (in_security_buffer.length > 7 && strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
 return smbd_smb2_raw_ntlmssp_auth(session,
 smb2req,
 in_security_mode,
-- cgit
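Review bot: The new guard in `reply_sesssetup_and_X_spnego` requires `blob1.length > 7` while the `strncmp` beside it reads at most 7 bytes, so the threshold and the compare length disagree with no explanation in the code. If the intent is to require room for the NUL that ends the 8-byte NTLMSSP signature, the condition should check that byte too, e.g. `if (blob1.length >= 8 && memcmp(blob1.data, "NTLMSSP", 8) == 0) {`; otherwise add a comment such as `/* need the 7-byte tag plus at least one byte of message */`. The same condition is repeated with `in_security_buffer` in `smbd_smb2_session_setup` (smb2_sesssetup.c), so a small shared helper taking a `DATA_BLOB` would keep the two call sites in step. This check only bounds the prefix comparison; the NTLMSSP handlers it dispatches to are outside both hunks, so whether they validate the remaining field lengths cannot be confirmed from here.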