From 6832d5e9334f93d2b41fa50580379a2381311748 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 16 Sep 2010 14:37:20 +1000
Subject: libcli/auth/ntlmssp Be clear about talloc parents for session keys
The previous API was not clear as to who owned the returned session key. This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code, and avoids making allocations - we steal and zero instead. Andrew Bartlett
Signed-off-by: Andrew Tridgell
---
 source4/auth/ntlmssp/ntlmssp_server.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'source4/auth/ntlmssp')
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 6e3cf8a8ff..8623c1da8e 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -149,6 +149,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state,
 */
 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
+ TALLOC_CTX *mem_ctx,
 DATA_BLOB *user_session_key,
 DATA_BLOB *lm_session_key)
 {
 struct gensec_ntlmssp_context *gensec_ntlmssp =
@@ -188,11 +189,15 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 DEBUG(10, ("Got NT session key of length %u\n",
 (unsigned)gensec_ntlmssp->server_info->user_session_key.length));
 *user_session_key = gensec_ntlmssp->server_info->user_session_key;
+ talloc_steal(mem_ctx, user_session_key->data);
+ gensec_ntlmssp->server_info->user_session_key = data_blob_null;
 }
 if (gensec_ntlmssp->server_info->lm_session_key.length) {
 DEBUG(10, ("Got LM session key of length %u\n",
 (unsigned)gensec_ntlmssp->server_info->lm_session_key.length));
 *lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
+ talloc_steal(mem_ctx, lm_session_key->data);
+ gensec_ntlmssp->server_info->lm_session_key = data_blob_null;
 }
 return nt_status;
 }
-- cgit
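Review bot: The doc comment that closes at the top of the first hunk (` */`, its body outside the hunk) is not updated for the new `mem_ctx` parameter, even though the commit's stated purpose is to make the talloc parent explicit; I would add `mem_ctx: talloc parent for the returned user_session_key->data and lm_session_key->data` and `on success server_info gives up its reference to both keys`. In the second hunk, assigning `data_blob_null` resets the pointer and length held in server_info but leaves the key bytes themselves untouched, so "zero" in the message means dropping the reference rather than wiping the secret; a comment such as `/* ownership moves to mem_ctx; server_info must no longer reference the key */` at each of the two `data_blob_null` assignments would stop a reader from assuming the key is scrubbed here. `talloc_steal` also presumes that `->data` is the start of its own talloc chunk rather than a pointer into a larger allocation, which is not visible in this hunk and is worth confirming against where server_info's session keys are filled in. The enclosing function body starts before the second hunk and both hunks belong to the same function.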