From 8e42a0c63c772731c4b756d8cd7db6a842a5f969 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 13 Jan 2006 23:08:20 +0000
Subject: r12919: Ensure we never 'extend' the session key length, or fill in past the length of the (possibly null) pointer. In reality this should come to us either 16 or 0 bytes in length, but this is the safest test. This is bug 3401 in Samba3, thanks to Yau Lam Yiu Andrew Bartlett (This used to be commit f3aa702944ed7086d93bf05075f910e7e4617d9c)
---
 source4/auth/ntlmssp/ntlmssp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'source4/auth')
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 9452ac3e96..2b20608c82 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -279,11 +279,15 @@ void ntlmssp_handle_neg_flags(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
 void ntlmssp_weaken_keys(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
 {
+	/* Nothing to weaken. We certainly don't want to 'extend' the length... */
+	if (!gensec_ntlmssp_state->session_key.length < 8) {
+		return;
+	}
+
 	/* Key weakening not performed on the master key for NTLM2 and does
 	   not occour for NTLM1.  Therefore we only need to do this for the
 	   LM_KEY.  */
-
 	if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
 		if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
-- 
cgit
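Review bot: The guard added at the top of ntlmssp_weaken_keys returns unconditionally, because `!gensec_ntlmssp_state->session_key.length < 8` parses as `(!length) < 8`, and `!length` is always 0 or 1, which is always less than 8. The length check the commit message describes is `if (gensec_ntlmssp_state->session_key.length < 8) {`, which rejects a NULL/empty key and any key too short to be weakened in place without extending it. As written, the NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_NEGOTIATE_128 branches below are dead code, so whatever weakening they perform is silently skipped, which presumably leaves this side with a different session key from a peer that does weaken rather than making the key any stronger. A compiler warning such as -Wlogical-not-parentheses would catch this pattern; the body of ntlmssp_weaken_keys continues outside the hunk.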