From: Ralph Boehme Date: Fri, 16 Jun 2023 10:28:47 +0000 (+0200) Subject: CVE-2022-2127: ntlm_auth: cap lanman response length value X-Git-Tag: samba-4.18.5~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b09567397c2f394ca224c189cfbb1bee9688a96f;p=thirdparty%2Fsamba.git CVE-2022-2127: ntlm_auth: cap lanman response length value We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the lm_resp buffer, but we don't cap the length indicator. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 Signed-off-by: Ralph Boehme --- diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 34f96526d3f..30b31e80576 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -575,10 +575,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username, memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8)); if (lm_response && lm_response->length) { + size_t capped_lm_response_len = MIN( + lm_response->length, + sizeof(request.data.auth_crap.lm_resp)); + memcpy(request.data.auth_crap.lm_resp, lm_response->data, - MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp))); - request.data.auth_crap.lm_resp_len = lm_response->length; + capped_lm_response_len); + request.data.auth_crap.lm_resp_len = capped_lm_response_len; } if (nt_response && nt_response->length) {
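Review bot: capping `lm_resp_len` to `sizeof(request.data.auth_crap.lm_resp)` closes the mismatch between bytes copied and length reported, but the hunk silently truncates rather than rejects. An LM response longer than the fixed buffer is malformed client input; passing a truncated response on to winbind will fail authentication anyway and hides the cause from the operator. Consider returning `NT_STATUS_INVALID_PARAMETER` from `contact_winbind_auth_crap()` when `lm_response->length > sizeof(request.data.auth_crap.lm_resp)`, or at least emitting a DEBUG line when `capped_lm_response_len != lm_response->length`, so the condition is observable. The hunk's trailing context opens the `nt_response` branch; please confirm it applies the same cap to `nt_resp_len`, since the original defect (copying `MIN(length, sizeof(buf))` bytes but storing the uncapped `length`) is the same pattern one line below.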