CVE-2022-2127: ntlm_auth: cap lanman response length value

author Ralph Boehme <slow@samba.org>

Fri, 16 Jun 2023 10:28:47 +0000 (12:28 +0200)

committer Jule Anger <janger@samba.org>

Fri, 14 Jul 2023 13:16:16 +0000 (15:16 +0200)
author Ralph Boehme <slow@samba.org>
Fri, 16 Jun 2023 10:28:47 +0000 (12:28 +0200)
committer Jule Anger <janger@samba.org>
Fri, 14 Jul 2023 13:16:16 +0000 (15:16 +0200)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c

index ceb22e597f7bc50847f049e8eda4f04d011fef1c..8ce453f4b924cefc0fdf7755cfbc898d1e62400e 100644 (file)
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -576,10 +576,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
         memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
  
         if (lm_response && lm_response->length) {
+               size_t capped_lm_response_len = MIN(
+                       lm_response->length,
+                       sizeof(request.data.auth_crap.lm_resp));
+
                 memcpy(request.data.auth_crap.lm_resp,
                        lm_response->data,
-                      MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
-               request.data.auth_crap.lm_resp_len = lm_response->length;
+                      capped_lm_response_len);
+               request.data.auth_crap.lm_resp_len = capped_lm_response_len;
         }
  
         if (nt_response && nt_response->length) {
author	Ralph Boehme <slow@samba.org>
	Fri, 16 Jun 2023 10:28:47 +0000 (12:28 +0200)
committer	Jule Anger <janger@samba.org>
	Fri, 14 Jul 2023 13:16:16 +0000 (15:16 +0200)