Bug 3618: ntlm_smb_lm_auth rejects correct passwords

diff --git a/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc b/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
index 8f3145de9416264944bd57a0f1a29fd7765ac0d1..d5a05855b915e5a1513d2e2d10c4d5fa61f7e224 100644 (file)
--- a/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
+++ b/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
@@ -262,12 +262,21 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
     memcpy(user, tmp.str, tmp.l);
     *(user + tmp.l) = '\0';
 
-    /* Authenticating against the NT response doesn't seem to work... */
-    tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, auth->flags);
-    if (tmp.str == NULL || tmp.l == 0) {
-        fprintf(stderr, "No auth at all. Returning no-auth\n");
-        ntlm_errno = NTLM_ERR_LOGON;
-        return NULL;
+    // grab the *response blobs. these are fixed length 24 bytes of binary
+    const ntlmhdr *packet = &(auth->hdr);
+    {
+        const strhdr * str = &auth->lmresponse;
+
+        int16_t len = le16toh(str->len);
+        int32_t offset = le32toh(str->offset);
+
+        if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
+            debug("LM response: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", auth_length, len, offset);
+            ntlm_errno = NTLM_ERR_LOGON;
+            return NULL;
+        }
+        tmp.str = (char *)packet + offset;
+        tmp.l = len;
     }
     if (tmp.l > MAX_PASSWD_LEN) {
         debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
@@ -275,6 +284,7 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
         return NULL;
     }
 
+    /* Authenticating against the NT response doesn't seem to work... in SMB LM helper. */
     memcpy(pass, tmp.str, tmp.l);
     pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
 
@@ -288,8 +298,20 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
         return NULL;
     }
 
-    tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->ntresponse, auth->flags);
-    if (tmp.str != NULL && tmp.l != 0) {
+    /* still fetch the NT response and check validity against empty password */
+    {
+        const strhdr * str = &auth->ntresponse;
+        int16_t len = le16toh(str->len);
+        int32_t offset = le32toh(str->offset);
+
+        if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
+            debug("NT response: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", auth_length, len, offset);
+            ntlm_errno = NTLM_ERR_LOGON;
+            return NULL;
+        }
+        tmp.str = (char *)packet + offset;
+        tmp.l = len;
+
         debug("Empty NT pass detection: user: '%s', ours:'%s', his: '%s' (length: %d)\n",
               user,ntencoded_empty_pass,tmp.str,tmp.l);
         if (memcmp(tmp.str,lmencoded_empty_pass,ENCODED_PASS_LEN)==0) {
@@ -300,8 +322,6 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
     }
 #endif
 
-    /* TODO: check against empty password!!!!! */
-
     debug("checking domain: '%s', user: '%s', pass='%s'\n", domain, user, pass);
 
     rv = SMB_Logon_Server(handle, user, pass, domain, 1);