Add check for zero length confounder, to allow setting of passwords 512
bytes long. This does not need to be backported, as it is extremely
unlikely that anyone is using 512 byte passwords.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
confounder_len = 512 - new_password.length;
enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
dec_blob = data_blob_const(password_buf.data, confounder_len);
- if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
+ if (confounder_len > 0 && data_blob_cmp(&dec_blob, &enc_blob) == 0) {
DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
confounder_len);
TALLOC_FREE(creds);
confounder_len = 512 - new_password.length;
enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
dec_blob = data_blob_const(password_buf.data, confounder_len);
- if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
+ if (confounder_len > 0 && data_blob_cmp(&dec_blob, &enc_blob) == 0) {
DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
confounder_len);
return NT_STATUS_WRONG_PASSWORD;