]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
CVE-2020-1472(ZeroLogon): rpc_server/netlogon: Fix confounder check
authorGary Lockyer <gary@catalyst.net.nz>
Thu, 24 Sep 2020 01:35:47 +0000 (13:35 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 16 Oct 2020 04:45:40 +0000 (04:45 +0000)
Add check for zero length confounder, to allow setting of passwords 512
bytes long. This does not need to be backported, as it is extremely
unlikely that anyone is using 512 byte passwords.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/rpc_server/netlogon/srv_netlog_nt.c
source4/rpc_server/netlogon/dcerpc_netlogon.c

index c217fee9c43c75a4557e3fd97a0d37091efc8af9..3a80d4f56b0d9a8f9e167506bce0d5974c1cfaa3 100644 (file)
@@ -1524,7 +1524,7 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
        confounder_len = 512 - new_password.length;
        enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
        dec_blob = data_blob_const(password_buf.data, confounder_len);
-       if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
+       if (confounder_len > 0 && data_blob_cmp(&dec_blob, &enc_blob) == 0) {
                DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
                            confounder_len);
                TALLOC_FREE(creds);
index 0c5ed1f06650b23b4463de91596b33b0113d3b6c..ac8f2eab657adab271fff8de17564a7c4ae58a13 100644 (file)
@@ -909,7 +909,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
        confounder_len = 512 - new_password.length;
        enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
        dec_blob = data_blob_const(password_buf.data, confounder_len);
-       if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
+       if (confounder_len > 0 && data_blob_cmp(&dec_blob, &enc_blob) == 0) {
                DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
                            confounder_len);
                return NT_STATUS_WRONG_PASSWORD;