From: Stefan Metzmacher Date: Tue, 24 Nov 2015 20:24:47 +0000 (+0100) Subject: CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get... X-Git-Tag: samba-4.2.10~197 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d783b781675fe25f3d4326721c9ee3c5359ec62;p=thirdparty%2Fsamba.git CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response() If we clear CLI_CRED_LANMAN_AUTH and we should also clear the lm_response buffer and don't send it over the net. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c index 8c6be395226..cf152fc49f5 100644 --- a/auth/credentials/credentials_ntlm.c +++ b/auth/credentials/credentials_ntlm.c @@ -110,6 +110,12 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred /* LM Key is incompatible... */ *flags &= ~CLI_CRED_LANMAN_AUTH; + if (lm_response.length != 0) { + /* + * We should not expose the lm key. + */ + memset(lm_response.data, 0, lm_response.length); + } } else if (*flags & CLI_CRED_NTLM2) { MD5_CTX md5_session_nonce_ctx; uint8_t session_nonce[16];
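Review bot: the memset in this hunk wipes lm_response.data but leaves lm_response.length untouched, so a non-empty (all-zero) LM response blob can still be handed to the caller and emitted on the wire, which is only half of what the commit message promises ("clear the lm_response buffer and don't send it over the net"). Unless every caller is known to drop the blob once CLI_CRED_LANMAN_AUTH is cleared, set lm_response.length = 0 after the wipe (or replace the memset with a helper that wipes and releases the blob, e.g. data_blob_clear_free(&lm_response), assuming that helper is what this file already uses), so that the zeroed bytes are neither sent nor left allocated. The added comment "We should not expose the lm key." is also loose: the blob being wiped is the LMv2 response, not the LM key, and the comment should say which, since the two are different secrets.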