From: Gary Lockyer Date: Thu, 24 Sep 2020 01:35:47 +0000 (+1200) Subject: CVE-2020-1472(ZeroLogon): rpc_server/netlogon: Fix confounder check X-Git-Tag: talloc-2.3.2~254 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9b6abf18b873ee83194405719fe993b8fb2073a;p=thirdparty%2Fsamba.git CVE-2020-1472(ZeroLogon): rpc_server/netlogon: Fix confounder check Add check for zero length confounder, to allow setting of passwords 512 bytes long. This does not need to be backported, as it is extremely unlikely that anyone is using 512 byte passwords. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett --- diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index c217fee9c43..3a80d4f56b0 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1524,7 +1524,7 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, confounder_len = 512 - new_password.length; enc_blob = data_blob_const(r->in.new_password->data, confounder_len); dec_blob = data_blob_const(password_buf.data, confounder_len); - if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { + if (confounder_len > 0 && data_blob_cmp(&dec_blob, &enc_blob) == 0) { DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n", confounder_len); TALLOC_FREE(creds); diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 0c5ed1f0665..ac8f2eab657 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -909,7 +909,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal confounder_len = 512 - new_password.length; enc_blob = data_blob_const(r->in.new_password->data, confounder_len); dec_blob = data_blob_const(password_buf.data, confounder_len); - if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { + if (confounder_len > 0 && data_blob_cmp(&dec_blob, &enc_blob) == 0) { DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n", confounder_len); return NT_STATUS_WRONG_PASSWORD;