From: Amos Jeffries Date: Wed, 9 Sep 2015 16:36:42 +0000 (-0700) Subject: Bug 3618: ntlm_smb_lm_auth rejects correct passwords X-Git-Tag: SQUID_3_5_9~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e629fd95d9d8b49d3728a00876985e0da2d8dc66;p=thirdparty%2Fsquid.git Bug 3618: ntlm_smb_lm_auth rejects correct passwords
---
diff --git a/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc b/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
index 0b4efccfcd..756c8ca1de 100644
--- a/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
+++ b/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
@@ -246,12 +246,21 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
     memcpy(user, tmp.str, tmp.l);
     *(user + tmp.l) = '\0';
 
-    /* Authenticating against the NT response doesn't seem to work... */
-    tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, auth->flags);
-    if (tmp.str == NULL || tmp.l == 0) {
-        fprintf(stderr, "No auth at all. Returning no-auth\n");
-        ntlm_errno = NTLM_ERR_LOGON;
-        return NULL;
+    // grab the *response blobs. these are fixed length 24 bytes of binary
+    const ntlmhdr *packet = &(auth->hdr);
+    {
+        const strhdr * str = &auth->lmresponse;
+
+        int16_t len = le16toh(str->len);
+        int32_t offset = le32toh(str->offset);
+
+        if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
+            debug("LM response: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", auth_length, len, offset);
+            ntlm_errno = NTLM_ERR_LOGON;
+            return NULL;
+        }
+        tmp.str = (char *)packet + offset;
+        tmp.l = len;
     }
     if (tmp.l > MAX_PASSWD_LEN) {
         debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
@@ -259,6 +268,7 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
         return NULL;
     }
 
+    /* Authenticating against the NT response doesn't seem to work... in SMB LM helper. */
     memcpy(pass, tmp.str, tmp.l);
     pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
 
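Review bot: The new bounds check on the LM response blob, `if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0)`, never rejects a negative offset: `offset` is a signed int32_t taken from the client-supplied packet, so a value with the top bit set passes both tests and `tmp.str = (char *)packet + offset` then points outside the packet, after which the memcpy into `pass` and the memcmp against the empty-password hash read 24 bytes from there. `offset + len` can also overflow for offsets near INT32_MAX, which is undefined behaviour and in practice wraps to a negative value that again passes the check. Rejecting the sign and comparing without the addition closes both gaps: `if (len != ENCODED_PASS_LEN || offset <= 0 || offset > auth_length - len) {`. The NT response block in the third hunk (`@@ -272,8 +282,20 @@`) copies the same condition and needs the same change. ntlm_check_auth begins and ends outside this hunk.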
@@ -272,8 +282,20 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
         return NULL;
     }
 
-    tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->ntresponse, auth->flags);
-    if (tmp.str != NULL && tmp.l != 0) {
+    /* still fetch the NT response and check validity against empty password */
+    {
+        const strhdr * str = &auth->ntresponse;
+        int16_t len = le16toh(str->len);
+        int32_t offset = le32toh(str->offset);
+
+        if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
+            debug("NT response: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", auth_length, len, offset);
+            ntlm_errno = NTLM_ERR_LOGON;
+            return NULL;
+        }
+        tmp.str = (char *)packet + offset;
+        tmp.l = len;
+
         debug("Empty NT pass detection: user: '%s', ours:'%s', his: '%s' (length: %d)\n", user,ntencoded_empty_pass,tmp.str,tmp.l);
         if (memcmp(tmp.str,lmencoded_empty_pass,ENCODED_PASS_LEN)==0) {
@@ -284,8 +306,6 @@ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
     }
 #endif
 
-    /* TODO: check against empty password!!!!! */
-
     debug("checking domain: '%s', user: '%s', pass='%s'\n", domain, user, pass);
     rv = SMB_Logon_Server(handle, user, pass, domain, 1);