From 452f0cd19b5274e12e8f54b88e377aee7d8ff8e6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 10 Mar 2021 16:12:12 +0100
Subject: [PATCH] libcli/smb: don't copy the key to a stack variable in smb2_signing_{encrypt,decrypt}_pdu()

The key size should always match now.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 libcli/smb/smb2_signing.c | 34 ++++++++++++++--------------------
 1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index a4effb8b31e..bfcd6ea233a 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -630,7 +630,6 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
 uint32_t iv_size = 0;
 uint32_t key_size = 0;
 size_t tag_size = 0;
- uint8_t _key[16] = {0};
 gnutls_cipher_algorithm_t algo = 0;
 gnutls_datum_t key;
 gnutls_datum_t iv;
@@ -679,19 +678,19 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
 key_size = gnutls_cipher_get_key_size(algo);
 tag_size = gnutls_cipher_get_tag_size(algo);
- if (key_size > sizeof(_key)) {
- return NT_STATUS_BUFFER_TOO_SMALL;
+ if (key_size != encryption_key->blob.length) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (tag_size != 16) {
+ return NT_STATUS_INTERNAL_ERROR;
 }
 key = (gnutls_datum_t) {
- .data = _key,
+ .data = encryption_key->blob.data,
 .size = key_size,
 };
- memcpy(key.data,
- encryption_key->blob.data,
- MIN(encryption_key->blob.length, key.size));
-
 iv = (gnutls_datum_t) {
 .data = tf + SMB2_TF_NONCE,
 .size = iv_size,
@@ -821,8 +820,6 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
 status = NT_STATUS_OK;
 out:
- ZERO_ARRAY(_key);
-
 return status;
 }
@@ -839,7 +836,6 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 uint32_t iv_size = 0;
 uint32_t key_size = 0;
 size_t tag_size = 0;
- uint8_t _key[16] = {0};
 gnutls_cipher_algorithm_t algo = 0;
 gnutls_datum_t key;
 gnutls_datum_t iv;
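Review bot: The `if (tag_size != 16)` guard added after the key-length check in smb2_signing_encrypt_pdu() uses a bare literal and is not mentioned in the commit message, so it is unclear which buffer it protects; the identical guard in the smb2_signing_decrypt_pdu() hunk has the same gap. A one-line comment above it would do, for example `/* the AEAD tag has to fit the 16-byte signature field of the transform header */` — that reading is inferred, since the code that uses tag_size is outside both hunks. The strict `key_size != ...->blob.length` test is the safer replacement for the old MIN() copy, which zero-padded a short key or truncated a long one without complaint, but both guards return a bare NT_STATUS_INTERNAL_ERROR; logging the expected and actual sizes (never the key bytes) before returning would make a mismatch diagnosable. Both function bodies start and end outside the hunks shown.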
@@ -896,19 +892,19 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 key_size = gnutls_cipher_get_key_size(algo);
 tag_size = gnutls_cipher_get_tag_size(algo);
- if (key_size > sizeof(_key)) {
- return NT_STATUS_BUFFER_TOO_SMALL;
+ if (key_size != decryption_key->blob.length) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (tag_size != 16) {
+ return NT_STATUS_INTERNAL_ERROR;
 }
 key = (gnutls_datum_t) {
- .data = _key,
+ .data = decryption_key->blob.data,
 .size = key_size,
 };
- memcpy(key.data,
- decryption_key->blob.data,
- MIN(decryption_key->blob.length, key.size));
-
 iv = (gnutls_datum_t) {
 .data = tf + SMB2_TF_NONCE,
 .size = iv_size,
@@ -1038,7 +1034,5 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 status = NT_STATUS_OK;
 out:
- ZERO_ARRAY(_key);
-
 return status;
 }
-- 
2.47.3