gensec:ntlmssp: only allow messages up to 2888 bytes

author Stefan Metzmacher <metze@samba.org>

Thu, 12 Nov 2020 09:00:07 +0000 (10:00 +0100)

committer Jule Anger <janger@samba.org>

Thu, 7 Nov 2024 08:18:16 +0000 (08:18 +0000)
author Stefan Metzmacher <metze@samba.org>
Thu, 12 Nov 2020 09:00:07 +0000 (10:00 +0100)
committer Jule Anger <janger@samba.org>
Thu, 7 Nov 2024 08:18:16 +0000 (08:18 +0000)
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c

index 745f2628d21f0d2ea4fd7376d510533b69215ad7..c9360a5fa2d80e758d72af7095d0a8b7d251986c 100644 (file)
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -36,6 +36,8 @@ struct auth_session_info;
  #undef DBGC_CLASS
  #define DBGC_CLASS DBGC_AUTH
  
+#define NTLMSSP_MAX_UPDATE_SIZE 2888
+
  /**
   * Callbacks for NTLMSSP - for both client and server operating modes
   *
@@ -136,6 +138,13 @@ static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_securi
                 }
         }
  
+       if (input.length > NTLMSSP_MAX_UPDATE_SIZE) {
+               DBG_WARNING("reject large command=%u message, length %zu > %u)\n",
+                           ntlmssp_command, input.length,
+                           NTLMSSP_MAX_UPDATE_SIZE);
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
         if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
                 DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command,
                           gensec_ntlmssp->ntlmssp_state->expected_state));
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c

index d8dc1d2940bfc37232069767c33be40bf931d609..a63cf6927479993905b781ec2f3b60ea102d4a48 100644 (file)
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -142,12 +142,6 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
  
         /* parse the NTLMSSP packet */
  
-       if (in.length > UINT16_MAX) {
-               DEBUG(1, ("%s: reject large request of length %u\n",
-                       __func__, (unsigned int)in.length));
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-
         ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
                          "NTLMSSP",
                          &ntlmssp_command,
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c

index 1e49379a8ed6668e2e57a386dd51e49d643d326d..2e25c4efab57a5551749a79e8b636cb05feda084 100644 (file)
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -124,12 +124,6 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
  #endif
  
         if (request.length) {
-               if (request.length > UINT16_MAX) {
-                       DEBUG(1, ("ntlmssp_server_negotiate: reject large request of length %u\n",
-                               (unsigned int)request.length));
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
-
                 if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
                                                           "NTLMSSP",
                                                           &ntlmssp_command,
diff --git a/selftest/knownfail.d/dcerpc-auth-pad b/selftest/knownfail.d/dcerpc-auth-pad

index e4fdd21e1dcec00515c0a4a4c471ddd765f1f633..eab7637fc407e9f408313aab3c98a40af40f6c95 100644 (file)
--- a/selftest/knownfail.d/dcerpc-auth-pad
+++ b/selftest/knownfail.d/dcerpc-auth-pad
@@ -2,10 +2,6 @@
  ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_spnego_auth3
  ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_ntlm
  ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_spnego
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_alter
  ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_auth3
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_bind
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_alter
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_auth3
  ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter
  ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3
author	Stefan Metzmacher <metze@samba.org>
	Thu, 12 Nov 2020 09:00:07 +0000 (10:00 +0100)
committer	Jule Anger <janger@samba.org>
	Thu, 7 Nov 2024 08:18:16 +0000 (08:18 +0000)
auth/ntlmssp/ntlmssp.c		patch \| blob \| blame \| history
auth/ntlmssp/ntlmssp_client.c		patch \| blob \| blame \| history
auth/ntlmssp/ntlmssp_server.c		patch \| blob \| blame \| history
selftest/knownfail.d/dcerpc-auth-pad		patch \| blob \| blame \| history