From: Stefan Metzmacher
Date: Thu, 12 Nov 2020 09:00:07 +0000 (+0100)
Subject: gensec:ntlmssp: only allow messages up to 2888 bytes
X-Git-Tag: ldb-2.9.2~82
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=a7742b351924c921bb64832f5214d42c5c060ca0;p=thirdparty%2Fsamba.git

gensec:ntlmssp: only allow messages up to 2888 bytes

This matches Windows (at least Server 2012_R2).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider

(cherry picked from commit 55dd8bdb05b4e814beb50d11a6f12c94e5f6e9d5)
---

diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 745f2628d21..c9360a5fa2d 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -36,6 +36,8 @@ struct auth_session_info;
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
+#define NTLMSSP_MAX_UPDATE_SIZE 2888
+
 /**
  * Callbacks for NTLMSSP - for both client and server operating modes
  *
@@ -136,6 +138,13 @@ static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_securi
 		}
 	}
 
+	if (input.length > NTLMSSP_MAX_UPDATE_SIZE) {
+		DBG_WARNING("reject large command=%u message, length %zu > %u)\n",
+			    ntlmssp_command, input.length,
+			    NTLMSSP_MAX_UPDATE_SIZE);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
 		DEBUG(2, ("got NTLMSSP command %u, expected %u\n",
 			  ntlmssp_command, gensec_ntlmssp->ntlmssp_state->expected_state));
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index d8dc1d2940b..a63cf692747 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
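Review bot: NTLMSSP_MAX_UPDATE_SIZE is added without a comment recording where 2888 comes from, so the number is only explained by the commit message. A comment above the define such as `/* Largest NTLMSSP message accepted by Windows (at least Server 2012 R2); see https://bugzilla.samba.org/show_bug.cgi?id=14356 */` would keep that provenance in the source. Because this commit also drops the UINT16_MAX guards in ntlmssp_client.c and ntlmssp_server.c, this constant becomes the single bound on incoming NTLMSSP message sizes, which is worth stating in the same comment.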
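Review bot: The DBG_WARNING format string in the new size check carries a stray closing parenthesis, `length %zu > %u)\n`, with no matching `(`, so the logged line reads oddly; it should be `DBG_WARNING("reject large command=%u message, length %zu > %u\n",`. NTLMSSP_MAX_UPDATE_SIZE expands to a plain `int` while the conversion is `%u`; this works on every platform Samba builds on, but `(unsigned int)NTLMSSP_MAX_UPDATE_SIZE` as the argument (or defining the constant as `2888U`) would make the types match under -Wformat-signedness. This guard stands in for the UINT16_MAX checks removed from gensec_ntlmssp_resume_ccache and gensec_ntlmssp_server_negotiate in the same commit, which is presumably only equivalent if every path into those functions first passes through gensec_ntlmssp_update_find — worth confirming against the callers. gensec_ntlmssp_update_find begins and ends outside the hunk.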
@@ -142,12 +142,6 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
 
 	/* parse the NTLMSSP packet */
-	if (in.length > UINT16_MAX) {
-		DEBUG(1, ("%s: reject large request of length %u\n",
-			__func__, (unsigned int)in.length));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
 	ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
 			 "NTLMSSP",
 			 &ntlmssp_command,
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 1e49379a8ed..2e25c4efab5 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -124,12 +124,6 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
 #endif
 
 	if (request.length) {
-		if (request.length > UINT16_MAX) {
-			DEBUG(1, ("ntlmssp_server_negotiate: reject large request of length %u\n",
-				  (unsigned int)request.length));
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-
 		if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
 							  "NTLMSSP",
 							  &ntlmssp_command,
diff --git a/selftest/knownfail.d/dcerpc-auth-pad b/selftest/knownfail.d/dcerpc-auth-pad
index e4fdd21e1dc..eab7637fc40 100644
--- a/selftest/knownfail.d/dcerpc-auth-pad
+++ b/selftest/knownfail.d/dcerpc-auth-pad
@@ -2,10 +2,6 @@
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_spnego_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_ntlm
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_spnego
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_alter
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_auth3
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_bind
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_alter
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3