authorStefan Metzmacher <metze@samba.org>2015-11-24 21:24:47 +0100
committerStefan Metzmacher <metze@samba.org>2016-04-12 19:25:23 +0200
commit8a647ae1e1c355f48b0d2a5a6c8bb0105e3d2318 (patch)
treeca971981fc4ede9e18e113d8892a57e142fb090d /auth/credentials
parent8cd1a2a118b544af7d08a3b79cdbd09384d86af3 (diff)
CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
If we clear CLI_CRED_LANMAN_AUTH, we should also clear the lm_response buffer and not send it over the net. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'auth/credentials')
-rw-r--r--auth/credentials/credentials_ntlm.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 4e122772dea..3711b1eda41 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -110,6 +110,12 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
/* LM Key is incompatible... */
*flags &= ~CLI_CRED_LANMAN_AUTH;
+ if (lm_response.length != 0) {
+ /*
+ * We should not expose the lm key.
+ */
+ memset(lm_response.data, 0, lm_response.length);
+ }
} else if (*flags & CLI_CRED_NTLM2) {
MD5_CTX md5_session_nonce_ctx;
uint8_t session_nonce[16];
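Review bot: The added comment `We should not expose the lm key.` does not describe what the `memset` below it does: it zeroes the contents of `lm_response` but leaves `lm_response.length` unchanged. Assuming the blob is handed on as-is later in the function (not visible in this hunk), an all-zero response of the same length is still emitted, whereas the commit description says "don't send it over the net". I would state the intent in the comment, for example `/* Zero the LMv2 response in place (length kept) so no LM-derived material leaves the client once CLI_CRED_LANMAN_AUTH is cleared. */`, and confirm that zero-filled-but-present is the intended wire form. cli_credentials_get_ntlm_response() starts and ends outside the hunk.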