diff options
author | Stefan Metzmacher <metze@samba.org> | 2016-03-01 10:25:54 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:24 +0200 |
commit | 70452c90a51a16be0e20517bd1936149490fc947 (patch) | |
tree | 70e38749e223bcd4687d03501d042fb04b4b05c5 /source4/smb_server | |
parent | 4fb68674953b9814cae67c371baab5a0f76d6c2c (diff) | |
download | samba-70452c90a51a16be0e20517bd1936149490fc947.tar.gz |
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source4/smb_server')
-rw-r--r-- | source4/smb_server/smb/sesssetup.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index 4ebc0c47718..e06853afcd4 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c @@ -263,6 +263,7 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess) const char *remote_machine = NULL; struct tevent_req *subreq; struct sesssetup_context *state; + bool allow_raw = lpcfg_raw_ntlmv2_auth(req->smb_conn->lp_ctx); sess->nt1.out.vuid = 0; sess->nt1.out.action = 0; @@ -338,6 +339,15 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess) user_info->password.response.nt = sess->nt1.in.password2; user_info->password.response.nt.data = talloc_steal(user_info, sess->nt1.in.password2.data); + if (!allow_raw && user_info->password.response.nt.length >= 48) { + /* + * NTLMv2_RESPONSE has at least 48 bytes + * and should only be supported via NTLMSSP. + */ + status = NT_STATUS_INVALID_PARAMETER; + goto failed; + } + subreq = auth_check_password_send(state, req->smb_conn->connection->event.ctx, state->auth_context, |