From dd9886100514941aa16af8566faf41501b601a44 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 17 Dec 2021 23:32:28 +0100
Subject: auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Tue Jan 4 20:57:41 UTC 2022 on sn-devel-184
---
 auth/ntlmssp/ntlmssp_server.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'auth')
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 939aa0ef4aa..ce78af1d32d 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -532,6 +532,14 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
 nt_status = ndr_map_error2ntstatus(err);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_BUFFER_TOO_SMALL)) {
+ /*
+ * Note that invalid blobs should result in
+ * INVALID_PARAMETER, as demonstrated by
+ * smb2.session.ntlmssp_bug14932
+ */
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ }
 DEBUG(1,("%s: failed to parse NTLMv2_RESPONSE of length %zu for "
 "user=[%s] domain=[%s] workstation=[%s] - %s %s\n",
 __func__, ntlmssp_state->nt_resp.length,
-- 
cgit v1.2.1
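Review bot: The added remap in the `!NDR_ERR_CODE_IS_SUCCESS(err)` branch covers only `NT_STATUS_BUFFER_TOO_SMALL`, which is narrower than the subject line's "NTLMv2_RESPONSE parsing errors". If `ndr_map_error2ntstatus()` can return other statuses for a malformed client blob, an unauthenticated peer would still receive those instead of INVALID_PARAMETER. If only the truncated-blob case was checked by smb2.session.ntlmssp_bug14932, the comment should say so, e.g. `/* Only BUFFER_TOO_SMALL is remapped; other NDR parse errors keep their mapped status. */`. Otherwise consider remapping every status except allocation failure, along the lines of `if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) { nt_status = NT_STATUS_INVALID_PARAMETER; }`. The body of ntlmssp_server_preauth starts and ends outside this hunk, so how `nt_status` is used after the DEBUG call is not visible here.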