Author: abartlet
Date: 2006-01-13 23:08:20 +0000 (Fri, 13 Jan 2006)
New Revision: 12919

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12919

Log:
Ensure we never 'extend' the session key length, or fill in past the
length of the (possibly null) pointer.

In reality this should come to us either 16 or 0 bytes in length, but
this is the safest test.

This is bug 3401 in Samba3, thanks to Yau Lam Yiu <yiuext at cs.ust.hk>

Andrew Bartlett


Modified:
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c
===================================================================
--- branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c    2006-01-13 22:55:23 UTC 
(rev 12918)
+++ branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c    2006-01-13 23:08:20 UTC 
(rev 12919)
@@ -279,11 +279,15 @@
 
 void ntlmssp_weaken_keys(struct gensec_ntlmssp_state *gensec_ntlmssp_state) 
 {
+       /* Nothing to weaken.  We certainly don't want to 'extend' the 
length... */
+       if (!gensec_ntlmssp_state->session_key.length < 8) {
+               return;
+       }
+
        /* Key weakening not performed on the master key for NTLM2
           and does not occour for NTLM1.  Therefore we only need
           to do this for the LM_KEY.  
        */
-
        if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
                if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
                        
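Review bot: The new guard at the top of ntlmssp_weaken_keys(), `if (!gensec_ntlmssp_state->session_key.length < 8)`, never tests the key length. `!` binds tighter than `<`, so the expression compares 0 or 1 against 8 and is always true. The function therefore returns unconditionally, and the NTLMSSP_NEGOTIATE_LM_KEY branch below it is never reached. Drop the `!` so the check reads `if (gensec_ntlmssp_state->session_key.length < 8)`. That matches the log message's intent of never extending a short (or zero-length) session key, while still weakening keys that are long enough. A compiler warning for this pattern (for example GCC's -Wlogical-not-parentheses) would catch it at build time.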
