Projects
openEuler:20.03:LTS:SP3
samba
_service:tar_scm_kernel_repo:backport-0002-CVE-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:backport-0002-CVE-2022-2127.patch of Package samba
From 5c6fe5a491b16bb658c191cfafb5edc0beb5fab2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke <vl@samba.org> Date: Fri, 20 May 2022 10:55:23 +0200 Subject: [PATCH 02/25] CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you can crash winbind. We don't independently check lm_resp_len sufficiently. Discovered via Coverity ID 1504444 Out-of-bounds access BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 Signed-off-by: Volker Lendecke <vl@samba.org> Conflict: NA Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch --- source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++-------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c index fdb8120a6fe..651d54b01d3 100644 --- a/source3/winbindd/winbindd_pam_auth_crap.c +++ b/source3/winbindd/winbindd_pam_auth_crap.c @@ -42,6 +42,9 @@ struct tevent_req *winbindd_pam_auth_crap_send( struct winbindd_pam_auth_crap_state *state; struct winbindd_domain *domain; const char *auth_domain = NULL; + bool lmlength_ok = false; + bool ntlength_ok = false; + bool pwlength_ok = false; req = tevent_req_create(mem_ctx, &state, struct winbindd_pam_auth_crap_state); @@ -140,16 +143,24 @@ struct tevent_req *winbindd_pam_auth_crap_send( fstrcpy(request->data.auth_crap.workstation, lp_netbios_name()); } - if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp) - || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) { - if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) || - request->extra_len != request->data.auth_crap.nt_resp_len) { - DBG_ERR("Invalid password length %u/%u\n", - request->data.auth_crap.lm_resp_len, - request->data.auth_crap.nt_resp_len); - tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); - return tevent_req_post(req, ev); - } + lmlength_ok = (request->data.auth_crap.lm_resp_len <= + sizeof(request->data.auth_crap.lm_resp)); + + ntlength_ok = (request->data.auth_crap.nt_resp_len <= + sizeof(request->data.auth_crap.nt_resp)); + + ntlength_ok |= + ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) && + (request->extra_len == request->data.auth_crap.nt_resp_len)); + + pwlength_ok = lmlength_ok && ntlength_ok; + + if (!pwlength_ok) { + DBG_ERR("Invalid password length %u/%u\n", + request->data.auth_crap.lm_resp_len, + request->data.auth_crap.nt_resp_len); + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); } subreq = wb_domain_request_send(state, global_event_context(), domain, -- 2.34.1
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.