Projects
openEuler:20.03:LTS:SP3
samba
_service:tar_scm_kernel_repo:backport-0003-CVE-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:backport-0003-CVE-2022-2127.patch of Package samba
From 2eabbe31f64a8456813a502afb05907beb46ffad Mon Sep 17 00:00:00 2001 From: Ralph Boehme <slow@samba.org> Date: Fri, 16 Jun 2023 12:28:47 +0200 Subject: [PATCH 03/25] CVE-2022-2127: ntlm_auth: cap lanman response length value We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the lm_resp buffer, but we don't cap the length indicator. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 Signed-off-by: Ralph Boehme <slow@samba.org> Conflict: NA Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch --- source3/utils/ntlm_auth.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 52a1840..f363f25 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -570,10 +570,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username, memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8)); if (lm_response && lm_response->length) { + size_t capped_lm_response_len = MIN( + lm_response->length, + sizeof(request.data.auth_crap.lm_resp)); + memcpy(request.data.auth_crap.lm_resp, lm_response->data, - MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp))); - request.data.auth_crap.lm_resp_len = lm_response->length; + capped_lm_response_len); + request.data.auth_crap.lm_resp_len = capped_lm_response_len; } if (nt_response && nt_response->length) { -- 2.27.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.