CVE-2022-2127: ntlm_auth: cap lanman response length value
[vlendec/samba-autobuild/.git] / source3 / utils / ntlm_auth.c
index 778a0e0e2497bec2614b7eae80b8fa8c26fff027..cff3c53845ffb1e097fb591bf72c8d983d28992e 100644 (file)
@@ -575,10 +575,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
        memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
 
        if (lm_response && lm_response->length) {
+               size_t capped_lm_response_len = MIN(
+                       lm_response->length,
+                       sizeof(request.data.auth_crap.lm_resp));
+
                memcpy(request.data.auth_crap.lm_resp,
                       lm_response->data,
-                      MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
-               request.data.auth_crap.lm_resp_len = lm_response->length;
+                      capped_lm_response_len);
+               request.data.auth_crap.lm_resp_len = capped_lm_response_len;
        }
 
        if (nt_response && nt_response->length) {
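Review bot: An over-long LM response is silently truncated in the `lm_response` branch and the request is still sent on, so malformed input surfaces only as an ordinary authentication failure with no trace of why. Since both the supplied and the capped length are at hand, consider logging (or rejecting) the mismatch before the `memcpy`, e.g. `if (lm_response->length > sizeof(request.data.auth_crap.lm_resp)) { DEBUG(1, ("LM response too long, truncating\n")); }`. A short comment on `capped_lm_response_len` would record the invariant for later maintainers, such as `/* lm_resp_len must never exceed sizeof(lm_resp); the receiver presumably uses it to bound its read of the fixed-size buffer */`. The `nt_response` branch opens on the last line and its body is outside the hunk, so whether its length field is bounded the same way cannot be confirmed from here.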