CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_stat...

ntlmssp_handle_neg_flags() can only disable flags, but not
set them. All supported flags are set at start time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index 9186ce993e8c611136d1a0a9c11cbfbe43d79232..1a8e66e63e29bb921e3186c101cd790eaa37f546 100644 (file)
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -151,6 +151,10 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
                ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
        }
 
+       if (ntlmssp_state->allow_lm_key) {
+               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+       }
+
        if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
                ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
        }

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 839d0595460e8b07dd6b47aacbdd261a4426be4b..096d48d83e197f39b4de1c672f414e07458c6748 100644 (file)
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -636,6 +636,10 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
                ntlmssp_state->allow_lm_key = false;
        }
 
+       if (ntlmssp_state->allow_lm_key) {
+               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+       }
+
        if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
                /*
                 * We need to set this to allow a later SetPassword

diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 262bf61201c99315cb082b68415ea7b55388eaaa..4ae6101f025635acbd14f85805a1a04edca530d9 100644 (file)
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -85,20 +85,24 @@ NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
                ntlmssp_state->unicode = false;
        }
 
-       if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
-               /* other end forcing us to use LM */
-               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
-               ntlmssp_state->use_ntlmv2 = false;
-       } else {
+       /*
+        * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+        * has priority over NTLMSSP_NEGOTIATE_LM_KEY
+        */
+       if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+       }
+
+       if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
                ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
        }
 
-       if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+       if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
        }
 
-       if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+       if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
        }
 
        if (!(flags & NTLMSSP_NEGOTIATE_128)) {