CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get...
authorStefan Metzmacher <metze@samba.org>
Tue, 24 Nov 2015 20:24:47 +0000 (21:24 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:23 +0000 (19:25 +0200)
If we clear CLI_CRED_LANMAN_AUTH and we should also clear the lm_response buffer
and don't send it over the net.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: G√ľnther Deschner <gd@samba.org>
auth/credentials/credentials_ntlm.c

index 4e122772dea8c750897e788b004e1c8ad9d09ea9..3711b1eda418e302ff7ee4a0ed4a0944bd273977 100644 (file)
@@ -110,6 +110,12 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
 
                /* LM Key is incompatible... */
                *flags &= ~CLI_CRED_LANMAN_AUTH;
+               if (lm_response.length != 0) {
+                       /*
+                        * We should not expose the lm key.
+                        */
+                       memset(lm_response.data, 0, lm_response.length);
+               }
        } else if (*flags & CLI_CRED_NTLM2) {
                MD5_CTX md5_session_nonce_ctx;
                uint8_t session_nonce[16];