r12919: Ensure we never 'extend' the session key length, or fill in past the

length of the (possibly null) pointer.

In reality this should come to us either 16 or 0 bytes in length, but
this is the safest test.

This is bug 3401 in Samba3, thanks to Yau Lam Yiu <yiuext at cs.ust.hk>

Andrew Bartlett

diff --git a/source/auth/ntlmssp/ntlmssp.c b/source/auth/ntlmssp/ntlmssp.c
index 9452ac3e96efc69c05cb8378b52187540b1b13c6..2b20608c82cd56c53d112d91daea931762920be4 100644 (file)
--- a/source/auth/ntlmssp/ntlmssp.c
+++ b/source/auth/ntlmssp/ntlmssp.c
@@ -279,11 +279,15 @@ void ntlmssp_handle_neg_flags(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
 
 void ntlmssp_weaken_keys(struct gensec_ntlmssp_state *gensec_ntlmssp_state) 
 {
+       /* Nothing to weaken.  We certainly don't want to 'extend' the length... */
+       if (!gensec_ntlmssp_state->session_key.length < 8) {
+               return;
+       }
+
        /* Key weakening not performed on the master key for NTLM2
           and does not occour for NTLM1.  Therefore we only need
           to do this for the LM_KEY.  
        */
-
        if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
                if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {