From 7dbe3c67368a1b5d81564b61650f1e85beb4e1c8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 13 Nov 2019 12:52:44 +0100
Subject: [PATCH 142/187] libcli:auth: Check return code of SMBOWFencrypt_ntv2()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
(cherry picked from commit 3db2ca2dcf367a6c57071a76668d19f3cbf62565)
---
 libcli/auth/ntlm_check.c | 18 +++++++++++++++---
 libcli/auth/smbencrypt.c | 20 ++++++++++++++++++--
 2 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index ba0051d7aea..5058add3811 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -93,6 +93,7 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
 uint8_t kr[16];
 uint8_t value_from_encryption[16];
 DATA_BLOB client_key_data;
+ NTSTATUS status;
 if (part_passwd == NULL) {
 DEBUG(10,("No password set - DISALLOWING access\n"));
@@ -125,7 +126,13 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
 return false;
 }
- SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
+ status = SMBOWFencrypt_ntv2(kr,
+ sec_blob,
+ &client_key_data,
+ value_from_encryption);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
 #if DEBUG_PASSWORD
 DEBUG(100,("Part password (P16) was |\n"));
@@ -142,7 +149,6 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
 data_blob_clear_free(&client_key_data);
 if (memcmp(value_from_encryption, ntv2_response->data, 16) == 0) {
 if (user_sess_key != NULL) {
- NTSTATUS status;
 *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
 status = SMBsesskeygen_ntv2(kr,
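Review bot: The new early `return false;` in the @@ -125 hunk of smb_pwd_check_ntlmv2 skips the `data_blob_clear_free(&client_key_data);` that the next hunk's context shows on the normal path, so the blob is left allocated and uncleared on this failure path; the fix is to put `data_blob_clear_free(&client_key_data);` before the return. The failure is also silent, which makes a crypto-backend error look exactly like a wrong password to whoever triages authentication failures; a line such as `DEBUG(1, ("SMBOWFencrypt_ntv2() failed: %s\n", nt_errstr(status)));` would separate the two. The same early return is added in the @@ -202 hunk of smb_sess_key_ntlmv2, whose cleanup is not visible in this diff and should be checked the same way. Both function bodies start and end outside their hunks, so the allocation of client_key_data is inferred rather than shown.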
@@ -202,7 +208,13 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
 return false;
 }
- SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
+ status = SMBOWFencrypt_ntv2(kr,
+ sec_blob,
+ &client_key_data,
+ value_from_encryption);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
 *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
 status = SMBsesskeygen_ntv2(kr, value_from_encryption,
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index e7ed0630cdc..e33d29de19d 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -493,6 +493,7 @@ static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx,
 uint8_t ntlmv2_response[16];
 DATA_BLOB ntlmv2_client_data;
 DATA_BLOB final_response;
+ NTSTATUS status;
 TALLOC_CTX *mem_ctx = talloc_named(out_mem_ctx, 0, "NTLMv2_generate_response internal context");
@@ -507,7 +508,14 @@ static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx,
 ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, nttime, names_blob);
 /* Given that data, and the challenge from the server, generate a response */
- SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response);
+ status = SMBOWFencrypt_ntv2(ntlm_v2_hash,
+ server_chal,
+ &ntlmv2_client_data,
+ ntlmv2_response);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(mem_ctx);
+ return data_blob(NULL, 0);
+ }
 final_response = data_blob_talloc(out_mem_ctx, NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length);
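Review bot: In the @@ -507 hunk the failure path of NTLMv2_generate_response returns `data_blob(NULL, 0)`, and that empty blob is the only error signal a caller receives. The callers are outside this diff, so each one should be confirmed to test for `.data == NULL` or `.length == 0` before using or sending the result; otherwise the failure this commit now detects is dropped one level up. A comment above the function, `/* Returns an empty blob (data == NULL, length == 0) if the response could not be computed. */`, would make that contract explicit. The function body starts and ends outside the hunk.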
@@ -528,13 +536,21 @@ static DATA_BLOB LMv2_generate_response(TALLOC_CTX *mem_ctx,
 uint8_t lmv2_response[16];
 DATA_BLOB lmv2_client_data = data_blob_talloc(mem_ctx, NULL, 8);
 DATA_BLOB final_response = data_blob_talloc(mem_ctx, NULL,24);
+ NTSTATUS status;
 /* LMv2 */
 /* client-supplied random data */
 generate_random_buffer(lmv2_client_data.data, lmv2_client_data.length);
 /* Given that data, and the challenge from the server, generate a response */
- SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &lmv2_client_data, lmv2_response);
+ status = SMBOWFencrypt_ntv2(ntlm_v2_hash,
+ server_chal,
+ &lmv2_client_data,
+ lmv2_response);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&lmv2_client_data);
+ return data_blob(NULL, 0);
+ }
 memcpy(final_response.data, lmv2_response, sizeof(lmv2_response));
 /* after the first 16 bytes is the random data we generated above,
--
2.23.0
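Review bot: The new failure path in LMv2_generate_response frees `lmv2_client_data` but not `final_response`, which the context line at the top of the hunk has already allocated with `data_blob_talloc(mem_ctx, NULL,24)`, so that buffer stays attached to the caller's mem_ctx after the empty blob is returned. Adding `data_blob_free(&final_response);` next to the existing `data_blob_free(&lmv2_client_data);` closes the gap. The empty blob is again the only failure signal, so callers outside this diff need to check for it before using the result. The function continues past the end of the hunk.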