    cifs: dynamic allocation of ntlmssp blob · b8da344b
    Jerome Marchand authored
    In sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated
    statically and its size is an "empirical" 5*sizeof(struct
    _AUTHENTICATE_MESSAGE) (320B on x86_64). I don't know where this value
    comes from or if it was ever appropriate, but it is currently
    insufficient: the user and domain name in UTF16 could take 1kB by
    themselves. Because of that, build_ntlmssp_auth_blob() might corrupt
    memory (out-of-bounds write). The size of ntlmssp_blob in
    SMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE)
    + 500).
    This patch allocates the blob dynamically in
    Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
    Signed-off-by: Steve French <smfrench@gmail.com>
    CC: Stable <stable@vger.kernel.org>
ntlmssp.h 5.66 KB
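The arithmetic behind the commit message, as an added example that is not the kernel's code: a constructed stand-in for the AUTHENTICATE header (the field layout, `struct auth_hdr`, `struct sec_buf` and all function names are assumptions, sized so that 5 * sizeof() gives the 320 bytes quoted for x86_64), a function that computes the bytes a blob really needs from its variable-length fields, a check of whether the old fixed 5*sizeof() buffer could hold it, and a builder that allocates the blob on the heap at exactly that size so that long UTF-16 user and domain names cannot overrun it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct _AUTHENTICATE_MESSAGE (fs/cifs/ntlmssp.h).
 * The layout is an assumption for this example, chosen so that sizeof() is
 * 64 bytes and 5 * sizeof() is the 320 bytes the commit message quotes. */
struct sec_buf {
    uint16_t len;
    uint16_t maxlen;
    uint32_t offset;        /* payload offset from the start of the blob */
};

struct auth_hdr {
    uint8_t  signature[8];  /* "NTLMSSP\0" */
    uint32_t message_type;  /* 3 = AUTHENTICATE */
    struct sec_buf lm_resp;
    struct sec_buf ntlm_resp;
    struct sec_buf domain;
    struct sec_buf user;
    struct sec_buf workstation;
    struct sec_buf session_key;
    uint32_t negotiate_flags;
};

/* The "empirical" static size the old code relied on. */
#define LEGACY_BLOB_SIZE (5 * sizeof(struct auth_hdr))

/* Bytes a complete blob needs: fixed header plus every payload appended after it. */
size_t ntlmssp_auth_blob_size(size_t user_utf16_len, size_t domain_utf16_len,
                              size_t ntlm_resp_len, size_t workstation_utf16_len)
{
    return sizeof(struct auth_hdr) + user_utf16_len + domain_utf16_len
         + ntlm_resp_len + workstation_utf16_len;
}

/* 1 if the fixed buffer could hold this blob without an out-of-bounds write. */
int legacy_buffer_fits(size_t user_utf16_len, size_t domain_utf16_len,
                       size_t ntlm_resp_len, size_t workstation_utf16_len)
{
    return ntlmssp_auth_blob_size(user_utf16_len, domain_utf16_len,
                                  ntlm_resp_len, workstation_utf16_len) <= LEGACY_BLOB_SIZE;
}

/* Widen ASCII to UTF-16LE (two bytes per character); out == NULL just measures. */
static size_t ascii_to_utf16le(const char *s, uint8_t *out)
{
    size_t n = strlen(s);
    if (out)
        for (size_t i = 0; i < n; i++) { out[2 * i] = (uint8_t)s[i]; out[2 * i + 1] = 0; }
    return 2 * n;
}

/* Record a payload of len bytes already placed at blob+end; return the new end. */
static size_t set_field(struct sec_buf *sb, size_t end, size_t len)
{
    sb->len = sb->maxlen = (uint16_t)len;
    sb->offset = (uint32_t)end;
    return end + len;
}

/* Build the blob into a heap buffer sized exactly from its inputs. Caller frees. */
uint8_t *build_auth_blob(const char *user, const char *domain, const char *workstation,
                         const uint8_t *ntlm_resp, size_t ntlm_resp_len, size_t *out_len)
{
    size_t ulen = ascii_to_utf16le(user, NULL), dlen = ascii_to_utf16le(domain, NULL);
    size_t wlen = ascii_to_utf16le(workstation, NULL);
    size_t total = ntlmssp_auth_blob_size(ulen, dlen, ntlm_resp_len, wlen);
    uint8_t *blob = calloc(1, total);
    if (!blob)
        return NULL;
    struct auth_hdr *h = (struct auth_hdr *)blob;
    memcpy(h->signature, "NTLMSSP", 8);
    h->message_type = 3;
    size_t end = sizeof(*h);
    end = set_field(&h->lm_resp, end, 0);                   /* no LM response */
    if (ntlm_resp_len) memcpy(blob + end, ntlm_resp, ntlm_resp_len);
    end = set_field(&h->ntlm_resp, end, ntlm_resp_len);
    ascii_to_utf16le(domain, blob + end);      end = set_field(&h->domain, end, dlen);
    ascii_to_utf16le(user, blob + end);        end = set_field(&h->user, end, ulen);
    ascii_to_utf16le(workstation, blob + end); end = set_field(&h->workstation, end, wlen);
    end = set_field(&h->session_key, end, 0);
    *out_len = end;
    return blob;
}

/* 1 if every security buffer lies inside the blob; 0 otherwise. */
int blob_well_formed(const uint8_t *blob, size_t len)
{
    const struct auth_hdr *h = (const struct auth_hdr *)blob;
    const struct sec_buf *f[] = { &h->lm_resp, &h->ntlm_resp, &h->domain,
                                  &h->user, &h->workstation, &h->session_key };
    if (len < sizeof(*h)) return 0;
    for (size_t i = 0; i < 6; i++)
        if ((size_t)f[i]->offset + f[i]->len > len) return 0;
    return 1;
}

int main(void)
{
    /* Constructed worst case from the commit message: 256-char user and
     * domain names take 512 bytes each in UTF-16, 1 kB in total. */
    printf("legacy 320-byte buffer fits long names: %d\n",
           legacy_buffer_fits(512, 512, 24, 0));   /* prints 0 */
    return 0;
}
```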