cifs: out-of-bound write in build_ntlmssp_auth_blob()

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

cifs: out-of-bound write in build_ntlmssp_auth_blob()

Jerome Marchand

While running some test, KASan detected several out-of-bound write
accesses to the ntlmssp blob in build_ntlmssp_auth_blob(). In this case,
the ntlmssp blob was allocated in sess_auth_rawntlmssp_authenticate().
Its size is an "empirical" 5*sizeof(struct _AUTHENTICATE_MESSAGE) (320B
on x86_64). I don't know where this value comes from or if it was ever
appropriate, but it is currently insufficient: the user and domain name
in UTF16 could take 1kB by themselves. I'm not sure what's the proper
way to fix this. Naively I'd say to allocate the blob dynamically in
While I haven't run into the issue, the size of ntlmssp_blob in
SMB2_sess_setup is too small too (sizeof(struct _NEGOTIATE_MESSAGE) + 500).

Jerome Marchand

signature.asc (484 bytes) Download Attachment