s3-smbd Ensure we do not read past the end of a possible NTLMSSP blob

Signed-off-by: Andrew Tridgell <tridge@samba.org>

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 683f6b2c150a51c721cecbcd1ed638206494190d..54c469c25a2b65d534847a09365d874537557f87 100644 (file)
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -1154,7 +1154,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
                return;
        }
 
-       if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) {
+       if (blob1.length > 7 && strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) {
                DATA_BLOB chal;
 
                if (!vuser->auth_ntlmssp_state) {

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 45acff277857de44b35f06b5a008318639af87d6..a3283117b450f516c1a0cb5df75c2f94c536749f 100644 (file)
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -758,7 +758,7 @@ static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
                                                out_session_flags,
                                                out_security_buffer,
                                                out_session_id);
-       } else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
+       } else if (in_security_buffer.length > 7 && strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
                return smbd_smb2_raw_ntlmssp_auth(session,
                                                smb2req,
                                                in_security_mode,