CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks to parent process
authorSamuel Cabrero <scabrero@samba.org>
Thu, 24 Feb 2022 16:48:27 +0000 (17:48 +0100)
committerJule Anger <janger@samba.org>
Fri, 14 Jul 2023 13:16:16 +0000 (15:16 +0200)
The winbindd_dual_pam_auth_crap() function will be converted to a local
RPC call handler and it won't receive a winbindd_cli_state struct. Move
the checks accessing this struct to the parent.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374)

source3/winbindd/winbindd_pam.c
source3/winbindd/winbindd_pam_auth_crap.c

index e600ad27e54fd91a22dfd8a93af626c35464bd14..e77673bf1733aedfe9320fca08dc46794926873e 100644 (file)
@@ -2671,18 +2671,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
        DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
                  name_domain, name_user));
 
-       if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
-               || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
-               if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
-                    state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
-                       DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
-                                 state->request->data.auth_crap.lm_resp_len,
-                                 state->request->data.auth_crap.nt_resp_len));
-                       result = NT_STATUS_INVALID_PARAMETER;
-                       goto done;
-               }
-       }
-
        lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
                                        state->request->data.auth_crap.lm_resp_len);
 
index a6f13806df978e686f2f7257ce182e4cc984e017..fdb8120a6fe76cfcb7e11e1e497062b7254d401a 100644 (file)
@@ -140,6 +140,18 @@ struct tevent_req *winbindd_pam_auth_crap_send(
                fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
        }
 
+       if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
+               || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
+               if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+                    request->extra_len != request->data.auth_crap.nt_resp_len) {
+                       DBG_ERR("Invalid password length %u/%u\n",
+                               request->data.auth_crap.lm_resp_len,
+                               request->data.auth_crap.nt_resp_len);
+                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                       return tevent_req_post(req, ev);
+               }
+       }
+
        subreq = wb_domain_request_send(state, global_event_context(), domain,
                                        request);
        if (tevent_req_nomem(subreq, req)) {
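Review bot: The relocated check still accepts an oversized `lm_resp_len` whenever `WBFLAG_BIG_NTLMV2_BLOB` is set and `extra_len` equals `nt_resp_len`, because the big-blob exception is applied to the OR of both length tests. That exception compares `extra_len` only with `nt_resp_len`, so it appears meant for the NT response alone. The context lines of the winbindd_pam.c hunk show the child still copying `lm_resp_len` bytes from the fixed `lm_resp` array with `data_blob_talloc()`, so such a request would read past that array. Reject it unconditionally by making `request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp) ||` the first term of the inner `if`. winbindd_pam_auth_crap_send() starts and ends outside this hunk, so any earlier validation of these fields is not visible here.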