field | value | date |
---|---|---|
author | Jerome Marchand <jmarchan@redhat.com> | 2016-05-26 11:52:25 +0200 |
committer | Ben Hutchings <ben@decadent.org.uk> | 2016-08-22 22:38:20 +0100 |
commit | 44b522de8d3e3579bee0b95ebaef3de0265658de (patch) | |
tree | 094b004dbf1ff87b13c21dda2deaada06c034724 /drivers/hid | |
parent | 30622d3dbf69f757fcca2d63678e5cfbd5af9113 (diff) | |
download | linux-stable-44b522de8d3e3579bee0b95ebaef3de0265658de.tar.gz, linux-stable-44b522de8d3e3579bee0b95ebaef3de0265658de.tar.bz2, linux-stable-44b522de8d3e3579bee0b95ebaef3de0265658de.zip | |
cifs: dynamic allocation of ntlmssp blob
commit b8da344b74c822e966c6d19d6b2321efe82c5d97 upstream.
In sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated
statically and its size is an "empirical" 5*sizeof(struct
_AUTHENTICATE_MESSAGE) (320B on x86_64). I don't know where this value
comes from or if it was ever appropriate, but it is currently
insufficient: the user and domain name in UTF16 could take 1kB by
themselves. Because of that, build_ntlmssp_auth_blob() might corrupt
memory (out-of-bounds write). The size of ntlmssp_blob in
SMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE)
+ 500).
This patch allocates the blob dynamically in
build_ntlmssp_auth_blob().
Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
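The commit message above describes a fixed 320-byte blob (5 times the 64-byte AUTHENTICATE header) being overrun once the UTF-16 user and domain names are copied in. The following is an added example, not the kernel's fs/cifs code and not the patch itself: a hypothetical builder in the post-fix shape, which computes the exact blob size from the inputs, allocates that much, and then fills the SECURITY_BUFFER descriptors, so the constructed 255-character names that would overrun the static buffer are handled. The struct layout follows the MS-NLMP AUTHENTICATE_MESSAGE (no Version or MIC fields); all type and function names (`auth_hdr`, `sec_buf`, `build_ntlmssp_auth_blob`, `demo_long_names_len`, ...) and the sample names and responses are assumptions made here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the kernel's fs/cifs code. It models the MS-NLMP
 * AUTHENTICATE_MESSAGE: a 64-byte header of SECURITY_BUFFER descriptors and
 * a variable payload, stored in host order (little-endian on x86, the wire
 * order). All names are hypothetical; the sample inputs are constructed. */

#define NTLMSSP_SIGNATURE "NTLMSSP"     /* 7 chars + NUL = 8 bytes */
#define NTLMSSP_AUTHENTICATE 3
#define LM_RESP_LEN 24                  /* LM/LMv2 response is 24 bytes */

struct sec_buf { uint16_t len, max_len; uint32_t offset; };   /* 8 bytes */
struct auth_hdr {                       /* 64 bytes, no Version/MIC fields */
    uint8_t  signature[8];
    uint32_t message_type;
    struct sec_buf lm_resp, nt_resp, domain, user, workstation, session_key;
    uint32_t negotiate_flags;
};
/* The "empirical" pre-fix static buffer: 5 * 64 = 320 bytes. */
#define STATIC_BLOB_SIZE (5 * sizeof(struct auth_hdr))

static size_t utf16_len(const char *s) { return 2 * strlen(s); }

/* Exact size the blob needs: header + LM + NT responses + UTF-16LE names.
 * Anything above STATIC_BLOB_SIZE is what the pre-fix code wrote out of bounds. */
size_t ntlmssp_auth_blob_len(size_t nt_resp_len, const char *domain,
                             const char *user, const char *workstation)
{
    return sizeof(struct auth_hdr) + LM_RESP_LEN + nt_resp_len +
           utf16_len(domain) + utf16_len(user) + utf16_len(workstation);
}

static void put_bytes(uint8_t *blob, size_t *pos, struct sec_buf *sb,
                      const void *src, size_t n)
{
    sb->offset = (uint32_t)*pos;
    sb->len = sb->max_len = (uint16_t)n;
    memcpy(blob + *pos, src, n);
    *pos += n;
}

/* Append s as UTF-16LE (ASCII input assumed: a zero byte after each char). */
static void put_utf16(uint8_t *blob, size_t *pos, struct sec_buf *sb,
                      const char *s)
{
    sb->offset = (uint32_t)*pos;
    sb->len = sb->max_len = (uint16_t)utf16_len(s);
    for (; *s; s++) {
        blob[(*pos)++] = (uint8_t)*s;
        blob[(*pos)++] = 0;
    }
}

/* Post-fix shape: size the blob first, allocate exactly that, then fill. */
uint8_t *build_ntlmssp_auth_blob(const uint8_t *lm_resp, const uint8_t *nt_resp,
                                 size_t nt_resp_len, const char *domain,
                                 const char *user, const char *workstation,
                                 size_t *out_len)
{
    size_t len = ntlmssp_auth_blob_len(nt_resp_len, domain, user, workstation);
    if (len > UINT16_MAX)               /* a 16-bit descriptor cannot cover it */
        return NULL;
    uint8_t *blob = calloc(1, len);
    if (!blob)
        return NULL;
    struct auth_hdr *h = (struct auth_hdr *)blob;
    memcpy(h->signature, NTLMSSP_SIGNATURE, 8);
    h->message_type = NTLMSSP_AUTHENTICATE;
    size_t pos = sizeof(*h);
    put_bytes(blob, &pos, &h->lm_resp, lm_resp, LM_RESP_LEN);
    put_bytes(blob, &pos, &h->nt_resp, nt_resp, nt_resp_len);
    put_utf16(blob, &pos, &h->domain, domain);
    put_utf16(blob, &pos, &h->user, user);
    put_utf16(blob, &pos, &h->workstation, workstation);
    h->session_key.offset = (uint32_t)pos;  /* empty session key */
    *out_len = pos;
    return blob;
}

/* Constructed worst case from the commit message: 255-char domain and user. */
static void long_name(char name[256]) { memset(name, 'A', 255); name[255] = '\0'; }

size_t demo_long_names_len(void)
{
    char name[256];
    long_name(name);
    return ntlmssp_auth_blob_len(24, name, name, "PC1");
}

/* 1 if the built blob is exactly the computed size and its last descriptor
 * ends at that size, i.e. nothing was written outside the allocation. */
int demo_long_names_consistent(void)
{
    static const uint8_t lm[LM_RESP_LEN] = {0}, nt[24] = {1, 2, 3};
    char name[256];
    long_name(name);
    size_t len;
    uint8_t *blob = build_ntlmssp_auth_blob(lm, nt, sizeof nt, name, name,
                                            "PC1", &len);
    if (!blob)
        return 0;
    const struct auth_hdr *h = (const struct auth_hdr *)blob;
    int ok = len == demo_long_names_len() &&
             (size_t)h->workstation.offset + h->workstation.len == len;
    free(blob);
    return ok;
}
```

The point to carry over is that the size is derived from the same inputs the fill step consumes, so the allocation and the writes cannot disagree; with a short domain and user the blob stays well under 320 bytes, while the 255-character names need 1138 bytes, which is the case the static buffer could not hold.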
Diffstat (limited to 'drivers/hid')
0 files changed, 0 insertions, 0 deletions