[Dovecot] [PATCH] NTLM update and crashfix
Andrey Panin
pazke at donpac.ru
Wed Nov 10 15:59:27 EET 2004
Hello,
attached patch allows LM authentication for older (Win9x) clients
which do not pass NTLM response in type 3 message. It also fixes
crash in dovecot-auth (empty credentials could be passed to
hex_to_binary function if NTLM2 was negotiated).
Please consider applying.
Best regards.
--
Andrey Panin | Linux and UNIX system administrator
pazke at donpac.ru | PGP key: wwwkeys.pgp.net
-------------- next part --------------
diff -urdpNX /usr/share/dontdiff -x debian dovecot-1.0-test52.vanilla/src/auth/mech-ntlm.c dovecot-1.0-test52/src/auth/mech-ntlm.c
--- dovecot-1.0-test52.vanilla/src/auth/mech-ntlm.c 2004-10-22 17:32:27.000000000 +0400
+++ dovecot-1.0-test52/src/auth/mech-ntlm.c 2004-11-10 16:45:53.000000000 +0300
@@ -42,10 +42,15 @@ lm_credentials_callback(const char *cred
const unsigned char *client_response;
unsigned char lm_response[LM_RESPONSE_SIZE];
unsigned char hash[LM_HASH_SIZE];
+ unsigned int response_length;
buffer_t *hash_buffer;
int ret;
- if (credentials == NULL) {
+ response_length =
+ ntlmssp_buffer_length(request->response, lm_response);
+ client_response = ntlmssp_buffer_data(request->response, lm_response);
+
+ if ((credentials == NULL) || (response_length < LM_RESPONSE_SIZE)) {
mech_auth_finish(auth_request, NULL, 0, FALSE);
return;
}
@@ -54,8 +59,6 @@ lm_credentials_callback(const char *cred
hash, sizeof(hash));
hex_to_binary(credentials, hash_buffer);
- client_response = ntlmssp_buffer_data(request->response, lm_response);
-
ntlmssp_v1_response(hash, request->challenge, lm_response);
ret = memcmp(lm_response, client_response, LM_RESPONSE_SIZE) == 0;
@@ -75,10 +78,18 @@ ntlm_credentials_callback(const char *cr
buffer_t *hash_buffer;
int ret;
- if (credentials == NULL && !request->ntlm2_negotiated) {
- passdb->lookup_credentials(auth_request,
- PASSDB_CREDENTIALS_LANMAN,
- lm_credentials_callback);
+ response_length =
+ ntlmssp_buffer_length(request->response, ntlm_response);
+ client_response = ntlmssp_buffer_data(request->response, ntlm_response);
+
+ if ((credentials == NULL) || (response_length == 0)) {
+ /* We can't use LM authentication if NTLM2 was negotiated */
+ if (request->ntlm2_negotiated)
+ mech_auth_finish(auth_request, NULL, 0, FALSE);
+ else
+ passdb->lookup_credentials(auth_request,
+ PASSDB_CREDENTIALS_LANMAN,
+ lm_credentials_callback);
return;
}
@@ -86,9 +97,6 @@ ntlm_credentials_callback(const char *cr
hash, sizeof(hash));
hex_to_binary(credentials, hash_buffer);
- response_length =
- ntlmssp_buffer_length(request->response, ntlm_response);
- client_response = ntlmssp_buffer_data(request->response, ntlm_response);
if (response_length > NTLMSSP_RESPONSE_SIZE) {
unsigned char ntlm_v2_response[NTLMSSP_V2_RESPONSE_SIZE];
diff -urdpNX /usr/share/dontdiff -x debian dovecot-1.0-test52.vanilla/src/lib-ntlm/ntlm-message.c dovecot-1.0-test52/src/lib-ntlm/ntlm-message.c
--- dovecot-1.0-test52.vanilla/src/lib-ntlm/ntlm-message.c 2004-10-22 17:32:27.000000000 +0400
+++ dovecot-1.0-test52/src/lib-ntlm/ntlm-message.c 2004-11-10 16:28:33.000000000 +0300
@@ -180,13 +180,19 @@ static int ntlmssp_check_buffer(const st
size_t data_size, const char **error)
{
uint32_t offset = read_le32(&buffer->offset);
+ uint16_t length = read_le16(&buffer->length);
+ uint16_t space = read_le16(&buffer->space);
+
+ /* Empty buffer is ok */
+ if (!length && !space)
+ return 1;
if (offset >= data_size) {
*error = "buffer offset out of bounds";
return 0;
}
- if (offset + read_le16(&buffer->space) > data_size) {
+ if (offset + space > data_size) {
*error = "buffer end out of bounds";
return 0;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20041110/b661f21e/attachment-0001.bin>
More information about the dovecot
mailing list