cifs: dynamic allocation of ntlmssp blob
authorJerome Marchand <jmarchan@redhat.com>
Thu, 26 May 2016 09:52:25 +0000 (11:52 +0200)
committerSteve French <smfrench@gmail.com>
Fri, 24 Jun 2016 04:45:07 +0000 (23:45 -0500)
commitb8da344b74c822e966c6d19d6b2321efe82c5d97
treef4b6a50200af4e957e3ba0872e3555b74be21679
parent202d772ba02b1deb8835a631cd8255943d1906a0
cifs: dynamic allocation of ntlmssp blob

In sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated
statically and its size is an "empirical" 5*sizeof(struct
_AUTHENTICATE_MESSAGE) (320B on x86_64). I don't know where this value
comes from or if it was ever appropriate, but it is currently
insufficient: the user and domain name in UTF16 could take 1kB by
themselves. Because of that, build_ntlmssp_auth_blob() might corrupt
memory (out-of-bounds write). The size of ntlmssp_blob in
SMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE)
+ 500).

This patch allocates the blob dynamically in
build_ntlmssp_auth_blob().

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
CC: Stable <stable@vger.kernel.org>
fs/cifs/ntlmssp.h
fs/cifs/sess.c
fs/cifs/smb2pdu.c