cifs: dynamic allocation of ntlmssp blob

In sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated statically and its size is an "empirical" 5*sizeof(struct _AUTHENTICATE_MESSAGE) (320B on x86_64). I don't know where this value comes from or if it was ever appropriate, but it is currently insufficient: the user and domain name in UTF16 could take 1kB by themselves. Because of that, build_ntlmssp_auth_blob() might corrupt memory (out-of-bounds write). The size of ntlmssp_blob in SMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE) + 500). This patch allocates the blob dynamically in build_ntlmssp_auth_blob(). Signed-off-by: Jerome Marchand <jmarchan@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com> CC: Stable <stable@vger.kernel.org>
author: Jerome Marchand 2016-05-26 11:52:25 +0200
committer: Steve French 2016-06-23 23:45:07 -0500
commit: b8da344b74c822e966c6d19d6b2321efe82c5d97 (patch)
tree: f4b6a50200af4e957e3ba0872e3555b74be21679 /fs/cifs/ntlmssp.h
parent: 202d772ba02b1deb8835a631cd8255943d1906a0 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/cifs/ntlmssp.h b/fs/cifs/ntlmssp.h
index 848249fa120f..3079b38f0afb 100644
--- a/fs/cifs/ntlmssp.h
+++ b/fs/cifs/ntlmssp.h
@@ -133,6 +133,6 @@ typedef struct _AUTHENTICATE_MESSAGE {
 
 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, struct cifs_ses *ses);
 void build_ntlmssp_negotiate_blob(unsigned char *pbuffer, struct cifs_ses *ses);
-int build_ntlmssp_auth_blob(unsigned char *pbuffer, u16 *buflen,
+int build_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen,
 			struct cifs_ses *ses,
 			const struct nls_table *nls_cp);
author	Jerome Marchand	2016-05-26 11:52:25 +0200
committer	Steve French	2016-06-23 23:45:07 -0500
commit	b8da344b74c822e966c6d19d6b2321efe82c5d97 (patch)
tree	f4b6a50200af4e957e3ba0872e3555b74be21679 /fs/cifs/ntlmssp.h
parent	202d772ba02b1deb8835a631cd8255943d1906a0 (diff)