incorrect password length - bug?

Gerald (Jerry) Carter jerry at samba.org
Wed Jan 29 19:51:35 GMT 2003


On Wed, 29 Jan 2003, Pierre Belanger wrote:

> Reference:
> 
> http://lists.samba.org/pipermail/samba-technical/2001-August/015596.html
> 
> I was playing around with smbpasswd last night. I first thought
> something committed in CVS broke something, I checked all changes
> made since the past 1-2 days and found nothing :(  I then
> downgraded to an old copy of samba I kept and was quite surprised
> to see I was still having the same behavior!
> 
> Here we go. Using smbpasswd -r localhost -U <username>
> if you type in the wrong current (old) password, smbd
> reports:
> 
> [2003/01/29 14:13:05, 0] smbd/chgpasswd.c:check_oem_password(817)
> check_oem_password: incorrect password length (1980737076).
> 
> This value comes from new_pw_len = IVAL(lmdata, 512) in
> chgpasswd.c . I tried hard to find the reason, even with
> debug level @ 9, I caaaaan't :(

The password change is done by sending a large buffer and encrypting it 
with the old password.  The first 512 bytes are random junk and the 
clear text of the new password is tagged on.  Since you used a wrong old 
password, the buffer cannot be decrypted correctly when smbd uses the 
correct password.  Thus the length field is invalid.  Make sense?

I could be more specific, but I would need to look back at that code 
again to refresh my memory.

I think there was a password change bug in older 2.2 releases (pre 2.2.6 
IIRC).  The post you cite might have been an unsupported info level.  I 
can't remember.  



cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)
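
The mechanism described in the reply above, as an added example that is not part of the original message and is not Samba's code: a 516-byte buffer is encrypted under one key and decrypted under another, so the length read at offset 512 comes out as garbage. RC4 as the cipher, the right-justified password layout, the 255-byte bound, and the keys and filler bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PW_AREA 512             /* filler + password; length sits at offset 512 */
#define BUF_LEN (PW_AREA + 4)
#define MAX_PW  255             /* assumed sanity bound on the decoded length */

/* RC4 in place (assumed cipher); the same call encrypts and decrypts. */
static void rc4(uint8_t *buf, size_t len, const uint8_t key[16]) {
    uint8_t s[256], t; unsigned i, j = 0;
    for (i = 0; i < 256; i++) s[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + key[i % 16]) & 255;
        t = s[i]; s[i] = s[j]; s[j] = t;
    }
    i = j = 0;
    for (size_t n = 0; n < len; n++) {
        i = (i + 1) & 255; j = (j + s[i]) & 255;
        t = s[i]; s[i] = s[j]; s[j] = t;
        buf[n] ^= s[(s[i] + s[j]) & 255];
    }
}

/* Client: filler, new password right-justified, little-endian length, encrypt. */
static void build_blob(uint8_t out[BUF_LEN], const char *pw, const uint8_t key[16]) {
    uint32_t len = (uint32_t)strlen(pw);
    if (len > PW_AREA) len = PW_AREA;            /* never write before out[0] */
    for (unsigned i = 0; i < PW_AREA; i++) out[i] = (uint8_t)(i * 37 + 11); /* constructed filler */
    memcpy(out + PW_AREA - len, pw, len);
    for (int b = 0; b < 4; b++) out[PW_AREA + b] = (uint8_t)(len >> (8 * b));
    rc4(out, BUF_LEN, key);
}

/* Server: decrypt with the stored key; return the length field or -1 if implausible. */
static long check_blob(const uint8_t blob[BUF_LEN], const uint8_t key[16], uint32_t *raw) {
    uint8_t buf[BUF_LEN];
    memcpy(buf, blob, BUF_LEN);
    rc4(buf, BUF_LEN, key);
    *raw = buf[512] | (uint32_t)buf[513] << 8 | (uint32_t)buf[514] << 16 | (uint32_t)buf[515] << 24;
    return *raw > MAX_PW ? -1 : (long)*raw;
}

int main(void) {
    const uint8_t stored[16] = "correct-old-key", typed[16] = "mistyped-oldkey"; /* constructed */
    uint8_t blob[BUF_LEN]; uint32_t raw; long rc;
    build_blob(blob, "N3wSecret", typed);  rc = check_blob(blob, stored, &raw);
    printf("wrong old password: rc=%ld, length field %u\n", rc, (unsigned)raw);
    build_blob(blob, "N3wSecret", stored); rc = check_blob(blob, stored, &raw);
    printf("right old password: rc=%ld, length field %u\n", rc, (unsigned)raw);
}
```

With these constants a garbage length falls inside the accepted range about once in 2^24 attempts, so the length check is only a sanity filter and cannot stand in for verifying the old password.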