Read beyond end of buffer in init_id_info2()
abartlet at samba.org
Thu Feb 24 03:48:36 GMT 2005
On Tue, 2005-02-22 at 14:44 +0100, Martin Buck wrote:
> I'm still struggling with my "Samba can't authenticate XP clients with
> lmcompatibilitylevel=3 against NT4 SP6a PDC" problem (see
> http://lists.samba.org/archive/samba-technical/2005-February/039612.html ).
> While debugging this, I had a closer look at init_id_info2(). In my case,
> this gets called with nt_chal_resp_len = 164, which will cause a read
> beyond the end of a buffer on the stack.
Well spotted. We don't need those stack variables, so I've removed that
code completely from Samba 3.0.
Now, on the NTLMv2 issue, it may be an issue that the member server is
changing the domain name. If the domain name changes, then
cryptographic things break. In a domain member situation, this
shouldn't happen, but that's where I would start looking.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
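The over-read Martin describes is the classic shape of a fixed-size stack buffer sized for a 24-byte NTLMv1 response being handed a variable-length NTLMv2 response. The following C is an added illustration, not Samba's init_id_info2() and not code from either poster; the function names, the 24-byte stack array, the consume() stand-in and the 164-byte constructed sample are all assumptions made for the example. It shows the staging pattern with the bounds check that was missing, beside the fix Andrew describes (no intermediate stack copy at all).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Samba code. A stack array sized for a 24-byte NTLMv1
 * response, used with a variable-length NTLMv2 response (164 bytes in the
 * report). Names and sizes are assumptions for illustration. */
#define NT_RESP_FIXED_LEN 24
#define SAMPLE_MAX 256

/* Stand-in for whatever the real code did with the response bytes. */
static uint32_t consume(const uint8_t *p, size_t len)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc += p[i];
    return acc;
}

/* Fragile pattern: stage the response in a stack array, then consume
 * `len` bytes of that array. The length check is the part that was
 * missing; without it a 164-byte response reads 140 bytes past nt_owf.
 * Returns -1 when the response does not fit, otherwise the consumed value. */
long sum_staged(const uint8_t *resp, size_t len)
{
    uint8_t nt_owf[NT_RESP_FIXED_LEN];

    if (len > sizeof(nt_owf))
        return -1;               /* reject instead of over-reading */
    memcpy(nt_owf, resp, len);
    return (long)consume(nt_owf, len);
}

/* Fix in the spirit of the reply: drop the stack copy entirely. The
 * caller's pointer and length travel together, so any length is fine. */
uint32_t sum_direct(const uint8_t *resp, size_t len)
{
    return consume(resp, len);
}

/* Constructed sample response: byte i holds the value i (capped at 256). */
static size_t make_sample(uint8_t *buf, size_t len)
{
    if (len > SAMPLE_MAX)
        len = SAMPLE_MAX;
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)i;
    return len;
}

/* Staged path over a constructed response of `len` bytes; -1 if rejected. */
long demo_staged(size_t len)
{
    uint8_t buf[SAMPLE_MAX];
    len = make_sample(buf, len);
    return sum_staged(buf, len);
}

/* Direct path over a constructed response of `len` bytes. */
uint32_t demo_direct(size_t len)
{
    uint8_t buf[SAMPLE_MAX];
    len = make_sample(buf, len);
    return sum_direct(buf, len);
}

int main(void)
{
    printf("staged, 24-byte NTLMv1 response:  %ld\n", demo_staged(24));
    printf("staged, 164-byte NTLMv2 response: %ld\n", demo_staged(164));
    printf("direct, 164-byte NTLMv2 response: %u\n", demo_direct(164));
    return 0;
}
```

The staged variant only survives the 164-byte case because of the explicit check; the direct variant has nothing to check because there is no second buffer whose size can disagree with the caller's length, which is why removing the stack variables is the cleaner fix.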