Read beyond end of buffer in init_id_info2()

Andrew Bartlett abartlet at
Thu Feb 24 03:48:36 GMT 2005

On Tue, 2005-02-22 at 14:44 +0100, Martin Buck wrote:
> Hi,
> I'm still struggling with my "Samba can't authenticate XP clients with
> lmcompatibilitylevel=3 against NT4 SP6a PDC" problem (see
> ).
> While debugging this, I had a closer look at init_id_info2(). In my case,
> this gets called with nt_chal_resp_len = 164, which will cause a read
> beyond the end of a buffer on the stack.

Well spotted.  We don't need those stack variables, so I've removed that
code completely from Samba 3.0.

Now, on the NTLMv2 issue, it may be an issue that the member server is
changing the domain name.  If the domain name changes, then
cryptographic things break.  In a domain member situation, this
shouldn't happen, but that's where I would start looking.

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team
Student Network Administrator, Hawker College
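Not part of the thread: an added C sketch, not Samba's init_id_info2(), that models the defect Martin reports (a truncated stack copy whose recorded length still says 164) beside the shape of the fix Andrew describes (no stack copy at all). The 128-byte staging buffer, the truncating copy and the function and struct names are assumptions; nt_chal_resp_len = 164 is the value from the thread.

```c
/* Added illustration, not Samba's code.  Assumed shape of the old path: the
 * response was staged in a 128-byte stack buffer with a truncating copy, while
 * the caller's untruncated length was kept for later marshalling. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STAGING_LEN 128                      /* assumed staging buffer size */
#define NTLMV2_RESP_LEN 164                  /* nt_chal_resp_len seen in the thread */
#define MIN_SZ(a, b) ((a) < (b) ? (a) : (b))

struct chal_resp {        /* what a marshaller later walks: pointer plus length */
    const uint8_t *data;
    size_t len;
};

/* Unsafe shape: truncated copy, untruncated length.  Returns how many bytes a
 * marshaller trusting r.len would read past nt_owf; the over-read is only
 * computed here, never performed, so this function stays well defined. */
size_t unsafe_overread_bytes(const uint8_t *nt_chal_resp, size_t nt_chal_resp_len)
{
    uint8_t nt_owf[STAGING_LEN];
    size_t copied = MIN_SZ(sizeof(nt_owf), nt_chal_resp_len);
    memcpy(nt_owf, nt_chal_resp, copied);
    struct chal_resp r = { nt_owf, nt_chal_resp_len };  /* len and buffer disagree */
    return r.len > copied ? r.len - copied : 0;
}

/* Fixed shape, as the reply describes: no stack copy at all.  The structure
 * references the caller's buffer with the caller's length, so the two cannot
 * disagree.  A NULL buffer with a non-zero length is rejected. */
bool init_nt_chal_resp(struct chal_resp *out, const uint8_t *nt_chal_resp, size_t nt_chal_resp_len)
{
    if (out == NULL || (nt_chal_resp == NULL && nt_chal_resp_len != 0))
        return false;
    out->data = nt_chal_resp;
    out->len = nt_chal_resp_len;
    return true;
}

/* Constructed 164-byte response (dummy bytes) for the checks below. */
static uint8_t sample_resp[NTLMV2_RESP_LEN] = { 0xAB };

/* With a 164-byte response and a 128-byte staging buffer: returns 36. */
size_t demo_overread(void) { return unsafe_overread_bytes(sample_resp, NTLMV2_RESP_LEN); }

bool demo_fixed_ok(void)
{
    struct chal_resp r;
    return init_nt_chal_resp(&r, sample_resp, NTLMV2_RESP_LEN)
        && r.data == sample_resp && r.len == NTLMV2_RESP_LEN
        && !init_nt_chal_resp(&r, NULL, 5);
}
```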