Read beyond end of buffer in init_id_info2()

Martin Buck mb-tmp-fnzon.bet at gromit.dyndns.org
Mon Feb 28 14:52:48 GMT 2005


On Thu, Feb 24, 2005 at 02:48:36PM +1100, Andrew Bartlett wrote:
> Now, on the NTLMv2 issue, it may be an issue that the member server is
> changing the domain name.  If the domain name changes, then
> cryptographic things break.  In a domain member situation, this
> shouldn't happen, but that's where I would start looking.

Indeed, that's the case. Samba was sending an uppercase domain name to the
PDC while the client was supplying a lower case one.

I tried two different workarounds which allowed me to successfully connect
to the share:
* Entering the user name on the XP client with an upper case domain name.
In this case, Samba's conversion to upper case is a null operation, so the
NTLMv2 password hash doesn't break.
* Converting the domain name to lower case in init_id_info2() before
putting it into the NET_ID_INFO_2 structure and continuing to use a lower
case domain name on the client.

I'm not exactly happy with either workaround, but then, maybe I just don't
understand the philosophy behind NT's handling of domain names WRT case
sensitivity (if there is one :-)

IMO, the most elegant solution would be to change check_ntdomain_security()
to not pass the result of lp_workgroup() to domain_client_validate(), but
to use user_info->client_domain instead. This seems to contain the original
domain name as it was supplied by the client. Of course, there's a risk of
breaking domain name comparisons which now no longer can assume that the
domain name is always upper case...

Martin


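The reason a case change in the domain name breaks NTLMv2 but a case change in the user name does not follows from how MS-NLMP defines the NTLMv2 key: NTOWFv2 = HMAC_MD5(MD4(UTF16LE(password)), UTF16LE(Uppercase(user) + domain)). The user name is case-folded before hashing; the domain name is fed in exactly as the client supplied it, so a verifier that recomputes the key with "GROMIT" when the client used "gromit" gets a different key and the proof no longer matches. The following is an added example illustrating that, not Samba or Windows code from the thread: it implements NTOWFv2, the NTLMv2 response and a verifier per MS-NLMP, with MD4 done inline (hashlib does not always ship it) and with constructed user name, domain, password, challenges and timestamp. It does not claim how a real DC handles alternate spellings; it only shows which case changes alter the cryptographic result.

```python
"""NTLMv2 domain-name case sensitivity (added example, not Samba code)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline because hashlib may lack 'md4'."""
    def rotl(x, n):
        x &= MASK
        return ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                   # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl(a + F(b, c, d) + X[i], s), b, c
        for i in range(16):                                   # round 2
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl(a + G(b, c, d) + X[k] + 0x5A827999, s), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl(a + H(b, c, d) + X[k] + 0x6ED9EBA1, s), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(user: str, domain: str, password: str) -> bytes:
    """NTOWFv2 per MS-NLMP: only the user name is upper-cased, the domain
    name goes in verbatim. (.upper() matches Windows folding for ASCII only.)"""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), msg, hashlib.md5).digest()


def ntlmv2_response(user, domain, password, server_challenge,
                    client_challenge, timestamp, target_info) -> bytes:
    """NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(user, domain, password),
                     server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(nt_response, user, domain, password, server_challenge) -> bool:
    """Verifier side: recompute NTProofStr from the user/domain/password it
    believes in and compare with the proof the client sent."""
    proof, temp = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf_v2(user, domain, password),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def case_demo() -> dict:
    """Client logs on as 'alice' in domain 'example' (constructed names);
    the verifier is handed the domain and user in different spellings."""
    server_challenge = bytes(range(8))        # constructed
    client_challenge = bytes(range(8, 16))    # constructed
    timestamp = 0x01C50A3C5C0B8000            # constructed FILETIME value
    target_info = b""                         # empty AV-pair list for brevity
    password = "password"
    resp = ntlmv2_response("alice", "example", password,
                           server_challenge, client_challenge, timestamp, target_info)
    return {
        "domain as typed":    verify_ntlmv2(resp, "alice", "example", password, server_challenge),
        "user upper-cased":   verify_ntlmv2(resp, "ALICE", "example", password, server_challenge),
        "domain upper-cased": verify_ntlmv2(resp, "alice", "EXAMPLE", password, server_challenge),
    }


if __name__ == "__main__":
    for label, ok in case_demo().items():
        print(f"{label:20s} -> {'accepted' if ok else 'REJECTED'}")
```

Running it shows the first two checks accepted and the third rejected, which is exactly the asymmetry the thread observes: the member server may upper-case the user name freely, but any change to the domain string before it reaches the verifier invalidates the client's NTLMv2 proof.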