libcli/auth/ntlmssp Be clear about talloc parents for session keys

Andrew Bartlett abartlet at
Thu Sep 16 16:01:04 MDT 2010

On Thu, 2010-09-16 at 12:00 -0700, Jeremy Allison wrote:
> On Thu, Sep 16, 2010 at 01:08:03PM +0200, Andrew Tridgell wrote:
> > The branch, master has been updated
> >        via  b04b8b5 wbclient: gr_mem can be NULL
> >        via  a163284 wbclient: paranoid check for double free
> >        via  ff515ff tdb: added TDB_NO_FSYNC env variable
> >        via  a394a81 torture/raw Allow one more 'not implemented' status return as a valid response
> >        via  4083b8a s4-torture assert that we get a temp datagram socket.
> >        via  6832d5e libcli/auth/ntlmssp Be clear about talloc parents for session keys
> >        via  d5a4e53 s4-kdc: prevent segfault on bad trust strings
> >        via  dc59de5 s4-netlogon: added IDL for netr_DsrUpdateReadOnlyServerDnsRecords
> >        via  5958997 s4-rpcserver: allow saving of bad RPC packets
> >        via  83a24ff pidl: prevent ndr_print_*() dying on NULL pointers
> >       from  14340a4 idl: Added EPMAPPER_STATUS_CANT_PERFORM_OP.
> > 
> >;a=shortlog;h=master
> > 
> > commit 6832d5e9334f93d2b41fa50580379a2381311748
> > Author: Andrew Bartlett <abartlet at>
> > Date:   Thu Sep 16 14:37:20 2010 +1000
> > 
> >     libcli/auth/ntlmssp Be clear about talloc parents for session keys
> >     
> >     The previous API was not clear as to who owned the returned session key.
> >     This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code,
> >     and avoids making allocations - we steal and zero instead.
> >     
> >     Andrew Bartlett
> >     
> >     Signed-off-by: Andrew Tridgell <tridge at>
> Andrew(s) - this looks like it would be neccessary for 3.6.0
> but the cherry-pick doesn't apply. Can you please review and
> back port for the next production release, thanks !

I've looked into it, and it seems not to be required (as long as
auth_ntlmssp_state has the same lifetime as ntlmssp_state, which as far
as I can tell it does), but for clarity I'll move the allocations in
auth_ntlmssp_check_password() across.  I won't do the full change to
steal etc, because the code is a different structure here (not the new
common code). 

See this proposed patch, which passes 'make test' (I've not checked with
vagrind however).  

The original valgrind error showed up in a run Tridge did of source4 -
there we have 'session key' tests that check all the NTLMSSP flag
codepaths - but as this is (in master) common code I needed to tidy up
all the callers. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-ntlmssp-Allocate-ntlmssp-session-keys-on-ntlmssp_.patch
Type: text/x-patch
Size: 1737 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list