|
29 | 29 | #include "smb_signing.h" |
30 | 30 |
|
31 | 31 | #include <assert.h> |
32 | | -#include <cstdint> |
33 | 32 | #include <ctype.h> |
34 | 33 | #include <gcrypt.h> |
35 | 34 | #include <glib.h> |
@@ -263,8 +262,7 @@ nasl_get_sign (lex_ctxt *lexic) |
263 | 262 |
|
264 | 263 | uint8_t calc_md5_mac[16]; |
265 | 264 | if (simple_packet_signature_ntlmssp ((uint8_t *) mac_key, buf, |
266 | | - (size_t) buflen, seq_num, |
267 | | - calc_md5_mac) |
| 265 | + (size_t) buflen, seq_num, calc_md5_mac) |
268 | 266 | != 0) |
269 | 267 | { |
270 | 268 | nasl_perror (lexic, "get_signature: OOB read\n"); |
@@ -916,17 +914,30 @@ nasl_ntlmv2_hash (lex_ctxt *lexic) |
916 | 914 |
|
917 | 915 | /* NTLMv2 */ |
918 | 916 |
|
919 | | - /* We also get to specify some random data */ |
| 917 | + /* We also get to specify some random data. |
| 918 | + To avoid DoS we set an uper limit for client chal length. |
| 919 | + At the moment of fixing this, the max lenght used in a nasl script is 64. |
| 920 | + */ |
| 921 | + if (client_chal_length > 4096) |
| 922 | + { |
| 923 | + nasl_perror (lexic, "Length to big. Max is 4096\n"); |
| 924 | + return NULL; |
| 925 | + } |
| 926 | + |
920 | 927 | ntlmv2_client_data = g_malloc0 (client_chal_length); |
921 | 928 | for (i = 0; i < client_chal_length; i++) |
922 | 929 | ntlmv2_client_data[i] = rand () % 256; |
923 | 930 |
|
924 | 931 | if (hash_len != 16) |
925 | | - nasl_perror (lexic, "owf_in must have a length of 16\n"); |
| 932 | + { |
| 933 | + nasl_perror (lexic, "owf_in must have a length of 16\n"); |
| 934 | + return NULL; |
| 935 | + } |
926 | 936 |
|
927 | 937 | /* Given that data, and the challenge from the server, generate a response */ |
928 | | - SMBOWFencrypt_ntv2_ntlmssp (ntlm_v2_hash, server_chal, 8, ntlmv2_client_data, |
929 | | - client_chal_length, ntlmv2_response); |
| 938 | + SMBOWFencrypt_ntv2_ntlmssp ( |
| 939 | + ntlm_v2_hash, server_chal, get_var_size_by_name (lexic, "cryptkey"), |
| 940 | + ntlmv2_client_data, client_chal_length, ntlmv2_response); |
930 | 941 |
|
931 | 942 | /* put it into nt_response, for the code below to put into the packet */ |
932 | 943 | final_response = g_malloc0 (client_chal_length + sizeof (ntlmv2_response)); |
|
0 commit comments