Skip to content

Commit 5ef971d

Browse files
committed
Fix: nasl_ntlmv2_hash(). Do length validation.
1 parent 7e14093 commit 5ef971d

1 file changed

Lines changed: 18 additions & 7 deletions

File tree

nasl/nasl_crypto.c

Lines changed: 18 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,6 @@
2929
#include "smb_signing.h"
3030

3131
#include <assert.h>
32-
#include <cstdint>
3332
#include <ctype.h>
3433
#include <gcrypt.h>
3534
#include <glib.h>
@@ -263,8 +262,7 @@ nasl_get_sign (lex_ctxt *lexic)
263262

264263
uint8_t calc_md5_mac[16];
265264
if (simple_packet_signature_ntlmssp ((uint8_t *) mac_key, buf,
266-
(size_t) buflen, seq_num,
267-
calc_md5_mac)
265+
(size_t) buflen, seq_num, calc_md5_mac)
268266
!= 0)
269267
{
270268
nasl_perror (lexic, "get_signature: OOB read\n");
@@ -916,17 +914,30 @@ nasl_ntlmv2_hash (lex_ctxt *lexic)
916914

917915
/* NTLMv2 */
918916

919-
/* We also get to specify some random data */
917+
/* We also get to specify some random data.
918+
To avoid DoS we set an uper limit for client chal length.
919+
At the moment of fixing this, the max lenght used in a nasl script is 64.
920+
*/
921+
if (client_chal_length > 4096)
922+
{
923+
nasl_perror (lexic, "Length to big. Max is 4096\n");
924+
return NULL;
925+
}
926+
920927
ntlmv2_client_data = g_malloc0 (client_chal_length);
921928
for (i = 0; i < client_chal_length; i++)
922929
ntlmv2_client_data[i] = rand () % 256;
923930

924931
if (hash_len != 16)
925-
nasl_perror (lexic, "owf_in must have a length of 16\n");
932+
{
933+
nasl_perror (lexic, "owf_in must have a length of 16\n");
934+
return NULL;
935+
}
926936

927937
/* Given that data, and the challenge from the server, generate a response */
928-
SMBOWFencrypt_ntv2_ntlmssp (ntlm_v2_hash, server_chal, 8, ntlmv2_client_data,
929-
client_chal_length, ntlmv2_response);
938+
SMBOWFencrypt_ntv2_ntlmssp (
939+
ntlm_v2_hash, server_chal, get_var_size_by_name (lexic, "cryptkey"),
940+
ntlmv2_client_data, client_chal_length, ntlmv2_response);
930941

931942
/* put it into nt_response, for the code below to put into the packet */
932943
final_response = g_malloc0 (client_chal_length + sizeof (ntlmv2_response));

0 commit comments

Comments
 (0)