From e067c523b17951a93b6daafd349e9371f8f81e56 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 16 Jun 2023 12:28:47 +0200
Subject: [PATCH] CVE-2022-2127: ntlm_auth: cap lanman response length value

We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
lm_resp buffer, but we don't cap the length indicator.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Ralph Boehme <slow@samba.org>
---
 source3/utils/ntlm_auth.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 778a0e0e249..cff3c53845f 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -575,10 +575,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 	memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
 
 	if (lm_response && lm_response->length) {
+		size_t capped_lm_response_len = MIN(
+			lm_response->length,
+			sizeof(request.data.auth_crap.lm_resp));
+
 		memcpy(request.data.auth_crap.lm_resp,
 		       lm_response->data,
-		       MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
-		request.data.auth_crap.lm_resp_len = lm_response->length;
+		       capped_lm_response_len);
+		request.data.auth_crap.lm_resp_len = capped_lm_response_len;
 	}
 
 	if (nt_response && nt_response->length) {
-- 
2.11.4.GIT