Package: cvsnt
Version: 2.5.03.2382-2
Severity: normal
Tags: patch

NTLMSSP authentication against a Windows cvsnt server fails.
I have an older, hacked cvsnt version which works, and by comparing tcpdumps I found out that the pointer field of the second string (domain/workstation) of the type 1 NTLM message built by buildSmbNtlmAuthRequest() points past the end of the message when the domain argument is an empty string. The server then immediately rejects the auth request with a "[80090308] The parameter is incorrect." reply.

The attached patch fixes this, and makes NTLM auth work for me. (The older cvsnt version I have set the offset field to some totally bogus value when the string length is zero, thus I believe the offset value doesn't matter at all in this case, as long as it doesn't point past the end of the packet.)

Thanks,
Johannes

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19-rc2
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages cvsnt depends on:
ii  libc6      2.3.6.ds1-6                      GNU C Library: Shared libraries
ii  libcomer   1.39+1.40-WIP-2006.10.02+dfsg-1  common error description library
ii  libexpat   1.95.8-3.3                       XML parsing C library - runtime li
ii  libgcc1    1:4.1.1-16                       GCC support library
ii  libkrb53   1.4.4-3                          MIT Kerberos runtime libraries
ii  libssl0.   0.9.7k-3                         SSL shared libraries
ii  libstdc+   1:3.3.6-13                       The GNU Standard C++ Library v3
ii  zlib1g     1:1.2.3-13                       compression library - runtime

Versions of packages cvsnt recommends:
ii  netbase    4.27                             Basic TCP/IP networking system

-- no debconf information
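The failure described above comes down to one NTLM "security buffer" (a 16-bit length, 16-bit maximum length and 32-bit offset, all little-endian, the offset counted from the start of the message) whose offset lands at or beyond the end of the Type 1 message when the string it describes is empty. The following is an added example, written for this page and not code from the bug report or from cvsnt: it builds a minimal Type 1 message with the 32-byte fixed header (signature, type, flags, domain buffer, workstation buffer), appending the workstation string before the domain string in the same order the patched function does, and then checks every security buffer against the real message length. The bounds rule it enforces is the one the report observed (the offset itself must lie inside the message even when the length is zero, and offset plus length may not exceed the message), and the `repair` step pulls an out-of-range zero-length offset back inside the message just as the report's patch does. All function names, the 256-byte buffer and the flags value are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NTLM security buffer on the wire (little-endian):
 *   uint16 length, uint16 max_length, uint32 offset (from message start).
 * Type 1 (NEGOTIATE) fixed header, 32 bytes:
 *   0 "NTLMSSP\0"   8 type=1   12 flags   16 domain buf   24 workstation buf */
#define NTLM_T1_HDR     32
#define NTLM_T1_DOMAIN  16
#define NTLM_T1_WKSTA   24

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }

/* Validate one security buffer at header position `slot` against the real
 * message length. Rule (as observed in the bug report): the offset must lie
 * inside the message even for a zero-length string, and [offset, offset+len)
 * must not run past the end. A receiver should apply this before touching
 * the bytes the buffer points at; the offset is peer-controlled data. */
int ntlm_secbuf_ok(const uint8_t *msg, size_t msg_len, size_t slot)
{
    if (slot + 8 > msg_len) return 0;             /* header itself truncated */
    uint32_t len = get_le16(msg + slot);
    uint32_t off = get_le32(msg + slot + 4);
    if (off >= msg_len) return 0;                 /* offset at or past the end */
    return (uint64_t)off + len <= msg_len;        /* payload range in bounds */
}

/* Append an OEM string as the security buffer at `slot`; returns new length.
 * The offset recorded is the current end of the message, so an empty string
 * appended last yields an offset equal to the final length: the report's bug. */
static size_t add_string(uint8_t *msg, size_t len, size_t slot, const char *s)
{
    size_t n = s ? strlen(s) : 0;
    put_le16(msg + slot, (uint16_t)n);
    put_le16(msg + slot + 2, (uint16_t)n);
    put_le32(msg + slot + 4, (uint32_t)len);
    if (n) memcpy(msg + len, s, n);
    return len + n;
}

/* Build a Type 1 message (workstation appended first, then domain, mirroring
 * the order in the patched cvsnt function). With `repair` set, any zero-length
 * buffer whose offset ended up at/after the end is moved to the last byte of
 * the message, which is what the report's patch does. Returns 0 if cap is
 * too small or the message would not fit the 16-bit length fields. */
size_t ntlm_build_type1(uint8_t *msg, size_t cap, uint32_t flags,
                        const char *workstation, const char *domain, int repair)
{
    size_t need = NTLM_T1_HDR + (workstation ? strlen(workstation) : 0)
                + (domain ? strlen(domain) : 0);
    if (cap < need || need > 0xffff) return 0;
    memset(msg, 0, NTLM_T1_HDR);
    memcpy(msg, "NTLMSSP", 8);                    /* seven letters plus NUL */
    put_le32(msg + 8, 1);
    put_le32(msg + 12, flags);
    size_t len = NTLM_T1_HDR;
    len = add_string(msg, len, NTLM_T1_WKSTA, workstation);
    len = add_string(msg, len, NTLM_T1_DOMAIN, domain);
    if (repair) {
        size_t slots[2] = { NTLM_T1_DOMAIN, NTLM_T1_WKSTA };
        for (int i = 0; i < 2; i++)
            if (get_le16(msg + slots[i]) == 0 && get_le32(msg + slots[i] + 4) >= len)
                put_le32(msg + slots[i] + 4, (uint32_t)(len - 1));
    }
    return len;
}

/* 1 if the message carries the Type 1 signature and every buffer is in bounds. */
int ntlm_type1_ok(const uint8_t *msg, size_t msg_len)
{
    return msg_len >= NTLM_T1_HDR && memcmp(msg, "NTLMSSP", 8) == 0
        && get_le32(msg + 8) == 1
        && ntlm_secbuf_ok(msg, msg_len, NTLM_T1_DOMAIN)
        && ntlm_secbuf_ok(msg, msg_len, NTLM_T1_WKSTA);
}

/* Build then validate: 1 = in bounds, 0 = a buffer is out of bounds, -1 = build failed. */
int ntlm_type1_roundtrip(const char *workstation, const char *domain, int repair)
{
    uint8_t msg[256];                             /* constructed scratch buffer */
    size_t n = ntlm_build_type1(msg, sizeof msg, 0x207u /* example flags */, workstation, domain, repair);
    return n ? ntlm_type1_ok(msg, n) : -1;
}

int main(void)
{
    printf("empty domain, unrepaired: %d\n", ntlm_type1_roundtrip("WKS1", "", 0));
    printf("empty domain, repaired:   %d\n", ntlm_type1_roundtrip("WKS1", "", 1));
    printf("both strings present:     %d\n", ntlm_type1_roundtrip("WKS1", "DOM", 0));
    return 0;
}
```

With an empty domain appended last, the unrepaired message has a domain offset equal to the message length (36 here), which `ntlm_secbuf_ok` rejects; the repaired message points that zero-length buffer at byte 35 and passes. When both strings are non-empty the offsets are in bounds without any repair, which is why the bug only shows up with an empty domain argument.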
--- cvsnt-2.5.03.2382/protocols/ntlm/smbutil.c.orig 2006-10-21 03:30:43.000000000 +0200 +++ cvsnt-2.5.03.2382/protocols/ntlm/smbutil.c 2006-10-21 03:50:05.000000000 +0200 @@ -258,6 +258,12 @@ buildSmbNtlmAuthRequest_userlen (tSmbNtl /* FIXME this should be workstation, not username */ AddBytes (request, user, user, user_len); AddString (request, domain, domain); + /* offset must not point past end of message (otherwise server responds + * with "The parameter is incorrect."), however if the string length + * is zero it doesn't matter where exactly the offset points to, I think + */ + if (!domain || !*domain) + request->domain.offset--; } void
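Review bot: the `request->domain.offset--` in this hunk only works because the domain string is the last thing appended, so its offset is exactly one past the end; if another field is ever added after AddString (request, domain, domain), or the offset is computed differently, the decrement no longer guarantees an in-bounds value. Setting the offset explicitly to a known in-bounds position (for example the offset already recorded for the preceding workstation field) would state the intent directly. Also, the `!domain` test runs after AddString has already been handed the same possibly-NULL pointer, so either AddString copes with NULL and the check is redundant in that branch, or the NULL case needs handling before the AddString call. The new comment should state the observed behaviour (the server rejects an offset at or past the end of the message; with a zero-length string any in-bounds offset was accepted) rather than "I think", and the FIXME two lines up about workstation versus username is still open after this change.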