@@ -292,14 +292,7 @@ build_avpair_blob(struct cifsSesInfo *ses, const struct nls_table *nls_cp)
wlen = strlen(ses->server->hostname);
ses->tilen = size + 2 * (2 * dlen) + 2 * (2 * wlen) + 8;
- ses->tiblob = kzalloc(ses->tilen, GFP_KERNEL);
- if (!ses->tiblob) {
- ses->tilen = 0;
- cERROR(1, "Challenge target info allocation failure");
- return -ENOMEM;
- }
-
- blobptr = ses->tiblob;
+ blobptr = ses->auth_key.data.ntlmv2.tiblob;
attrptr = (struct ntlmssp2_name *) blobptr;
attrptr->type = cpu_to_le16(NTLMSSP_AV_NB_DOMAIN_NAME);
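Review bot: The length computed on the line above (`ses->tilen = size + 2 * (2 * dlen) + 2 * (2 * wlen) + 8`) is never compared against the fixed buffer that `blobptr` now points into, so a long domain name plus a long server hostname makes the av-pair writes that follow run past `ses->auth_key.data.ntlmv2.tiblob`; the old kzalloc sized the buffer to tilen, the new code does not. Before taking the buffer's address, reject an oversized blob: `if (ses->tilen > CIFS_MAX_NTLMV2_AVPAIR_SIZE) { ses->tilen = 0; return -EINVAL; }` (kernel style would put the braces on their own lines). The writes through attrptr that this guards continue past the end of the hunk, and build_avpair_blob's signature and the definitions of dlen and size are above it.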
@@ -369,11 +362,11 @@ find_domain_name(struct cifsSesInfo *ses)
unsigned char *blobend;
struct ntlmssp2_name *attrptr;
- if (!ses->tilen || !ses->tiblob)
+ if (!ses->tilen)
return 0;
- blobptr = ses->tiblob;
- blobend = ses->tiblob + ses->tilen;
+ blobptr = ses->auth_key.data.ntlmv2.tiblob;
+ blobend = blobptr + ses->tilen;
while (blobptr + onesize < blobend) {
attrptr = (struct ntlmssp2_name *) blobptr;
@@ -510,12 +503,12 @@ setup_ntlmv2_rsp(struct cifsSesInfo *ses, char *resp_buf,
memcpy(&ses->auth_key.data.ntlmv2.resp, resp_buf,
sizeof(struct ntlmv2_resp));
ses->auth_key.len = 16 + sizeof(struct ntlmv2_resp);
+ if (ses->tilen)
+ ses->auth_key.len += ses->tilen;
return 0;
setup_ntlmv2_rsp_ret:
- kfree(ses->tiblob);
- ses->tiblob = NULL;
ses->tilen = 0;
return rc;
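Review bot: The `if (ses->tilen)` guard in front of `ses->auth_key.len += ses->tilen;` is redundant, since adding zero changes nothing; `ses->auth_key.len = 16 + sizeof(struct ntlmv2_resp) + ses->tilen;` says the same in one line and reads as the layout of the ntlmv2 member it describes. The function setup_ntlmv2_rsp starts outside the hunk.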
@@ -533,7 +526,8 @@ void CalcNTLMv2_response(const struct cifsSesInfo *ses,
sizeof(struct ntlmv2_resp) - 8, &context);
if (ses->tilen)
- hmac_md5_update(ses->tiblob, ses->tilen, &context);
+ hmac_md5_update(ses->auth_key.data.ntlmv2.tiblob, ses->tilen,
+ &context);
hmac_md5_final(v2_session_response, &context);
/* cifs_dump_mem("v2_sess_rsp: ", v2_session_response, 32); */
@@ -105,6 +105,7 @@ struct session_key {
struct {
char key[16];
struct ntlmv2_resp resp;
+ unsigned char tiblob[CIFS_MAX_NTLMV2_AVPAIR_SIZE];
} ntlmv2;
} data;
};
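Review bot: The new `tiblob` member is the only field in this nested struct with no comment, while the length that goes with it, `tilen`, stays in struct cifsSesInfo with a comment of its own, so a reader of session_key has no pointer to where the valid length lives. Propose `unsigned char tiblob[CIFS_MAX_NTLMV2_AVPAIR_SIZE]; /* target info blob from challenge; ses->tilen bytes are valid */`. It is also worth a line noting that every struct session_key now carries CIFS_MAX_NTLMV2_AVPAIR_SIZE bytes for this buffer whether or not the session uses NTLMv2.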
@@ -226,7 +227,6 @@ struct cifsSesInfo {
struct session_key auth_key;
char ntlmv2_hash[16];
unsigned int tilen; /* length of the target info blob */
- unsigned char *tiblob; /* target info blob in challenge response */
bool need_reconnect:1; /* connection reset, uid now invalid */
};
/* no more than one of the following three session flags may be set */
@@ -136,6 +136,11 @@
#define CIFS_SESS_KEY_SIZE (24)
/*
+ * Max expected size of an av pair blob in ntlmv2 auth exchange
+ */
+#define CIFS_MAX_NTLMV2_AVPAIR_SIZE (1024)
+
+/*
* Maximum user name length
*/
#define CIFS_UNLEN (20)
@@ -1787,7 +1787,6 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
goto get_ses_fail;
ses->tilen = 0;
- ses->tiblob = NULL;
/* new SMB session uses our server ref */
ses->server = server;
if (server->addr.sockAddr6.sin6_family == AF_INET6)
@@ -411,15 +411,9 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
tioffset = cpu_to_le16(pblob->TargetInfoArray.BufferOffset);
tilen = cpu_to_le16(pblob->TargetInfoArray.Length);
ses->tilen = tilen;
- if (ses->tilen) {
- ses->tiblob = kmalloc(tilen, GFP_KERNEL);
- if (!ses->tiblob) {
- cERROR(1, "Challenge target info allocation failure");
- ses->tilen = 0;
- return -ENOMEM;
- }
- memcpy(ses->tiblob, bcc_ptr + tioffset, ses->tilen);
- }
+ if (ses->tilen && ses->tilen <= CIFS_MAX_NTLMV2_AVPAIR_SIZE)
+ memcpy(ses->auth_key.data.ntlmv2.tiblob, bcc_ptr + tioffset,
+ ses->tilen);
return 0;
}
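Review bot: `ses->tilen = tilen;` is stored before the new size check, so when the server sends a target-info blob larger than CIFS_MAX_NTLMV2_AVPAIR_SIZE nothing is copied but tilen keeps the oversized value and the function returns 0; every consumer in this series then uses tilen as the length of the 1024-byte tiblob buffer and reads past it (find_domain_name's loop in the second hunk, the auth_key.len addition in setup_ntlmv2_rsp, the hmac_md5_update in CalcNTLMv2_response, and the memcpys in build_ntlmssp_auth_blob and the ssetup hunk), while the buffer itself holds whatever an earlier challenge left there. The check should fail the decode and clear tilen rather than silently skip the copy, and since the blob is server-supplied the offset and length should also be held within the message; blob_len looks like that bound but I cannot confirm from the hunk. The lines below replace the tail of the function; the rest of decode_ntlmssp_challenge is above the hunk.
```c
	ses->tilen = tilen;
	/* server-supplied; reject before any consumer treats tilen as the tiblob length */
	if (ses->tilen > CIFS_MAX_NTLMV2_AVPAIR_SIZE ||
	    tioffset + ses->tilen > blob_len) {
		cERROR(1, "Challenge target info too large or out of range");
		ses->tilen = 0;
		return -EINVAL;
	}
	if (ses->tilen)
		memcpy(ses->auth_key.data.ntlmv2.tiblob, bcc_ptr + tioffset,
		       ses->tilen);
	return 0;
```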
@@ -505,16 +499,13 @@ static int build_ntlmssp_auth_blob(unsigned char *pbuffer,
memcpy(tmp, (char *)&ntlmv2_response, size);
tmp += size;
if (ses->tilen > 0) {
- memcpy(tmp, ses->tiblob, ses->tilen);
+ memcpy(tmp, ses->auth_key.data.ntlmv2.tiblob, ses->tilen);
tmp += ses->tilen;
}
sec_blob->NtChallengeResponse.Length = cpu_to_le16(size + ses->tilen);
sec_blob->NtChallengeResponse.MaximumLength =
cpu_to_le16(size + ses->tilen);
- kfree(ses->tiblob);
- ses->tiblob = NULL;
- ses->tilen = 0;
if (ses->domainName == NULL) {
sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
@@ -750,15 +741,12 @@ ssetup_ntlmssp_authenticate:
bcc_ptr += sizeof(struct ntlmv2_resp);
kfree(v2_sess_key);
if (ses->tilen > 0) {
- memcpy(bcc_ptr, ses->tiblob, ses->tilen);
+ memcpy(bcc_ptr, ses->auth_key.data.ntlmv2.tiblob,
+ ses->tilen);
bcc_ptr += ses->tilen;
pSMB->req_no_secext.CaseSensitivePasswordLength =
cpu_to_le16(sizeof(struct ntlmv2_resp) +
ses->tilen);
- /* we never did allocate ses->domainName to free */
- kfree(ses->tiblob);
- ses->tiblob = NULL;
- ses->tilen = 0;
} else
pSMB->req_no_secext.CaseSensitivePasswordLength =
cpu_to_le16(sizeof(struct ntlmv2_resp));