Commit 81213a88 authored by Hans Leidekker's avatar Hans Leidekker Committed by Alexandre Julliard

secur32: Fix potential leaks of the NTLM session key.

parent 25f34789
...@@ -281,6 +281,7 @@ void cleanup_helper(PNegoHelper helper) ...@@ -281,6 +281,7 @@ void cleanup_helper(PNegoHelper helper)
return; return;
HeapFree(GetProcessHeap(), 0, helper->com_buf); HeapFree(GetProcessHeap(), 0, helper->com_buf);
HeapFree(GetProcessHeap(), 0, helper->session_key);
/* closing stdin will terminate ntlm_auth */ /* closing stdin will terminate ntlm_auth */
close(helper->pipe_out); close(helper->pipe_out);
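Review bot: The added `HeapFree(GetProcessHeap(), 0, helper->session_key);` in cleanup_helper releases the NTLM session key without wiping it, so the key bytes remain readable in freed heap memory. The same applies to the frees added ahead of the reallocations in the two ntlm_AcceptSecurityContext hunks. The buffer should be cleared first, for example `if (helper->session_key) SecureZeroMemory(helper->session_key, key_len);`, where `key_len` is a placeholder for the allocation size (16 in ntlm_AcceptSecurityContext, `bin_len` in ntlm_InitializeSecurityContextW). No length field on the helper is visible on this page, so one may have to be stored alongside the pointer. cleanup_helper begins and ends outside the hunk, so what happens to the pointer and the helper after this line cannot be seen here.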
......
...@@ -825,7 +825,6 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW( ...@@ -825,7 +825,6 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(
ret = SEC_E_BUFFER_TOO_SMALL; ret = SEC_E_BUFFER_TOO_SMALL;
if ((phContext == NULL) && (pInput == NULL)) if ((phContext == NULL) && (pInput == NULL))
{ {
HeapFree(GetProcessHeap(), 0, helper->session_key);
cleanup_helper(helper); cleanup_helper(helper);
phNewContext->dwUpper = 0; phNewContext->dwUpper = 0;
phNewContext->dwLower = 0; phNewContext->dwLower = 0;
...@@ -844,7 +843,6 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW( ...@@ -844,7 +843,6 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(
ret = SEC_E_BUFFER_TOO_SMALL; ret = SEC_E_BUFFER_TOO_SMALL;
if ((phContext == NULL) && (pInput == NULL)) if ((phContext == NULL) && (pInput == NULL))
{ {
HeapFree(GetProcessHeap(), 0, helper->session_key);
cleanup_helper(helper); cleanup_helper(helper);
phNewContext->dwUpper = 0; phNewContext->dwUpper = 0;
phNewContext->dwLower = 0; phNewContext->dwLower = 0;
...@@ -858,7 +856,6 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW( ...@@ -858,7 +856,6 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(
ret = SEC_E_INTERNAL_ERROR; ret = SEC_E_INTERNAL_ERROR;
if ((phContext == NULL) && (pInput == NULL)) if ((phContext == NULL) && (pInput == NULL))
{ {
HeapFree(GetProcessHeap(), 0, helper->session_key);
cleanup_helper(helper); cleanup_helper(helper);
phNewContext->dwUpper = 0; phNewContext->dwUpper = 0;
phNewContext->dwLower = 0; phNewContext->dwLower = 0;
...@@ -907,8 +904,7 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW( ...@@ -907,8 +904,7 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(
helper->session_key = HeapAlloc(GetProcessHeap(), 0, bin_len); helper->session_key = HeapAlloc(GetProcessHeap(), 0, bin_len);
if(!helper->session_key) if(!helper->session_key)
{ {
TRACE("Failed to allocate memory for session key\n"); ret = SEC_E_INSUFFICIENT_MEMORY;
ret = SEC_E_INTERNAL_ERROR;
goto isc_end; goto isc_end;
} }
memcpy(helper->session_key, bin, bin_len); memcpy(helper->session_key, bin, bin_len);
...@@ -1288,7 +1284,13 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext( ...@@ -1288,7 +1284,13 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext(
if(strncmp(buffer, "BH ", 3) == 0) if(strncmp(buffer, "BH ", 3) == 0)
{ {
TRACE("Helper sent %s\n", debugstr_a(buffer+3)); TRACE("Helper sent %s\n", debugstr_a(buffer+3));
HeapFree(GetProcessHeap(), 0, helper->session_key);
helper->session_key = HeapAlloc(GetProcessHeap(), 0, 16); helper->session_key = HeapAlloc(GetProcessHeap(), 0, 16);
if (!helper->session_key)
{
ret = SEC_E_INSUFFICIENT_MEMORY;
goto asc_end;
}
/*FIXME: Generate the dummy session key = MD4(MD4(password))*/ /*FIXME: Generate the dummy session key = MD4(MD4(password))*/
memset(helper->session_key, 0 , 16); memset(helper->session_key, 0 , 16);
} }
...@@ -1300,11 +1302,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext( ...@@ -1300,11 +1302,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext(
TRACE("Failed to decode session key\n"); TRACE("Failed to decode session key\n");
} }
TRACE("Session key is %s\n", debugstr_a(buffer+3)); TRACE("Session key is %s\n", debugstr_a(buffer+3));
HeapFree(GetProcessHeap(), 0, helper->session_key);
helper->session_key = HeapAlloc(GetProcessHeap(), 0, 16); helper->session_key = HeapAlloc(GetProcessHeap(), 0, 16);
if(!helper->session_key) if(!helper->session_key)
{ {
TRACE("Failed to allocate memory for session key\n"); ret = SEC_E_INSUFFICIENT_MEMORY;
ret = SEC_E_INTERNAL_ERROR;
goto asc_end; goto asc_end;
} }
memcpy(helper->session_key, bin, 16); memcpy(helper->session_key, bin, 16);
...@@ -1356,7 +1358,6 @@ static SECURITY_STATUS SEC_ENTRY ntlm_DeleteSecurityContext(PCtxtHandle phContex ...@@ -1356,7 +1358,6 @@ static SECURITY_STATUS SEC_ENTRY ntlm_DeleteSecurityContext(PCtxtHandle phContex
phContext->dwLower = 0; phContext->dwLower = 0;
SECUR32_arc4Cleanup(helper->crypt.ntlm.a4i); SECUR32_arc4Cleanup(helper->crypt.ntlm.a4i);
HeapFree(GetProcessHeap(), 0, helper->session_key);
SECUR32_arc4Cleanup(helper->crypt.ntlm2.send_a4i); SECUR32_arc4Cleanup(helper->crypt.ntlm2.send_a4i);
SECUR32_arc4Cleanup(helper->crypt.ntlm2.recv_a4i); SECUR32_arc4Cleanup(helper->crypt.ntlm2.recv_a4i);
HeapFree(GetProcessHeap(), 0, helper->crypt.ntlm2.send_sign_key); HeapFree(GetProcessHeap(), 0, helper->crypt.ntlm2.send_sign_key);
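Review bot: In the -1300 hunk of ntlm_AcceptSecurityContext, the branch that traces "Failed to decode session key" only logs and falls through, so the code still reaches `memcpy(helper->session_key, bin, 16);`. After a failed decode the session key is therefore built from whatever `bin` happens to hold. The copy is also a fixed 16 bytes, whereas ntlm_InitializeSecurityContextW sizes both the allocation and the copy with `bin_len`. The failure branch should set an error status and `goto asc_end;`, and the decoded length should be checked against 16 before the copy if it is available in this function. The `if` that opens the failure branch is outside the hunk. Separately, `TRACE("Session key is %s\n", debugstr_a(buffer+3));` writes the encoded key to the trace log and would be better dropped or reduced to a length.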
......