Hello, attached patch allows LM authentication for older (Win9x) clients which do not pass NTLM response in type 3 message. It also fixes crash in dovecot-auth (empty credentials could be passed to hex_to_binary function if NTLM2 was negotiated). Please consider applying. Best regards. -- Andrey Panin | Linux and UNIX system administrator pazke at donpac.ru | PGP key: wwwkeys.pgp.net -------------- next part -------------- diff -urdpNX /usr/share/dontdiff -x debian dovecot-1.0-test52.vanilla/src/auth/mech-ntlm.c dovecot-1.0-test52/src/auth/mech-ntlm.c --- dovecot-1.0-test52.vanilla/src/auth/mech-ntlm.c 2004-10-22 17:32:27.000000000 +0400 +++ dovecot-1.0-test52/src/auth/mech-ntlm.c 2004-11-10 16:45:53.000000000 +0300 @@ -42,10 +42,15 @@ lm_credentials_callback(const char *cred const unsigned char *client_response; unsigned char lm_response[LM_RESPONSE_SIZE]; unsigned char hash[LM_HASH_SIZE]; + unsigned int response_length; buffer_t *hash_buffer; int ret; - if (credentials == NULL) { + response_length + ntlmssp_buffer_length(request->response, lm_response); + client_response = ntlmssp_buffer_data(request->response, lm_response); + + if ((credentials == NULL) || (response_length < LM_RESPONSE_SIZE)) { mech_auth_finish(auth_request, NULL, 0, FALSE); return; } @@ -54,8 +59,6 @@ lm_credentials_callback(const char *cred hash, sizeof(hash)); hex_to_binary(credentials, hash_buffer); - client_response = ntlmssp_buffer_data(request->response, lm_response); - ntlmssp_v1_response(hash, request->challenge, lm_response); ret = memcmp(lm_response, client_response, LM_RESPONSE_SIZE) == 0; @@ -75,10 +78,18 @@ ntlm_credentials_callback(const char *cr buffer_t *hash_buffer; int ret; - if (credentials == NULL && !request->ntlm2_negotiated) { - passdb->lookup_credentials(auth_request, - PASSDB_CREDENTIALS_LANMAN, - lm_credentials_callback); + response_length + ntlmssp_buffer_length(request->response, ntlm_response); + client_response = ntlmssp_buffer_data(request->response, ntlm_response); + + if ((credentials == NULL) || (response_length == 0)) { + /* We can't use LM authentication if NTLM2 was negotiated */ + if (request->ntlm2_negotiated) + mech_auth_finish(auth_request, NULL, 0, FALSE); + else + passdb->lookup_credentials(auth_request, + PASSDB_CREDENTIALS_LANMAN, + lm_credentials_callback); return; } @@ -86,9 +97,6 @@ ntlm_credentials_callback(const char *cr hash, sizeof(hash)); hex_to_binary(credentials, hash_buffer); - response_length - ntlmssp_buffer_length(request->response, ntlm_response); - client_response = ntlmssp_buffer_data(request->response, ntlm_response); if (response_length > NTLMSSP_RESPONSE_SIZE) { unsigned char ntlm_v2_response[NTLMSSP_V2_RESPONSE_SIZE]; diff -urdpNX /usr/share/dontdiff -x debian dovecot-1.0-test52.vanilla/src/lib-ntlm/ntlm-message.c dovecot-1.0-test52/src/lib-ntlm/ntlm-message.c --- dovecot-1.0-test52.vanilla/src/lib-ntlm/ntlm-message.c 2004-10-22 17:32:27.000000000 +0400 +++ dovecot-1.0-test52/src/lib-ntlm/ntlm-message.c 2004-11-10 16:28:33.000000000 +0300 @@ -180,13 +180,19 @@ static int ntlmssp_check_buffer(const st size_t data_size, const char **error) { uint32_t offset = read_le32(&buffer->offset); + uint16_t length = read_le16(&buffer->length); + uint16_t space = read_le16(&buffer->space); + + /* Empty buffer is ok */ + if (!length && !space) + return 1; if (offset >= data_size) { *error = "buffer offset out of bounds"; return 0; } - if (offset + read_le16(&buffer->space) > data_size) { + if (offset + space > data_size) { *error = "buffer end out of bounds"; return 0; } -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20041110/b661f21e/attachment-0001.bin>