[squid-users] problem with ntlm_smb_lm_auth helper

Amos Jeffries squid3 at treenet.co.nz
Thu Sep 17 12:57:42 UTC 2015


On 17/09/2015 10:24 p.m., Emmanuel Garette wrote:
> Le 16/09/2015 11:40, Amos Jeffries a écrit :
>> On 16/09/2015 9:05 p.m., Emmanuel Garette wrote:
>>> Le 07/09/2015 18:40, Amos Jeffries a écrit :
>>>> On 8/09/2015 1:17 a.m., Emmanuel Garette wrote:
>>>>> Seems to be ok for me. Thanks for your fast reply.
>>>>>
>>>>> Do I need to open a bug in Bugzilla?
>>>>>
>>>> No need. I think this may be one of the existing ones about this helper.
>>>> Thanks for the feedback, it should be applied to the current versions
>>>> shortly.
>>> Hi,
>>>
>>> Today I found a new problem. All works fine with computers joined into the
>>> Windows domain. Not for computers using CNTLM (not in the domain).
>>>
>>> In debug mode I can see this error:
>>>
>>>> ntlm_smb_lm_auth.cc(307): pid=4668 :NT response: insane data (pkt-sz: 108, fetch len: 0, offset: 108)
>>>
>>> If I understand, there is no NT password.
>>>
>>> In older code, there was this line:
>>>
>>>> tmp = ntlm_fetch_string ((char *) auth, auth_length, &auth->ntresponse);
>>>> if (tmp.str != NULL && tmp.l != 0) {
>>> The NT password was checked only if len was different from 0.
>>>
>>> In this part of your patch:
>>>> /* still fetch the NT response and check validity against empty password */
>>>>      {
>>>>          const strhdr * str = &auth->ntresponse;
>>>>          int16_t len = le16toh(str->len);
>>>>          int32_t offset = le32toh(str->offset);
>>>>          if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
>>>
>>> if I replace the last line with:
>>>
>>>> if ((len != 0 && len != ENCODED_PASS_LEN) || offset + len > auth_length || offset == 0) {
>>>
>>> Everything works well.
>> By that do you mean it rejects with "Empty NT password supplied for
>> user"? Or that it accepts the login?
> I'm not familiar with the NTLM protocol, but in my case the NT password seems to
> be empty (length 0). In this case, the older version of the helper accepts it.
> The new one exits with the error "insane data". That's why I propose to test if
> len is not null.

The change you mention makes a random bit of memory after the NTLM token
get compared against the empty-password hash value.

So I was a little surprised that it would even have the appearance of
working.

I have patched the helper for 3.5.9 to make it completely skip the
ntresponse field when it has 0 length.

Amos
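Added illustration, not code from the thread or from the Squid helper source: a small C model of the two checks discussed above, run on the values from the debug line (pkt-sz 108, fetch len 0, offset 108). The strhdr layout, the field names, the enum and the assumption that the comparison reads a fixed ENCODED_PASS_LEN bytes at the given offset are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of an NTLM security-buffer descriptor (the helper's strhdr):
 * 16-bit length, 16-bit allocated length, 32-bit offset from packet start.
 * Constructed for this example; values are already in host byte order. */
typedef struct {
    uint16_t len;
    uint16_t maxlen;
    uint32_t offset;
} strhdr;

#define ENCODED_PASS_LEN 24   /* size of one NT/LM response blob */

enum nt_result { NT_SKIP = 0, NT_CHECK = 1, NT_INSANE = 2 };

/* The condition proposed in the thread: len == 0 is let through to the
 * comparison. Returns 1 when the descriptor would be passed on. */
int proposed_accepts(const strhdr *s, uint32_t auth_length)
{
    uint32_t len = s->len, offset = s->offset;
    return !((len != 0 && len != ENCODED_PASS_LEN) ||
             offset + len > auth_length || offset == 0);
}

/* Assumption: the hash comparison still reads ENCODED_PASS_LEN bytes at the
 * offset. Report how many of those bytes lie beyond the packet. */
uint32_t bytes_read_past_end(const strhdr *s, uint32_t auth_length)
{
    uint32_t end = s->offset + ENCODED_PASS_LEN;
    return end > auth_length ? end - auth_length : 0;
}

/* Skip-on-empty policy, as the 3.5.9 fix is described: a zero-length field is
 * not looked at; any other field must be a full, in-bounds response. */
enum nt_result classify_ntresponse(const strhdr *s, uint32_t auth_length)
{
    uint32_t len = s->len, offset = s->offset;
    if (len == 0)
        return NT_SKIP;
    /* Bounds test written so offset + len cannot wrap around. */
    if (len != ENCODED_PASS_LEN || offset == 0 || offset > auth_length ||
        len > auth_length - offset)
        return NT_INSANE;
    return NT_CHECK;
}

int main(void)
{
    strhdr cntlm = { 0, 0, 108 };   /* constructed from the debug line */
    printf("proposed check accepts: %d, bytes past packet: %u, skip-on-empty: %d\n",
           proposed_accepts(&cntlm, 108), bytes_read_past_end(&cntlm, 108),
           classify_ntresponse(&cntlm, 108));
    return 0;
}
```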
