winpr/ntlm: Fix endianness in ntlm_av_pair_list

Data in ntlm_av_pair_list are accessed directly, which doesn't work on big endian machines currently. The recieved data are stored as little endian. Use conversion macros from endian.h to load and store the data properly. https://github.com/FreeRDP/FreeRDP/issues/2520
2016-04-22 14:43:40 +02:00 · 2016-04-22 14:43:40 +02:00 · 95a1b53940
commit 95a1b53940
parent 8d468ea6b5
3 changed files with 48 additions and 27 deletions
--- a/winpr/libwinpr/sspi/NTLM/ntlm_av_pairs.c
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_av_pairs.c
@ -57,8 +57,8 @@ const char* const AV_PAIR_STRINGS[] =
 void ntlm_av_pair_list_init(NTLM_AV_PAIR* pAvPairList)
 {
 	NTLM_AV_PAIR* pAvPair = pAvPairList;
-	pAvPair->AvId = MsvAvEOL;
-	pAvPair->AvLen = 0;
+	ntlm_av_pair_set_id(pAvPair, MsvAvEOL);
+	ntlm_av_pair_set_len(pAvPair, 0);
 }

 ULONG ntlm_av_pair_list_length(NTLM_AV_PAIR* pAvPairList)
@ -69,7 +69,7 @@ ULONG ntlm_av_pair_list_length(NTLM_AV_PAIR* pAvPairList)
 	if (!pAvPair)
 		return 0;

-	while (pAvPair->AvId != MsvAvEOL)
+	while (ntlm_av_pair_get_id(pAvPair) != MsvAvEOL)
 	{
 		pAvPair = ntlm_av_pair_get_next_pointer(pAvPair);
 	}
@ -87,12 +87,14 @@ void ntlm_print_av_pair_list(NTLM_AV_PAIR* pAvPairList)

 	WLog_INFO(TAG, "AV_PAIRs =");

-	while (pAvPair->AvId != MsvAvEOL)
+	while (ntlm_av_pair_get_id(pAvPair) != MsvAvEOL)
 	{
 		WLog_INFO(TAG, "\t%s AvId: %d AvLen: %d",
-				  AV_PAIR_STRINGS[pAvPair->AvId],
-				  pAvPair->AvId, pAvPair->AvLen);
-		winpr_HexDump(TAG, WLOG_INFO, ntlm_av_pair_get_value_pointer(pAvPair), pAvPair->AvLen);
+				  AV_PAIR_STRINGS[ntlm_av_pair_get_id(pAvPair)],
+				  ntlm_av_pair_get_id(pAvPair),
+				  ntlm_av_pair_get_len(pAvPair));
+		winpr_HexDump(TAG, WLOG_INFO, ntlm_av_pair_get_value_pointer(pAvPair),
+				      ntlm_av_pair_get_len(pAvPair));
 		pAvPair = ntlm_av_pair_get_next_pointer(pAvPair);
 	}
 }
@ -110,7 +112,7 @@ PBYTE ntlm_av_pair_get_value_pointer(NTLM_AV_PAIR* pAvPair)

 int ntlm_av_pair_get_next_offset(NTLM_AV_PAIR* pAvPair)
 {
-	return pAvPair->AvLen + sizeof(NTLM_AV_PAIR);
+	return ntlm_av_pair_get_len(pAvPair) + sizeof(NTLM_AV_PAIR);
 }

 NTLM_AV_PAIR* ntlm_av_pair_get_next_pointer(NTLM_AV_PAIR* pAvPair)
@ -127,10 +129,10 @@ NTLM_AV_PAIR* ntlm_av_pair_get(NTLM_AV_PAIR* pAvPairList, NTLM_AV_ID AvId)

 	while (1)
 	{
-		if (pAvPair->AvId == AvId)
+		if (ntlm_av_pair_get_id(pAvPair) == AvId)
 			return pAvPair;

-		if (pAvPair->AvId == MsvAvEOL)
+		if (ntlm_av_pair_get_id(pAvPair) == MsvAvEOL)
 			return NULL;

 		pAvPair = ntlm_av_pair_get_next_pointer(pAvPair);
@ -148,8 +150,8 @@ NTLM_AV_PAIR* ntlm_av_pair_add(NTLM_AV_PAIR* pAvPairList, NTLM_AV_ID AvId, PBYTE
 		return NULL;

 	assert(Value != NULL);
-	pAvPair->AvId = AvId;
-	pAvPair->AvLen = AvLen;
+	ntlm_av_pair_set_id(pAvPair, AvId);
+	ntlm_av_pair_set_len(pAvPair, AvLen);
 	CopyMemory(ntlm_av_pair_get_value_pointer(pAvPair), Value, AvLen);
 	return pAvPair;
 }
@ -162,10 +164,11 @@ NTLM_AV_PAIR* ntlm_av_pair_add_copy(NTLM_AV_PAIR* pAvPairList, NTLM_AV_PAIR* pAv
 	if (!pAvPairCopy)
 		return NULL;

-	pAvPairCopy->AvId = pAvPair->AvId;
-	pAvPairCopy->AvLen = pAvPair->AvLen;
+	CopyMemory(&pAvPairCopy->AvId, &pAvPair->AvId, 2);
+	CopyMemory(&pAvPairCopy->AvLen, &pAvPair->AvLen, 2);
 	CopyMemory(ntlm_av_pair_get_value_pointer(pAvPairCopy),
-			   ntlm_av_pair_get_value_pointer(pAvPair), pAvPair->AvLen);
+			   ntlm_av_pair_get_value_pointer(pAvPair),
+			   ntlm_av_pair_get_len (pAvPair));
 	return pAvPairCopy;
 }

@ -288,10 +291,10 @@ void ntlm_compute_single_host_data(NTLM_CONTEXT* context)
 	 * different or if they are on different hosts, then the information MUST be ignored.
 	 * Any fields after the MachineID field MUST be ignored on receipt.
 	 */
-	context->SingleHostData.Size = 48;
-	context->SingleHostData.Z4 = 0;
-	context->SingleHostData.DataPresent = 1;
-	context->SingleHostData.CustomData = SECURITY_MANDATORY_MEDIUM_RID;
+	Data_Write_UINT32(&context->SingleHostData.Size, 48);
+	Data_Write_UINT32(&context->SingleHostData.Z4, 0);
+	Data_Write_UINT32(&context->SingleHostData.DataPresent, 1);
+	Data_Write_UINT32(&context->SingleHostData.CustomData, SECURITY_MANDATORY_MEDIUM_RID);
 	FillMemory(context->SingleHostData.MachineID, 32, 0xAA);
 }

@ -375,31 +378,31 @@ int ntlm_construct_authenticate_target_info(NTLM_CONTEXT* context)
 	if (AvNbDomainName)
 	{
 		AvPairsCount++; /* MsvAvNbDomainName */
-		AvPairsValueLength += AvNbDomainName->AvLen;
+		AvPairsValueLength += ntlm_av_pair_get_len(AvNbDomainName);
 	}

 	if (AvNbComputerName)
 	{
 		AvPairsCount++; /* MsvAvNbComputerName */
-		AvPairsValueLength += AvNbComputerName->AvLen;
+		AvPairsValueLength += ntlm_av_pair_get_len(AvNbComputerName);
 	}

 	if (AvDnsDomainName)
 	{
 		AvPairsCount++; /* MsvAvDnsDomainName */
-		AvPairsValueLength += AvDnsDomainName->AvLen;
+		AvPairsValueLength += ntlm_av_pair_get_len(AvDnsDomainName);
 	}

 	if (AvDnsComputerName)
 	{
 		AvPairsCount++; /* MsvAvDnsComputerName */
-		AvPairsValueLength += AvDnsComputerName->AvLen;
+		AvPairsValueLength += ntlm_av_pair_get_len(AvDnsComputerName);
 	}

 	if (AvDnsTreeName)
 	{
 		AvPairsCount++; /* MsvAvDnsTreeName */
-		AvPairsValueLength += AvDnsTreeName->AvLen;
+		AvPairsValueLength += ntlm_av_pair_get_len(AvDnsTreeName);
 	}

 	AvPairsCount++; /* MsvAvTimestamp */
@ -470,7 +473,8 @@ int ntlm_construct_authenticate_target_info(NTLM_CONTEXT* context)

 	if (context->UseMIC)
 	{
-		UINT32 flags = MSV_AV_FLAGS_MESSAGE_INTEGRITY_CHECK;
+		UINT32 flags;
+		Data_Write_UINT32(&flags, MSV_AV_FLAGS_MESSAGE_INTEGRITY_CHECK);
 		ntlm_av_pair_add(AuthenticateTargetInfo, MsvAvFlags, (PBYTE) &flags, 4);
 	}

--- a/winpr/libwinpr/sspi/NTLM/ntlm_av_pairs.h
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_av_pairs.h
@ -35,6 +35,23 @@ NTLM_AV_PAIR* ntlm_av_pair_get(NTLM_AV_PAIR* pAvPairList, NTLM_AV_ID AvId);
 NTLM_AV_PAIR* ntlm_av_pair_add(NTLM_AV_PAIR* pAvPairList, NTLM_AV_ID AvId, PBYTE Value, UINT16 AvLen);
 NTLM_AV_PAIR* ntlm_av_pair_add_copy(NTLM_AV_PAIR* pAvPairList, NTLM_AV_PAIR* pAvPair);

+static INLINE UINT16 ntlm_av_pair_get_id(NTLM_AV_PAIR* pAvPair)
+{
+	UINT16 AvId;
+	Data_Read_UINT16(&pAvPair->AvId, AvId);
+	return AvId;
+}
+
+static INLINE UINT16 ntlm_av_pair_get_len(NTLM_AV_PAIR* pAvPair)
+{
+	UINT16 AvLen;
+	Data_Read_UINT16(&pAvPair->AvLen, AvLen);
+	return AvLen;
+}
+
+#define ntlm_av_pair_set_id(pAvPair, id) Data_Write_UINT16(&pAvPair->AvId, id)
+#define ntlm_av_pair_set_len(pAvPair, len) Data_Write_UINT16(&pAvPair->AvLen, len)
+
 int ntlm_construct_challenge_target_info(NTLM_CONTEXT* context);
 int ntlm_construct_authenticate_target_info(NTLM_CONTEXT* context);

--- a/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_message.c
@ -679,7 +679,7 @@ SECURITY_STATUS ntlm_read_AuthenticateMessage(NTLM_CONTEXT* context, PSecBuffer
 		AvFlags = ntlm_av_pair_get(context->NTLMv2Response.Challenge.AvPairs, MsvAvFlags);

 		if (AvFlags)
-			flags = *((UINT32*) ntlm_av_pair_get_value_pointer(AvFlags));
+			Data_Read_UINT32(ntlm_av_pair_get_value_pointer(AvFlags), flags);
 	}

 	if (ntlm_read_message_fields_buffer(s, &(message->EncryptedRandomSessionKey)) < 0) /* EncryptedRandomSessionKey */
@ -952,7 +952,7 @@ SECURITY_STATUS ntlm_server_AuthenticateComplete(NTLM_CONTEXT* context)
 	AvFlags = ntlm_av_pair_get(context->NTLMv2Response.Challenge.AvPairs, MsvAvFlags);

 	if (AvFlags)
-		flags = *((UINT32*) ntlm_av_pair_get_value_pointer(AvFlags));
+		Data_Read_UINT32(ntlm_av_pair_get_value_pointer(AvFlags), flags);

 	if (ntlm_compute_lm_v2_response(context) < 0) /* LmChallengeResponse */
 		return SEC_E_INTERNAL_ERROR;