NTLMSSP: fix AUTHENTICATE_MESSAGE without NTLMSSP_NEGOTIATE_VERSION

If we have data remaining before the start of the variable data,
we should assume the space for the version field even without
the NTLMSSP_NEGOTIATE_VERSION flag. In that case we should
mark the 8 bytes as zero bytes.

This fixes https://gitlab.com/wireshark/wireshark/-/issues/17958

Signed-off-by: Stefan Metzmacher <metze@samba.org>

1 files changed, 5 insertions, 1 deletions

diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index 3f097ad60b..bd4218748e 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -2048,8 +2048,12 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
   /* If there are more bytes before the data block dissect a version field
      if NTLMSSP_NEGOTIATE_VERSION is set in the flags (see MS-NLMP) */
   if (offset < data_start) {
-    if (negotiate_flags & NTLMSSP_NEGOTIATE_VERSION)
+    if (negotiate_flags & NTLMSSP_NEGOTIATE_VERSION) {
       offset = dissect_ntlmssp_version(tvb, offset, ntlmssp_tree);
+    } else {
+      proto_tree_add_item(ntlmssp_tree, hf_ntlmssp_ntlmv2_response_z, tvb, offset, 8, ENC_NA);
+      offset += 8;
+    }
   }
 
   /* If there are still more bytes before the data block dissect an MIC (message integrity_code) field */