I stumbled over the same old bug, debugged it and came up with this SVN diff:

$ svn diff src/contrib/smbfs/lib/smb/subr.c
Index: src/contrib/smbfs/lib/smb/subr.c
===================================================================
--- src/contrib/smbfs/lib/smb/subr.c	(revisión: 314251)
+++ src/contrib/smbfs/lib/smb/subr.c	(copia de trabajo)
@@ -232,6 +232,8 @@
 			  islower(ch) ? ('a' + (ch - 'a' + 13) % 26) : ch);
 		ch ^= pos;
 		pos += 13;
+		if (pos > 256)
+		    pos -= 256;
 		sprintf(dst, "%02x", ch);
 		dst += 2;
 	}
@@ -262,6 +264,8 @@
 			return EINVAL;
 		ch ^= pos;
 		pos += 13;
+		if (pos > 256)
+		    pos -= 256;
 		if (isascii(ch))
 		    ch = (isupper(ch) ? ('A' + (ch - 'A' + 13) % 26) :
 			  islower(ch) ? ('a' + (ch - 'a' + 13) % 26) : ch);

I wanted to file a PR, but found with search this older issue with nearly the same solution :-(

can someone please look into it, do a code rev and commit it; thanks

Comment 2 Kurt Jaeger 2017-06-07 17:38:00 UTC

See

https://lists.freebsd.org/pipermail/freebsd-current/2017-June/066208.html

for a similar analysis, with a very similar result.

Comment 3 Josh Paetzel 2017-06-08 00:49:15 UTC

Committed to HEAD.  We'll see if we can get this in to 11.1-RELEASE as well.

Comment 4 commit-hook 2017-06-08 00:49:27 UTC

A commit references this bug:

Author: jpaetzel
Date: Thu Jun  8 00:48:26 UTC 2017
New revision: 319670
URL: https://svnweb.freebsd.org/changeset/base/319670

Log:
  Fix SMBFS when saved passwords are greater than 18 characters

  PR:	132302
  Submitted by:	dhorn2000@gmail.com guru@unixarea.de
  MFC after:	1 week

Changes:
  head/contrib/smbfs/lib/smb/subr.c

(In reply to Josh Paetzel from comment #3)
I was thinking last night about the proposed patch and wanted to modify it, but now it's committed already before I could put hands on the keyboard;

the problem (bug) was that the value in 'pos' for the XOR operation:

	ch ^= pos;

at some point exceeds, when the to be crypted password is long enough, exceeds one byte, and so does the result in 'ch'; later the value from 'ch' is formated to a hex string with

       sprintf(dst, "%02x", ch);
       dst += 2;

which gives in 'dst' four new bytes, like 0136, but the pointer 'dst' is only moved two byte further; this damages the resulting string in 'dst' for the crypted pw and later decrypt goes wrong;

Said this, the test for 'pos' not exceeding one byte must be 

	if (pos >= 256) 
	    pos -=256;'

because a pw of 57 bytes lenth will hit the point where 'pos' is exactly 256 (0x100);

57++ bytes is a very unlikely password, but as it s stored into a file and not typed in from time to time it's not impossible thinking in such a beast;

sorry to come late with this comment;

Comment 6 Josh Paetzel 2017-06-08 16:27:05 UTC

Please feel free to iterate over this.  The first commit stopped the bleeding.  There's no harm with fixing corner cases.

Comment 7 commit-hook 2017-06-15 16:13:06 UTC

A commit references this bug:

Author: jpaetzel
Date: Thu Jun 15 16:12:45 UTC 2017
New revision: 319980
URL: https://svnweb.freebsd.org/changeset/base/319980

Log:
  MFC 319670

  Fix SMBFS when saved passwords are greater than 18 character

  PR:	132302
  Submitted by:	dhorn2000@gmail.com guru@unixarea.de
  Approved by:	re (gjb)

Changes:
_U  stable/11/
  stable/11/contrib/smbfs/lib/smb/subr.c

Comment 8 commit-hook 2017-06-15 23:14:39 UTC

A commit references this bug:

Author: jpaetzel
Date: Thu Jun 15 23:14:05 UTC 2017
New revision: 319992
URL: https://svnweb.freebsd.org/changeset/base/319992

Log:
  MFC 319670

  Fix SMBFS when saved passwords are greater than 18 characters

  PR:	132302
  Submitted by:	dhorn2000@gmail.com guru@unixarea.de

Changes:
_U  stable/10/
  stable/10/contrib/smbfs/lib/smb/subr.c

Comment 9 Eitan Adler 2018-05-20 23:50:39 UTC

For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"

Comment 10 Oleksandr Tymoshenko 2019-01-14 08:08:21 UTC

The patch has been committed, closing as Fixed