Changeset 919 for vendor/current/source3/librpc

Timestamp:

Jun 9, 2016, 2:17:22 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: apply latest security patches to vendor

Location:

vendor/current/source3/librpc/rpc

Files:

• dcerpc.h (modified) (3 diffs)
• dcerpc_helpers.c (modified) (10 diffs)

vendor/current/source3/librpc/rpc/dcerpc.h

@@ -40 +40 @@
         enum dcerpc_AuthType auth_type;
         enum dcerpc_AuthLevel auth_level;
+        bool verified_bitmask1;
 
         void *auth_ctx;
+        uint32_t auth_context_id;
 
         /* Only the client code uses these 3 for now */
@@ -71 +73 @@
                                  const DATA_BLOB *credentials,
                                  DATA_BLOB *blob);
-NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
-                                 const DATA_BLOB *blob,
-                                 struct dcerpc_auth *r,
-                                 bool bigendian);
 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
                             size_t header_len, size_t data_left,
@@ -85 +83 @@
                            struct ncacn_packet *pkt,
                            DATA_BLOB *pkt_trailer,
-                           size_t header_size,
-                           DATA_BLOB *raw_pkt,
-                           size_t *pad_len);
+                           uint8_t header_size,
+                           DATA_BLOB *raw_pkt);
 
 /* The following definitions come from librpc/rpc/rpc_common.c  */

vendor/current/source3/librpc/rpc/dcerpc_helpers.c

@@ -211 +211 @@
 
 /**
-* @brief Decodes a dcerpc_auth blob
-*
-* @param mem_ctx        The memory context on which to allocate the packet
-*                       elements
-* @param blob           The blob of data to decode
-* @param r              An empty dcerpc_auth structure, must not be NULL
-*
-* @return a NTSTATUS error code
-*/
-NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
-                                 const DATA_BLOB *blob,
-                                 struct dcerpc_auth *r,
-                                 bool bigendian)
-{
-        enum ndr_err_code ndr_err;
-        struct ndr_pull *ndr;
-
-        ndr = ndr_pull_init_blob(blob, mem_ctx);
-        if (!ndr) {
-                return NT_STATUS_NO_MEMORY;
-        }
-        if (bigendian) {
-                ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
-        }
-
-        ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, r);
-
-        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-                talloc_free(ndr);
-                return ndr_map_error2ntstatus(ndr_err);
-        }
-        talloc_free(ndr);
-
-        if (DEBUGLEVEL >= 10) {
-                NDR_PRINT_DEBUG(dcerpc_auth, r);
-        }
-
-        return NT_STATUS_OK;
-}
-
-/**
 * @brief Calculate how much data we can in a packet, including calculating
 *        auth token and pad lengths.
@@ -783 +742 @@
                                          auth->auth_level,
                                          pad_len,
-                                         1 /* context id. */,
+                                         auth->auth_context_id,
                                          &auth_blob,
                                          &auth_info);
@@ -845 +804 @@
 * @param auth           The auth data for the connection
 * @param pkt            The actual ncacn_packet
-* @param pkt_trailer    The stub_and_verifier part of the packet
+* @param pkt_trailer [in][out]  The stub_and_verifier part of the packet,
+*                       the auth_trailer and padding will be removed.
 * @param header_size    The header size
 * @param raw_pkt        The whole raw packet data blob
-* @param pad_len        [out] The padding length used in the packet
 *
 * @return A NTSTATUS error code
@@ -855 +814 @@
                            struct ncacn_packet *pkt,
                            DATA_BLOB *pkt_trailer,
-                           size_t header_size,
-                           DATA_BLOB *raw_pkt,
-                           size_t *pad_len)
+                           uint8_t header_size,
+                           DATA_BLOB *raw_pkt)
 {
         struct schannel_state *schannel_auth;
@@ -869 +827 @@
         DATA_BLOB data;
 
+        /*
+         * These check should be done in the caller.
+         */
+        SMB_ASSERT(raw_pkt->length == pkt->frag_length);
+        SMB_ASSERT(header_size <= pkt->frag_length);
+        SMB_ASSERT(pkt_trailer->length < pkt->frag_length);
+        SMB_ASSERT((pkt_trailer->length + header_size) <= pkt->frag_length);
+
         switch (auth->auth_level) {
         case DCERPC_AUTH_LEVEL_PRIVACY:
@@ -882 +848 @@
                         break;
                 }
-                *pad_len = 0;
                 return NT_STATUS_OK;
 
@@ -891 +856 @@
                         return NT_STATUS_INVALID_PARAMETER;
                 }
-                *pad_len = 0;
                 return NT_STATUS_OK;
 
@@ -900 +864 @@
         }
 
-        /* Paranioa checks for auth_length. */
-        if (pkt->auth_length > pkt->frag_length) {
-                return NT_STATUS_INFO_LENGTH_MISMATCH;
-        }
-        if (((unsigned int)pkt->auth_length
-             + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) ||
-            ((unsigned int)pkt->auth_length
-             + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
-                /* Integer wrap attempt. */
-                return NT_STATUS_INFO_LENGTH_MISMATCH;
+        if (pkt->auth_length == 0) {
+                return NT_STATUS_INVALID_PARAMETER;
         }
 
@@ -918 +874 @@
         }
 
+        if (auth_info.auth_type != auth->auth_type) {
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+
+        if (auth_info.auth_level != auth->auth_level) {
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+
+        if (auth_info.auth_context_id != auth->auth_context_id) {
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+
+        pkt_trailer->length -= auth_length;
         data = data_blob_const(raw_pkt->data + header_size,
-                                pkt_trailer->length - auth_length);
-        full_pkt = data_blob_const(raw_pkt->data,
-                                raw_pkt->length - auth_info.credentials.length);
+                               pkt_trailer->length);
+        full_pkt = data_blob_const(raw_pkt->data, raw_pkt->length);
+        full_pkt.length -= auth_info.credentials.length;
 
         switch (auth->auth_type) {
@@ -997 +966 @@
          * are still both used in later calls */
         if (auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+                if (pkt_trailer->length != data.length) {
+                        return NT_STATUS_INVALID_PARAMETER;
+                }
                 memcpy(pkt_trailer->data, data.data, data.length);
         }
 
-        *pad_len = auth_info.auth_pad_length;
+        pkt_trailer->length -= auth_info.auth_pad_length;
         data_blob_free(&auth_info.credentials);
         return NT_STATUS_OK;