Changeset 989 for vendor/current/librpc

Timestamp:

Nov 25, 2016, 8:04:54 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.7

Location:

vendor/current/librpc

Files:

• idl/dcerpc.idl (modified) (1 diff)
• idl/dns.idl (modified) (4 diffs)
• idl/idl_types.h (modified) (1 diff)
• ndr/libndr.h (modified) (1 diff)
• ndr/ndr_dns.c (modified) (3 diffs)
• rpc/dcerpc_util.c (modified) (2 diffs)

vendor/current/librpc/idl/dcerpc.idl

@@ -536 +536 @@
         const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
         const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
-        const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
+
+        /*
+         * See [MS-RPCE] 3.3.3.5.4 Maximum Server Input Data Size
+         * 4 MByte is the default limit of reassembled request payload
+         */
+        const uint32 DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE = 0x400000;
+
+        /*
+         * See [MS-RPCE] 3.3.2.5.2 Handling Responses
+         *
+         * Indicates that Windows accepts up to 0x7FFFFFFF ~2 GByte
+         *
+         * talloc has a limit of 256 MByte, so we need to use something smaller.
+         *
+         * For now we try our luck with 240 MByte.
+         */
+        const uint32 DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE = 0xf000000; /* 240 MByte */
 
         /* little-endian flag */

vendor/current/librpc/idl/dns.idl

@@ -180 +180 @@
         } dns_opt_record;
 
-        typedef [public] struct {
+        typedef [flag(NDR_NO_COMP),public] struct {
                 dns_string     algorithm;
                 uint32         inception;
@@ -192 +192 @@
         } dns_tkey_record;
 
-        typedef [public] struct {
+        typedef [flag(NDR_NO_COMP),public] struct {
                 dns_string algorithm_name;
                 uint16     time_prefix; /* 0 until February 2106*/
@@ -205 +205 @@
         } dns_tsig_record;
 
-        typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+        typedef [flag(NDR_NO_COMP|NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
                 dns_string      name;
                 dns_qclass      rr_class;
@@ -213 +213 @@
                 uint32          time;
                 uint16          fudge;
-                uint16          original_id;
                 uint16          error;
                 uint16          other_size;

vendor/current/librpc/idl/idl_types.h

@@ -41 +41 @@
 #define NDR_ALIGN4        LIBNDR_FLAG_ALIGN4
 #define NDR_ALIGN8        LIBNDR_FLAG_ALIGN8
+#define NDR_NO_COMP       LIBNDR_FLAG_NO_COMPRESSION
 
 /* this flag is used to force a section of IDL as little endian. It is

vendor/current/librpc/ndr/libndr.h

@@ -125 +125 @@
 #define LIBNDR_FLAG_STR_RAW8            (1<<13)
 #define LIBNDR_STRING_FLAGS             (0x7FFC)
+
+/* Disable string token compression  */
+#define LIBNDR_FLAG_NO_COMPRESSION      (1<<15)
 
 /*

vendor/current/librpc/ndr/ndr_dns.c

@@ -170 +170 @@
                 uint32_t offset;
 
-                /* see if we have pushed the remaining string already,
-                 * if so we use a label pointer to this string
-                 */
-                ndr_err = ndr_token_retrieve_cmp_fn(&ndr->dns_string_list, s,
-                                                    &offset,
-                                                    (comparison_fn_t)strcmp,
-                                                    false);
-                if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-                        uint8_t b[2];
-
-                        if (offset > 0x3FFF) {
-                                return ndr_push_error(ndr, NDR_ERR_STRING,
-                                                      "offset for dns string " \
-                                                      "label pointer " \
-                                                      "%u[%08X] > 0x00003FFF",
-                                                      offset, offset);
+                if (!(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION)) {
+                        /* see if we have pushed the remaining string already,
+                         * if so we use a label pointer to this string
+                         */
+                        ndr_err = ndr_token_retrieve_cmp_fn(&ndr->dns_string_list, s,
+                                                            &offset,
+                                                            (comparison_fn_t)strcmp,
+                                                            false);
+                        if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+                                uint8_t b[2];
+
+                                if (offset > 0x3FFF) {
+                                        return ndr_push_error(ndr, NDR_ERR_STRING,
+                                                              "offset for dns string " \
+                                                              "label pointer " \
+                                                              "%u[%08X] > 0x00003FFF",
+                                                              offset, offset);
+                                }
+
+                                b[0] = 0xC0 | (offset>>8);
+                                b[1] = (offset & 0xFF);
+
+                                return ndr_push_bytes(ndr, b, 2);
                         }
-
-                        b[0] = 0xC0 | (offset>>8);
-                        b[1] = (offset & 0xFF);
-
-                        return ndr_push_bytes(ndr, b, 2);
                 }
 
@@ -214 +216 @@
                  * so it can be reused later
                  */
-                NDR_CHECK(ndr_token_store(ndr, &ndr->dns_string_list, s,
-                                          ndr->offset));
+                if (!(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION)) {
+                        NDR_CHECK(ndr_token_store(ndr, &ndr->dns_string_list, s,
+                                                  ndr->offset));
+                }
 
                 /* push just this component into the blob */
@@ -265 +269 @@
                                    LIBNDR_FLAG_NOALIGN);
         if (ndr_flags & NDR_SCALARS) {
+                uint32_t _flags_save_name = ndr->flags;
+
                 NDR_CHECK(ndr_push_align(ndr, 4));
+
+                switch (r->rr_type) {
+                case DNS_QTYPE_TKEY:
+                case DNS_QTYPE_TSIG:
+                        ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NO_COMPRESSION);
+                        break;
+                default:
+                        break;
+                }
                 NDR_CHECK(ndr_push_dns_string(ndr, NDR_SCALARS, r->name));
+                ndr->flags = _flags_save_name;
+
                 NDR_CHECK(ndr_push_dns_qtype(ndr, NDR_SCALARS, r->rr_type));
                 NDR_CHECK(ndr_push_dns_qclass(ndr, NDR_SCALARS, r->rr_class));

vendor/current/librpc/rpc/dcerpc_util.c

@@ -96 +96 @@
         uint16_t auth_length;
         uint32_t tmp_length;
+        uint32_t max_pad_len = 0;
 
         ZERO_STRUCTP(auth);
         if (_auth_length != NULL) {
                 *_auth_length = 0;
+
+                if (auth_data_only) {
+                        return NT_STATUS_INTERNAL_ERROR;
+                }
+        } else {
+                if (!auth_data_only) {
+                        return NT_STATUS_INTERNAL_ERROR;
+                }
         }
 
@@ -148 +157 @@
                 ZERO_STRUCTP(auth);
                 return ndr_map_error2ntstatus(ndr_err);
+        }
+
+        /*
+         * Make sure the padding would not exceed
+         * the frag_length.
+         *
+         * Here we assume at least 24 bytes for the
+         * payload specific header the value of
+         * DCERPC_{REQUEST,RESPONSE}_LENGTH.
+         *
+         * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
+         *
+         * We need this check before we ignore possible
+         * invalid values. See also bug #11982.
+         *
+         * This check is mainly used to generate the correct
+         * error for BIND_*, ALTER_* and AUTH3 pdus.
+         *
+         * We always have the 'if (data_and_pad < auth->auth_pad_length)'
+         * protection for REQUEST and RESPONSE pdus, where the
+         * auth_pad_length field is actually used by the caller.
+         */
+        tmp_length = DCERPC_REQUEST_LENGTH;
+        tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
+        tmp_length += pkt->auth_length;
+        if (tmp_length < pkt->frag_length) {
+                max_pad_len = pkt->frag_length - tmp_length;
+        }
+        if (max_pad_len < auth->auth_pad_length) {
+                DEBUG(1, (__location__ ": ERROR: pad length to large. "
+                          "max %u got %u\n",
+                          (unsigned)max_pad_len,
+                          (unsigned)auth->auth_pad_length));
+                talloc_free(ndr);
+                ZERO_STRUCTP(auth);
+                return NT_STATUS_RPC_PROTOCOL_ERROR;
+        }
+
+        /*
+         * This is a workarround for a bug in old
+         * Samba releases. For BIND_ACK <= 3.5.x
+         * and for ALTER_RESP <= 4.2.x (see bug #11061)
+         *
+         * See also bug #11982.
+         */
+        if (auth_data_only && data_and_pad == 0 &&
+            auth->auth_pad_length > 0) {
+                /*
+                 * we need to ignore invalid auth_pad_length
+                 * values for BIND_*, ALTER_* and AUTH3 pdus.
+                 */
+                auth->auth_pad_length = 0;
         }