Changeset 989 for vendor/current/librpc/rpc

Timestamp:

Nov 25, 2016, 8:04:54 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.7

File:

• vendor/current/librpc/rpc/dcerpc_util.c (modified) (2 diffs)

vendor/current/librpc/rpc/dcerpc_util.c

@@ -96 +96 @@
         uint16_t auth_length;
         uint32_t tmp_length;
+        uint32_t max_pad_len = 0;
 
         ZERO_STRUCTP(auth);
         if (_auth_length != NULL) {
                 *_auth_length = 0;
+
+                if (auth_data_only) {
+                        return NT_STATUS_INTERNAL_ERROR;
+                }
+        } else {
+                if (!auth_data_only) {
+                        return NT_STATUS_INTERNAL_ERROR;
+                }
         }
 
@@ -148 +157 @@
                 ZERO_STRUCTP(auth);
                 return ndr_map_error2ntstatus(ndr_err);
+        }
+
+        /*
+         * Make sure the padding would not exceed
+         * the frag_length.
+         *
+         * Here we assume at least 24 bytes for the
+         * payload specific header the value of
+         * DCERPC_{REQUEST,RESPONSE}_LENGTH.
+         *
+         * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
+         *
+         * We need this check before we ignore possible
+         * invalid values. See also bug #11982.
+         *
+         * This check is mainly used to generate the correct
+         * error for BIND_*, ALTER_* and AUTH3 pdus.
+         *
+         * We always have the 'if (data_and_pad < auth->auth_pad_length)'
+         * protection for REQUEST and RESPONSE pdus, where the
+         * auth_pad_length field is actually used by the caller.
+         */
+        tmp_length = DCERPC_REQUEST_LENGTH;
+        tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
+        tmp_length += pkt->auth_length;
+        if (tmp_length < pkt->frag_length) {
+                max_pad_len = pkt->frag_length - tmp_length;
+        }
+        if (max_pad_len < auth->auth_pad_length) {
+                DEBUG(1, (__location__ ": ERROR: pad length to large. "
+                          "max %u got %u\n",
+                          (unsigned)max_pad_len,
+                          (unsigned)auth->auth_pad_length));
+                talloc_free(ndr);
+                ZERO_STRUCTP(auth);
+                return NT_STATUS_RPC_PROTOCOL_ERROR;
+        }
+
+        /*
+         * This is a workarround for a bug in old
+         * Samba releases. For BIND_ACK <= 3.5.x
+         * and for ALTER_RESP <= 4.2.x (see bug #11061)
+         *
+         * See also bug #11982.
+         */
+        if (auth_data_only && data_and_pad == 0 &&
+            auth->auth_pad_length > 0) {
+                /*
+                 * we need to ignore invalid auth_pad_length
+                 * values for BIND_*, ALTER_* and AUTH3 pdus.
+                 */
+                auth->auth_pad_length = 0;
         }