svn commit: samba r10428 - in trunk/source/rpc_client: .
jra at samba.org
jra at samba.org
Thu Sep 22 18:41:18 GMT 2005
Author: jra
Date: 2005-09-22 18:41:17 +0000 (Thu, 22 Sep 2005)
New Revision: 10428
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10428
Log:
It doesn't help in encrypted RPC streams if you forget to remove
the auth_footer from the stream... :-). Thanks to Volker for catching
this "Doh!" Homer Simpson bug :-).
Jeremy.
Modified:
trunk/source/rpc_client/cli_pipe.c
Changeset:
Modified: trunk/source/rpc_client/cli_pipe.c
===================================================================
--- trunk/source/rpc_client/cli_pipe.c 2005-09-22 18:37:03 UTC (rev 10427)
+++ trunk/source/rpc_client/cli_pipe.c 2005-09-22 18:41:17 UTC (rev 10428)
@@ -440,6 +440,19 @@
{
NTSTATUS ret = NT_STATUS_OK;
+ /* Paranioa checks for auth_len. */
+ if (prhdr->auth_len) {
+ if (prhdr->auth_len > prhdr->frag_len) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (prhdr->auth_len + RPC_HDR_AUTH_LEN < prhdr->auth_len ||
+ prhdr->auth_len + RPC_HDR_AUTH_LEN < RPC_HDR_AUTH_LEN) {
+ /* Integer wrap attempt. */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
/*
* Now we have a complete RPC request PDU fragment, try and verify any auth data.
*/
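Review bot: The bound `prhdr->auth_len > prhdr->frag_len` only rejects an auth_len larger than the whole fragment, so a value that leaves no room for the RPC header and the auth header still passes this check. Since auth_len comes from the peer, a tighter bound here would be `if (prhdr->frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN || prhdr->auth_len > prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN)`, which rejects the malformed fragment before any auth-type-specific code runs. The wrap test below it may also never fire: if auth_len is a 16-bit field (its declaration is not visible here), the addition is promoted to int and cannot wrap, so it is worth confirming the type or doing the comparison in subtraction form. The enclosing function begins and continues outside this hunk.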
@@ -543,11 +556,26 @@
/* Point the return values at the NDR data. Remember to remove any ss padding. */
*ppdata = prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
+
if (current_pdu_len < RPC_HEADER_LEN + RPC_HDR_RESP_LEN + ss_padding_len) {
return NT_STATUS_BUFFER_TOO_SMALL;
}
+
*pdata_len = current_pdu_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - ss_padding_len;
+ /* Remember to remove the auth footer. */
+ if (prhdr->auth_len) {
+ /* We've already done integer wrap tests on auth_len in
+ cli_pipe_validate_rpc_response(). */
+ if (*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+ *pdata_len -= (RPC_HDR_AUTH_LEN + prhdr->auth_len);
+ }
+
+ DEBUG(10,("cli_pipe_validate_current_pdu: got pdu len %u, data_len %u, ss_len %u\n",
+ current_pdu_len, *pdata_len, ss_padding_len ));
+
/*
* If this is the first reply, and the allocation hint is reasonably, try and
* set up the return_data parse_struct to the correct size.
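Review bot: The footer guard `if (*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len)` is only sound if that sum cannot wrap, and the comment defers that guarantee to cli_pipe_validate_rpc_response(), which is outside this hunk. Writing it in subtraction form, `if (*pdata_len < RPC_HDR_AUTH_LEN || *pdata_len - RPC_HDR_AUTH_LEN < prhdr->auth_len)`, makes the check hold on its own even if a later code path reaches it without the earlier validation. Separately, `*ppdata` is assigned before either length check, so on both NT_STATUS_BUFFER_TOO_SMALL returns the caller's pointer has been set without a matching length. Moving that assignment below the checks would leave the out-parameters untouched on failure. The function starts and ends outside the hunk.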
@@ -809,6 +837,9 @@
ret = cli_pipe_validate_current_pdu(cli, &rhdr, ¤t_pdu, expected_pkt_type,
&ret_data, &ret_data_len, rbuf);
+ DEBUG(10,("rpc_api_pipe: got PDU len of %u at offset %u\n",
+ prs_data_size(¤t_pdu), current_rbuf_offset ));
+
if (!NT_STATUS_IS_OK(ret)) {
goto err;
}