svn commit: samba r10428 - in trunk/source/rpc_client: .

jra at samba.org jra at samba.org
Thu Sep 22 18:41:18 GMT 2005


Author: jra
Date: 2005-09-22 18:41:17 +0000 (Thu, 22 Sep 2005)
New Revision: 10428

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10428

Log:
It doesn't help in encrypted RPC streams if you forget to remove
the auth_footer from the stream... :-). Thanks to Volker for catching
this "Doh!" Homer Simpson bug :-).
Jeremy.

Modified:
   trunk/source/rpc_client/cli_pipe.c


Changeset:
Modified: trunk/source/rpc_client/cli_pipe.c
===================================================================
--- trunk/source/rpc_client/cli_pipe.c	2005-09-22 18:37:03 UTC (rev 10427)
+++ trunk/source/rpc_client/cli_pipe.c	2005-09-22 18:41:17 UTC (rev 10428)
@@ -440,6 +440,19 @@
 {
 	NTSTATUS ret = NT_STATUS_OK;
 
+	/* Paranioa checks for auth_len. */
+	if (prhdr->auth_len) {
+		if (prhdr->auth_len > prhdr->frag_len) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		if (prhdr->auth_len + RPC_HDR_AUTH_LEN < prhdr->auth_len ||
+				prhdr->auth_len + RPC_HDR_AUTH_LEN < RPC_HDR_AUTH_LEN) {
+			/* Integer wrap attempt. */
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
+
 	/*
 	 * Now we have a complete RPC request PDU fragment, try and verify any auth data.
 	 */
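Review bot: The first added check compares auth_len with frag_len alone, so a header whose auth_len plus RPC_HDR_AUTH_LEN exceeds frag_len still passes here; doing the wrap test first and then tightening the bound to `if (prhdr->auth_len + RPC_HDR_AUTH_LEN > prhdr->frag_len) { return NT_STATUS_INVALID_PARAMETER; }` would reject that case at the header stage. The later comparison against *pdata_len in cli_pipe_validate_current_pdu appears to catch it downstream, so this is defence in depth rather than an open hole. The new comment also misspells `Paranioa`; it should read `/* Paranoia checks for auth_len. */`. The enclosing function opens at the `{` on the first context line, so its signature and the declared types of auth_len and frag_len are outside the hunk.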
@@ -543,11 +556,26 @@
 
 			/* Point the return values at the NDR data. Remember to remove any ss padding. */
 			*ppdata = prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
+
 			if (current_pdu_len < RPC_HEADER_LEN + RPC_HDR_RESP_LEN + ss_padding_len) {
 				return NT_STATUS_BUFFER_TOO_SMALL;
 			}
+
 			*pdata_len = current_pdu_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - ss_padding_len;
 
+			/* Remember to remove the auth footer. */
+			if (prhdr->auth_len) {
+				/* We've already done integer wrap tests on auth_len in
+					cli_pipe_validate_rpc_response(). */
+				if (*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len) {
+					return NT_STATUS_BUFFER_TOO_SMALL;
+				}
+				*pdata_len -= (RPC_HDR_AUTH_LEN + prhdr->auth_len);
+			}
+
+			DEBUG(10,("cli_pipe_validate_current_pdu: got pdu len %u, data_len %u, ss_len %u\n",
+				current_pdu_len, *pdata_len, ss_padding_len ));
+
 			/*
 			 * If this is the first reply, and the allocation hint is reasonably, try and
 			 * set up the return_data parse_struct to the correct size.
@@ -809,6 +837,9 @@
 		ret = cli_pipe_validate_current_pdu(cli, &rhdr, &current_pdu, expected_pkt_type,
 				&ret_data, &ret_data_len, rbuf);
 
+		DEBUG(10,("rpc_api_pipe: got PDU len of %u at offset %u\n",
+			prs_data_size(&current_pdu), current_rbuf_offset ));
+
 		if (!NT_STATUS_IS_OK(ret)) {
 			goto err;
 		}


