svn commit: samba r19502 - in branches/SAMBA_4_0/source: librpc/rpc rpc_server

tridge at samba.org tridge at samba.org
Sat Oct 28 04:17:44 GMT 2006


Author: tridge
Date: 2006-10-28 04:17:43 +0000 (Sat, 28 Oct 2006)
New Revision: 19502

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19502

Log:

fixed the RPC-SECRETS test with kerberos. Andrew, can you look at this
as well?

The server side change is needed to fix a valgrind error, which was
possibly exploitable if the client sent deliberately bad data

Modified:
   branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c
   branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c


Changeset:
Modified: branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c
===================================================================
--- branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c	2006-10-27 01:10:49 UTC (rev 19501)
+++ branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c	2006-10-28 04:17:43 UTC (rev 19502)
@@ -272,7 +272,6 @@
 		return status;
 	}
 	
-	
 	/* check signature or unseal the packet */
 	switch (c->security_state.auth_info->auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
@@ -433,6 +432,13 @@
 			return status;
 		}
 		dcerpc_set_auth_length(blob, creds2.length);
+		if (c->security_state.auth_info->credentials.length == 0) {
+			/* this is needed for krb5 only, to correct the total packet
+			   length */
+			dcerpc_set_frag_length(blob, 
+					       dcerpc_get_frag_length(blob)
+					       +creds2.length);
+		}
 		break;
 
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
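Review bot: The sum passed to `dcerpc_set_frag_length` in the added block is not range-checked, and the DCE/RPC fragment-length header field is only 16 bits wide, so a large `creds2.length` would presumably be truncated when stored and leave the header disagreeing with the real packet size. Checking `creds2.length > UINT16_MAX - dcerpc_get_frag_length(blob)` before the call and failing the request in that case would make the limit explicit. The same applies to the identical block added in the DCERPC_AUTH_LEVEL_INTEGRITY case and to the two `dcerpc_set_frag_length` calls added in dcesrv_auth.c. The enclosing function starts and ends outside the hunk, so whether the setter itself rejects oversized values cannot be seen here.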
@@ -454,6 +460,13 @@
 			return status;
 		}
 		dcerpc_set_auth_length(blob, creds2.length);
+		if (c->security_state.auth_info->credentials.length == 0) {
+			/* this is needed for krb5 only, to correct the total packet
+			   length */
+			dcerpc_set_frag_length(blob, 
+					       dcerpc_get_frag_length(blob)
+					       +creds2.length);
+		}
 		break;
 
 	case DCERPC_AUTH_LEVEL_CONNECT:
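Review bot: The comment in the added block says the adjustment is needed for krb5 only, but the condition tests `c->security_state.auth_info->credentials.length == 0` and nothing explains why an empty credentials blob identifies that case. If the reason is that no placeholder signature was pushed and frag_length therefore does not yet include the auth trailer (inferred, not visible in the hunk), I would say so: `/* no placeholder signature was pushed, so frag_length does not include the trailer yet (seen with krb5) */`. The block is also a verbatim copy of the one added in the DCERPC_AUTH_LEVEL_PRIVACY case, so a small static helper taking `c`, `blob` and `creds2.length` would keep the two from drifting apart.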

Modified: branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c	2006-10-27 01:10:49 UTC (rev 19501)
+++ branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c	2006-10-28 04:17:43 UTC (rev 19502)
@@ -470,19 +470,14 @@
 					    &creds2);
 
 		if (NT_STATUS_IS_OK(status)) {
-			status = data_blob_realloc(call, blob,
-						   blob->length - dce_conn->auth_state.auth_info->credentials.length + 
-						   creds2.length);
+			blob->length -= dce_conn->auth_state.auth_info->credentials.length;
+			status = data_blob_append(call, blob, creds2.data, creds2.length);
 		}
 
-		if (NT_STATUS_IS_OK(status)) {
-			memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length,
-			       creds2.data, creds2.length);
-		}
-
 		/* If we did AEAD signing of the packet headers, then we hope
 		 * this value didn't change... */
 		dcerpc_set_auth_length(blob, creds2.length);
+		dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);
 		data_blob_free(&creds2);
 		break;
 
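Review bot: `dcerpc_set_auth_length` and the new `dcerpc_set_frag_length` call run even when `status` is an error, because only the `data_blob_append` call sits inside `if (NT_STATUS_IS_OK(status))`. If the signing or sealing call failed, `creds2` may never have been filled in (its initialisation is outside the hunk), and if the append failed `blob->length` has already been shortened, so the header is rewritten from lengths that do not describe the buffer. Wrapping both setters in a second `if (NT_STATUS_IS_OK(status)) { ... }` after the append avoids that. The same pattern is repeated in the following hunk of this file.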
@@ -495,20 +490,14 @@
 					    blob->length - dce_conn->auth_state.auth_info->credentials.length,
 					    &creds2);
 		if (NT_STATUS_IS_OK(status)) {
-			status = data_blob_realloc(call, blob,
-						   blob->length - dce_conn->auth_state.auth_info->credentials.length + 
-						   creds2.length);
+			blob->length -= dce_conn->auth_state.auth_info->credentials.length;
+			status = data_blob_append(call, blob, creds2.data, creds2.length);
 		}
 
-		if (NT_STATUS_IS_OK(status)) {
-			memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length,
-			       creds2.data, creds2.length);
-		}
-
 		/* If we did AEAD signing of the packet headers, then we hope
 		 * this value didn't change... */
 		dcerpc_set_auth_length(blob, creds2.length);
-
+		dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);
 		data_blob_free(&creds2);
 		break;
 
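Review bot: `blob->length -= dce_conn->auth_state.auth_info->credentials.length;` has no check that the credentials length is not larger than `blob->length`, so the subtraction can wrap and the following `data_blob_append` then works from a bogus length. The commit message says the old code misbehaved on deliberately bad client data, so if this length can be influenced by the peer (not visible here), a guard ahead of the signing call is worth adding, such as `if (dce_conn->auth_state.auth_info->credentials.length > blob->length) { status = NT_STATUS_INVALID_PARAMETER; break; }`. Also, frag_length is increased by `creds2.length` without subtracting the old credentials length, whereas the client-side change in dcerpc.c only adjusts it when that length is zero; a comment stating which assumption holds on the server would help. Both points apply equally to the previous hunk in this file.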


