[SCM] Samba Shared Repository - branch v3-6-stable updated
Karolin Seeger
kseeger at samba.org
Sun Dec 8 22:14:23 MST 2013
The branch, v3-6-stable has been updated
via e795800 WHATSNEW: Add release notes for Samba 3.0.22.
via 3b61be8 CVE-2012-6150: Fail authentication for single group name which cannot be converted to sid
via 50e3da9 CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
via b915d0b CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
via 4c2aa03 CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
via 6434d49 CVE-2013-4408:s3:Ensure we always check call_id when validating an RPC reply.
via f6d2b22 CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done()
via 9242121 CVE-2013-4408:s3:util_tsock: add some overflow detection to tstream_read_packet_done()
via 27a7516 CVE-2013-4408:async_sock: add some overflow detection to read_packet_handler()
via ba9728b CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet()
via fc294c4 CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()
via c9d780c CVE-2013-4408:s4:dcerpc_smb: check for invalid frag_len in send_read_request_continue()
via 17667fc CVE-2013-4408:s4:dcerpc: check for invalid frag_len in ncacn_pull()
via 2883374 CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size
via 4487b19 CVE-2013-4408:s3:rpc_client: check for invalid frag_len in dcerpc_pull_ncacn_packet()
via b13b142 CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next_vector()
via d485eff CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_done()
from 8317477 VERSION: Bump version up to 3.6.22.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable
- Log -----------------------------------------------------------------
commit e795800392ce1b5b5717ea0ad5334ebd6c9df7ed
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 6 20:19:23 2013 +0100
WHATSNEW: Add release notes for Samba 3.0.22.
Bug 10185 - CVE-2013-4408: DCERPC frag_len not checked
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10185
Bug 10306 - CVE-2012-6150: Fail authentication if user isn't member of *any*
require_membership_of specified groups
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10306
(BUG: https://bugzilla.samba.org/show_bug.cgi?id=10300)
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 3b61be8a4b06f929c1bd52c1b8016f9a4fff9be1
Author: Noel Power <noel.power at suse.com>
Date: Wed Oct 16 16:30:55 2013 +0100
CVE-2012-6150: Fail authentication for single group name which cannot be converted to sid
furthermore if more than one name is supplied and no sid is converted
then also fail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10306
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
[ddiss at samba.org: fixed incorrect bugzilla tag I added to master commit]
commit 50e3da9992e4a43b888caa3aeadfbf5293e8281a
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 19 14:10:15 2013 -0800
CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit b915d0bd6d88f8fe725716b7654acfcb8303a2d4
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 19 14:04:19 2013 -0800
CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 4c2aa03e447b0ac7a74aecdee37205740e43bea5
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 19 13:53:32 2013 -0800
CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 6434d492578b37c7c97bd3f55d4fc14958bbd080
Author: Jeremy Allison <jra at samba.org>
Date: Tue Oct 22 15:34:12 2013 -0700
CVE-2013-4408:s3:Ensure we always check call_id when validating an RPC reply.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f6d2b22ec51e025a309548224e8354bce52ea648
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Oct 16 14:17:49 2013 +0200
CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9242121dcae43a736a9de5cf73c48a6dc95516f8
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Oct 16 14:17:49 2013 +0200
CVE-2013-4408:s3:util_tsock: add some overflow detection to tstream_read_packet_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 27a751632eb3bfc3f5610314b8254d16d027c0b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Oct 16 14:17:49 2013 +0200
CVE-2013-4408:async_sock: add some overflow detection to read_packet_handler()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ba9728b86c52ad2da4d80d80edb17c07bd09be2c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 05:03:40 2013 +0200
CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit fc294c4842cfaea19ddcec2a5be37322ab8b5b45
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c9d780c7d95dd8a5aaf0a87f48baed3bff046d59
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s4:dcerpc_smb: check for invalid frag_len in send_read_request_continue()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 17667fcf49609a67ce72b6be6f922003db9befdc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s4:dcerpc: check for invalid frag_len in ncacn_pull()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 288337429fe8f3a830e592a53b8b12e1a060d299
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4487b19619fa0fbfc64c33cd073e67ceae8563c3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s3:rpc_client: check for invalid frag_len in dcerpc_pull_ncacn_packet()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b13b1426f6c309b6ff3b2b5f9e335a62fd256969
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 05:03:40 2013 +0200
CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next_vector()
We should do this explicitly instead of relying on
tstream_readv_pdu_ask_for_next_vector() to catch the overflow.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d485eff4c13ce3c0ab689cde56fe74ad3a0343f5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 05:03:40 2013 +0200
CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 98 ++++++++++++++++++++++++++-
lib/async_req/async_sock.c | 5 ++
libcli/util/tstream.c | 5 ++
librpc/idl/dcerpc.idl | 1 +
librpc/rpc/dcerpc_util.c | 23 ++++++
librpc/rpc/rpc_common.h | 1 +
nsswitch/libwbclient/wbc_sid.c | 7 ++
nsswitch/pam_winbind.c | 6 ++
nsswitch/wbinfo.c | 23 ++++++-
source3/lib/netapi/group.c | 98 +++++++++++++++++++++++++++
source3/lib/netapi/localgroup.c | 8 ++-
source3/lib/netapi/user.c | 72 ++++++++++++++++++++
source3/lib/util_tsock.c | 5 ++
source3/libnet/libnet_join.c | 16 +++++
source3/librpc/rpc/dcerpc_helpers.c | 4 +
source3/rpc_client/cli_lsarpc.c | 35 +++++++++-
source3/rpc_client/cli_pipe.c | 42 ++++++++++--
source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
source3/rpcclient/cmd_lsarpc.c | 13 +++-
source3/rpcclient/cmd_samr.c | 66 ++++++++++++++++++-
source3/smbd/lanman.c | 8 ++
source3/utils/net_rpc.c | 47 ++++++++++++-
source3/utils/net_rpc_join.c | 9 +++
source3/winbindd/wb_lookupsids.c | 3 +
source3/winbindd/winbindd_msrpc.c | 10 ++-
source3/winbindd/winbindd_rpc.c | 54 +++++++++++----
source4/libcli/util/clilsa.c | 22 ++++++-
source4/libnet/groupinfo.c | 10 ++-
source4/libnet/groupman.c | 10 ++--
source4/libnet/libnet_join.c | 12 +++-
source4/libnet/libnet_lookup.c | 5 ++
source4/libnet/libnet_passwd.c | 10 +++-
source4/libnet/userinfo.c | 9 ++-
source4/libnet/userman.c | 24 +++----
source4/librpc/rpc/dcerpc.c | 4 +
source4/librpc/rpc/dcerpc_smb.c | 6 ++
source4/librpc/rpc/dcerpc_smb2.c | 6 ++
source4/librpc/rpc/dcerpc_sock.c | 6 ++
source4/winbind/wb_async_helpers.c | 26 +++++++-
39 files changed, 745 insertions(+), 66 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d3c4661..652feab 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,97 @@
==============================
+ Release Notes for Samba 3.6.22
+ December 9, 2013
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and
+CVE-2012-6150 (pam_winbind login without require_membership_of restrictions).
+
+o CVE-2013-4408:
+ Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 -
+ 3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are
+ vulnerable to buffer overrun exploits in the client processing of
+ DCE-RPC packets. This is due to incorrect checking of the DCE-RPC
+ fragment length in the client code.
+
+ This is a critical vulnerability as the DCE-RPC client code is part of
+ the winbindd authentication and identity mapping daemon, which is
+ commonly configured as part of many server installations (when joined
+ to an Active Directory Domain). A malicious Active Directory Domain
+ Controller or man-in-the-middle attacker impersonating an Active
+ Directory Domain Controller could achieve root-level access by
+ compromising the winbindd process.
+
+ Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are
+ also vulnerable to a denial of service attack (server crash) due to a
+ similar error in the server code of those versions.
+
+ Samba server versions 3.6.0 and above (including all 3.6.x versions,
+ all 4.0.x versions and 4.1.x) are not vulnerable to this problem.
+
+ In addition range checks were missing on arguments returned from calls
+ to the DCE-RPC functions LookupSids (lsa and samr), LookupNames (lsa and samr)
+ and LookupRids (samr) which could also cause similar problems.
+
+ As this was found during an internal audit of the Samba code there are
+ no currently known exploits for this problem (as of December 9th 2013).
+
+o CVE-2012-6150:
+ Winbind allows for the further restriction of authenticated PAM logins using
+ the require_membership_of parameter. System administrators may specify a list
+ of SIDs or groups for which an authenticated user must be a member of. If an
+ authenticated user does not belong to any of the entries, then login should
+ fail. Invalid group name entries are ignored.
+
+ Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
+ authenticated users if the require_membership_of parameter specifies only
+ invalid group names.
+
+ This is a vulnerability with low impact. All require_membership_of group
+ names must be invalid for this bug to be encountered.
+
+
+Changes since 3.6.21:
+---------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 10185: CVE-2013-4408: Correctly check DCE-RPC fragment length field.
+
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 10185: CVE-2013-4408: Correctly check DCE-RPC fragment length field.
+
+
+o Noel Power <noel.power at suse.com>
+ * BUGs 10300, 10306: CVE-2012-6150: Fail authentication if user isn't
+ member of *any* require_membership_of specified groups.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 3.6.21
November 29, 2013
==============================
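Review bot: The commit subject reads "Add release notes for Samba 3.0.22" while this hunk adds the notes for 3.6.22, so the subject and the text disagree. In the CVE-2013-4408 paragraph the affected-version list ends with "4.0.0 - 4.0.12 and including 4.1.2", which is not written as a range like the other entries; stating the 4.1 series in the same form would remove the ambiguity about which 4.1 releases are covered.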
@@ -54,8 +147,9 @@ database (https://bugzilla.samba.org/).
== The Samba Team
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 3.6.20
diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
index bb8518f..03b0b33 100644
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -635,6 +635,11 @@ static void read_packet_handler(struct tevent_context *ev,
return;
}
+ if (total + more < total) {
+ tevent_req_error(req, EMSGSIZE);
+ return;
+ }
+
tmp = talloc_realloc(state, state->buf, uint8_t, total+more);
if (tevent_req_nomem(tmp, req)) {
return;
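Review bot: The new test "total + more < total" ahead of talloc_realloc() detects overflow only if both operands are unsigned and the sum is computed at the width of "total"; their declarations are outside this hunk, so a short comment naming the types would make the check auditable in place. It also catches wraparound only: a large sum that does not wrap still reaches talloc_realloc(), so any intended upper bound on the packet size has to be enforced elsewhere.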
diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c
index b287597..ff7f864 100644
--- a/libcli/util/tstream.c
+++ b/libcli/util/tstream.c
@@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq)
return;
}
+ if (new_buf_size <= old_buf_size) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE);
+ return;
+ }
+
buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size);
if (tevent_req_nomem(buf, req)) {
return;
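Review bot: The check "new_buf_size <= old_buf_size" rejects the equal case as well, so a step that asks for zero additional bytes now ends in NT_STATUS_INVALID_BUFFER_SIZE. If that is deliberate (no progress means a malformed PDU), a one-line comment above the test should say so, since the computation of new_buf_size is not visible next to it.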
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 86f22a4..8949836 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -467,6 +467,7 @@ interface dcerpc
const uint8 DCERPC_DREP_OFFSET = 4;
const uint8 DCERPC_FRAG_LEN_OFFSET = 8;
const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
+ const uint8 DCERPC_CALL_ID_OFFSET = 12;
/* little-endian flag */
const uint8 DCERPC_DREP_LE = 0x10;
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index a405ca8..cb21312 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -48,6 +48,15 @@ uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
}
}
+uint32_t dcerpc_get_call_id(const DATA_BLOB *blob)
+{
+ if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
+ return IVAL(blob->data, DCERPC_CALL_ID_OFFSET);
+ } else {
+ return RIVAL(blob->data, DCERPC_CALL_ID_OFFSET);
+ }
+}
+
void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
{
if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
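Review bot: dcerpc_get_call_id() reads four bytes at DCERPC_CALL_ID_OFFSET (12) without looking at blob->length, so it is only safe on a blob of at least 16 bytes. Either check the length inside the helper or document that precondition at the declaration, so that a caller validating a reply cannot use it on a short buffer.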
@@ -223,6 +232,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
ofs = state->buffer.length;
+ if (frag_len < ofs) {
+ /*
+ * something is wrong, let the caller deal with it
+ */
+ *_vector = NULL;
+ *_count = 0;
+ return 0;
+ }
+
state->buffer.data = talloc_realloc(state,
state->buffer.data,
uint8_t, frag_len);
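Review bot: In the "frag_len < ofs" branch the function returns 0 with *_vector = NULL and *_count = 0, which reports success with an empty vector, so the invalid length is rejected only if a later check catches it. The comment "let the caller deal with it" should name that check (the frag_length comparison added to dcerpc_read_ncacn_packet_done() in this same file), or the branch should return an error directly.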
@@ -292,6 +310,11 @@ static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
return;
}
+ if (state->pkt->frag_length != state->buffer.length) {
+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
+
tevent_req_done(req);
}
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index 44c3cfd..924645d 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -135,6 +135,7 @@ enum dcerpc_transport_t dcerpc_transport_by_tower(const struct epm_tower *tower)
void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v);
uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob);
+uint32_t dcerpc_get_call_id(const DATA_BLOB *blob);
void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v);
uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c
index 6df8a3c..35319c5 100644
--- a/nsswitch/libwbclient/wbc_sid.c
+++ b/nsswitch/libwbclient/wbc_sid.c
@@ -421,6 +421,13 @@ wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids,
for (i=0; i<num_names; i++) {
names[i].domain_index = strtoul(p, &q, 10);
+ if (names[i].domain_index < 0) {
+ goto wbc_err_invalid;
+ }
+ if (names[i].domain_index >= num_domains) {
+ goto wbc_err_invalid;
+ }
+
if (*q != ' ') {
goto wbc_err_invalid;
}
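Review bot: The range checks run on names[i].domain_index after the strtoul() result has already been stored in it, so a value too large for that field is converted before it is compared and may land back inside the valid range. Parse into a local unsigned long, compare that against num_domains, and assign only afterwards; that also makes the "< 0" test unnecessary.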
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index d126494..8f5ad50 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -1184,6 +1184,12 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
_make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
"to sid, please contact your administrator to see "
"if group %s is valid."), search_location, search_location);
+
+ /* If no valid groups were converted we should fail outright */
+ if (name_list != NULL && strlen(sid_list_buffer) == 0) {
+ result = false;
+ goto out;
+ }
/*
* The lookup of the last name failed..
* It results in require_member_of_sid ends with ','
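Review bot: The new early exit sits after the "Cannot convert group" remark and sets result = false without a message of its own, so a login refused because no group name converted to a SID is not distinguishable in the output from a single bad entry. Add a remark or log line on this path saying that no valid require_membership_of group was found, and leave a blank line between the closing brace and the comment block that follows.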
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 9d25f59..8b822d7 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1380,11 +1380,28 @@ static bool wbinfo_lookup_sids(const char *arg)
}
for (i=0; i<num_sids; i++) {
+ const char *domain = NULL;
+
wbcSidToStringBuf(&sids[i], sidstr, sizeof(sidstr));
- d_printf("%s -> %s\\%s %d\n", sidstr,
- domains[names[i].domain_index].short_name,
- names[i].name, names[i].type);
+ if (names[i].domain_index >= num_domains) {
+ domain = "<none>";
+ } else if (names[i].domain_index < 0) {
+ domain = "<none>";
+ } else {
+ domain = domains[names[i].domain_index].short_name;
+ }
+
+ if (names[i].type == WBC_SID_NAME_DOMAIN) {
+ d_printf("%s -> %s %d\n", sidstr,
+ domain,
+ names[i].type);
+ } else {
+ d_printf("%s -> %s%c%s %d\n", sidstr,
+ domain,
+ winbind_separator(),
+ names[i].name, names[i].type);
+ }
}
return true;
}
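Review bot: The loop now prints the name with winbind_separator() instead of the fixed backslash and adds a separate format for WBC_SID_NAME_DOMAIN entries, which changes wbinfo output for valid replies as well as for out-of-range ones; that belongs in the commit message, since scripts may parse this output. The two branches that set domain to "<none>" (domain_index >= num_domains and domain_index < 0) can be a single condition.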
diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
index 4295d9f..09a0f0b 100644
--- a/source3/lib/netapi/group.c
+++ b/source3/lib/netapi/group.c
@@ -309,6 +309,15 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_INVALID_DATATYPE;
goto done;
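Review bot: The pair of checks "rids.count != 1" and "types.count != 1" ahead of types.ids[0] is repeated verbatim at each lookup call site in this file, which makes it easy to miss one the next time a call is added. A small helper that validates both counts against the number of names requested and returns WERR_BAD_NET_RESP would keep the rule in one place.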
@@ -386,6 +395,14 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (member_types.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
}
for (i=0; i < rid_array->count; i++) {
@@ -511,6 +528,14 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_INVALID_DATATYPE;
@@ -781,6 +806,14 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_INVALID_DATATYPE;
@@ -921,6 +954,14 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
werr = WERR_GROUPNOTFOUND;
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_GROUPNOTFOUND;
@@ -959,6 +1000,14 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
werr = WERR_USER_NOT_FOUND;
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_USER) {
werr = WERR_USER_NOT_FOUND;
@@ -1065,6 +1114,14 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
werr = WERR_GROUPNOTFOUND;
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_GROUPNOTFOUND;
@@ -1104,6 +1161,14 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
werr = WERR_USER_NOT_FOUND;
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_USER) {
werr = WERR_USER_NOT_FOUND;
@@ -1514,6 +1579,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (group_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenGroup(b, talloc_tos(),
&domain_handle,
@@ -1558,6 +1631,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (member_types.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
for (i=0; i < names.count; i++) {
@@ -1689,6 +1770,14 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (group_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (group_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenGroup(b, talloc_tos(),
&domain_handle,
@@ -1767,6 +1856,15 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
goto done;
}
+ if (r->in.num_entries != user_rids.count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (r->in.num_entries != name_types.count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+
member_rids = user_rids.ids;
status = dcerpc_samr_QueryGroupMember(b, talloc_tos(),
diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
index 49ba74e..d9c3c8e 100644
--- a/source3/lib/netapi/localgroup.c
+++ b/source3/lib/netapi/localgroup.c
@@ -58,6 +58,12 @@ static NTSTATUS libnetapi_samr_lookup_and_open_alias(TALLOC_CTX *mem_ctx,
if (!NT_STATUS_IS_OK(result)) {
return result;
}
+ if (user_rids.count != 1) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (name_types.count != 1) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
switch (name_types.ids[0]) {
case SID_NAME_ALIAS:
@@ -1041,7 +1047,7 @@ static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx,
NT_STATUS_NOT_OK_RETURN(result);
if (count != 1 || sids.count != 1) {
- return NT_STATUS_NONE_MAPPED;
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
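Review bot: Changing the return for "count != 1 || sids.count != 1" from NT_STATUS_NONE_MAPPED to NT_STATUS_INVALID_NETWORK_RESPONSE also changes what callers see when the reply carries zero entries with a success status. Any caller of libnetapi_lsa_lookup_names3() that tests for NT_STATUS_NONE_MAPPED to mean "name not found" needs to be checked against this change; one option is to keep NT_STATUS_NONE_MAPPED for the zero case and use the new status only for counts above one.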
--
Samba Shared Repository