[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Thu Mar 20 11:31:04 MDT 2014


The branch, master has been updated
       via  5277fc4 s3-rpc_server: Fix handling of fragmented rpc requests.
       via  1351feb s4-torture: add some tests for pre-allocated buffers in enumprinterdrivers call.
       via  b905523 s4-torture: add test_EnumPrinterDrivers_buffers function.
      from  cf0934c s3: smbd: Fileserving share access checks.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5277fc4d0393ffe2e415ad26610b36d2986c62d7
Author: Andreas Schneider <asn at cryptomilk.org>
Date:   Thu Mar 20 14:45:01 2014 +0100

    s3-rpc_server: Fix handling of fragmented rpc requests.
    
    We need to call pipe_init_outgoing_data() as the first thing in
    process_complete_pdu(). Otherwise the caller may use uninitialized
    memory and try to write a response to the socket.
    
    The problem happens only if a real socket is used, which means
    in all cases for master and only with external rpc daemons in v4-0
    and v4-1.
    
    The problem looks like this in the logs.
    
        [2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
          Processing packet type 0
        [2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
          Checking request auth.
        [2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
          Sending 1 fragments in a total of 0 bytes
        [2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
          Sending PDU number: 0, PDU Length: 4294967228
        [2014/03/20 14:49:35.531801,  2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
          Writev failed!
        [2014/03/20 14:49:35.531845,  2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
          Fatal error(Message too long). Terminating client(127.0.0.1) connection!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
    Reviewed-by: Guenther Deschner <gd at samba.org
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104

commit 1351febcc854a4e4a599fc4c73dec83256e588c7
Author: Günther Deschner <gd at samba.org>
Date:   Thu Mar 20 15:57:10 2014 +0100

    s4-torture: add some tests for pre-allocated buffers in enumprinterdrivers call.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit b905523c3289ada6f03bf086f38a041c4cad265b
Author: Günther Deschner <gd at samba.org>
Date:   Thu Mar 20 15:56:13 2014 +0100

    s4-torture: add test_EnumPrinterDrivers_buffers function.
    
    This allows testing the enumdriver call with a pre-allocated buffer.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_server/srv_pipe.c |   20 ++++++---------
 source4/torture/rpc/spoolss.c |   52 ++++++++++++++++++++++++++++++++--------
 2 files changed, 49 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 36864d2..67c9a68 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1547,9 +1547,6 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
 	 * Ok - we finally have a complete RPC stream.
 	 * Call the rpc command to process it.
 	 */
-	if (!pipe_init_outgoing_data(p)) {
-		return false;
-	}
 
 	return api_pipe_request(p, pkt);
 }
@@ -1563,6 +1560,10 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 
 	DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
 
+	if (!pipe_init_outgoing_data(p)) {
+		goto done;
+	}
+
 	switch (pkt->ptype) {
 	case DCERPC_PKT_REQUEST:
 		reply = process_request_pdu(p, pkt);
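Review bot: The `pipe_init_outgoing_data(p)` call placed ahead of the `switch` has an ordering requirement that is recorded only in the commit message, so it should carry a comment, for example `/* Reset outgoing data before dispatch: the caller sends from it after every packet type. */`. Without one, a later cleanup could move the call back into individual cases and bring back the stale-state send seen in the log (`PDU Length: 4294967228`). The `goto done` failure path also relies on `reply` still being false at this point; its declaration is above the hunk, so confirm it is initialised there.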
@@ -1595,9 +1596,7 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 		/*
 		 * We assume that a pipe bind is only in one pdu.
 		 */
-		if (pipe_init_outgoing_data(p)) {
-			reply = api_pipe_bind_req(p, pkt);
-		}
+		reply = api_pipe_bind_req(p, pkt);
 		break;
 
 	case DCERPC_PKT_BIND_ACK:
@@ -1612,9 +1611,7 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 		/*
 		 * We assume that a pipe bind is only in one pdu.
 		 */
-		if (pipe_init_outgoing_data(p)) {
-			reply = api_pipe_alter_context(p, pkt);
-		}
+		reply = api_pipe_alter_context(p, pkt);
 		break;
 
 	case DCERPC_PKT_ALTER_RESP:
@@ -1626,9 +1623,7 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 		/*
 		 * The third packet in an auth exchange.
 		 */
-		if (pipe_init_outgoing_data(p)) {
-			reply = api_pipe_bind_auth3(p, pkt);
-		}
+		reply = api_pipe_bind_auth3(p, pkt);
 		break;
 
 	case DCERPC_PKT_SHUTDOWN:
@@ -1676,6 +1671,7 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 		break;
 	}
 
+done:
 	if (!reply) {
 		DEBUG(3,("DCE/RPC fault sent!"));
 		set_incoming_fault(p);
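Review bot: The `done:` label routes an initialisation failure into the same `if (!reply)` fault path as a protocol error, so whatever follows `set_incoming_fault(p)` runs on outgoing state that `pipe_init_outgoing_data()` has just failed to reset. The rest of that block is outside the hunk; if it builds a fault PDU into the outgoing buffers, the failure case probably needs its own exit that skips it. The `DEBUG(3,("DCE/RPC fault sent!"))` message also lacks a trailing `\n`.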
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 3d99470..ccc842a 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -513,30 +513,36 @@ static bool test_GetPrinterDriverDirectory(struct torture_context *tctx,
 	return true;
 }
 
-static bool test_EnumPrinterDrivers_args(struct torture_context *tctx,
-					 struct dcerpc_binding_handle *b,
-					 const char *server_name,
-					 const char *environment,
-					 uint32_t level,
-					 uint32_t *count_p,
-					 union spoolss_DriverInfo **info_p)
+static bool test_EnumPrinterDrivers_buffers(struct torture_context *tctx,
+					    struct dcerpc_binding_handle *b,
+					    const char *server_name,
+					    const char *environment,
+					    uint32_t level,
+					    uint32_t offered,
+					    uint32_t *count_p,
+					    union spoolss_DriverInfo **info_p)
 {
 	struct spoolss_EnumPrinterDrivers r;
 	uint32_t needed;
 	uint32_t count;
 	union spoolss_DriverInfo *info;
+	DATA_BLOB buffer;
+
+	if (offered > 0) {
+		buffer = data_blob_talloc_zero(tctx, offered);
+	}
 
 	r.in.server		= server_name;
 	r.in.environment	= environment;
 	r.in.level		= level;
-	r.in.buffer		= NULL;
-	r.in.offered		= 0;
+	r.in.buffer		= offered ? &buffer : NULL;
+	r.in.offered		= offered;
 	r.out.needed		= &needed;
 	r.out.count		= &count;
 	r.out.info		= &info;
 
-	torture_comment(tctx, "Testing EnumPrinterDrivers(%s) level %u\n",
-		r.in.environment, r.in.level);
+	torture_comment(tctx, "Testing EnumPrinterDrivers(%s) level %u, offered: %u\n",
+		r.in.environment, r.in.level, r.in.offered);
 
 	torture_assert_ntstatus_ok(tctx,
 		dcerpc_spoolss_EnumPrinterDrivers_r(b, tctx, &r),
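Review bot: `buffer` is left uninitialised when `offered` is 0, and the result of `data_blob_talloc_zero()` is never checked, so an allocation failure would send a non-zero `offered` together with an empty blob. Declaring it as `DATA_BLOB buffer = data_blob_null;` and adding `torture_assert(tctx, buffer.data != NULL, "failed to allocate buffer");` inside the `if (offered > 0)` branch makes both cases explicit. The blob is parented to `tctx` and not freed in the visible lines, so it presumably lives for the whole test; the function body continues below the hunk, so a later free cannot be ruled out.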
@@ -567,6 +573,20 @@ static bool test_EnumPrinterDrivers_args(struct torture_context *tctx,
 
 }
 
+
+static bool test_EnumPrinterDrivers_args(struct torture_context *tctx,
+					 struct dcerpc_binding_handle *b,
+					 const char *server_name,
+					 const char *environment,
+					 uint32_t level,
+					 uint32_t *count_p,
+					 union spoolss_DriverInfo **info_p)
+{
+	return test_EnumPrinterDrivers_buffers(tctx, b, server_name,
+					       environment, level, 0,
+					       count_p, info_p);
+}
+
 static bool test_EnumPrinterDrivers_findone(struct torture_context *tctx,
 					    struct dcerpc_binding_handle *b,
 					    const char *server_name,
@@ -642,6 +662,7 @@ static bool test_EnumPrinterDrivers(struct torture_context *tctx,
 	struct dcerpc_pipe *p = ctx->spoolss_pipe;
 	struct dcerpc_binding_handle *b = p->binding_handle;
 	uint16_t levels[] = { 1, 2, 3, 4, 5, 6, 8 };
+	uint16_t buffer_sizes[] = { 0, 1024, 6040, 0xffff };
 	int i, j, a;
 
 	/* FIXME: gd, come back and fix "" as server, and handle
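Review bot: `buffer_sizes` is declared `uint16_t` while the `offered` parameter it feeds is `uint32_t`, so 0xffff is the largest value the table can hold and any larger entry added later would be truncated silently. `uint32_t buffer_sizes[] = { 0, 1024, 6040, 0xffff };` matches the parameter type. A short comment saying why 6040 was chosen would also help, since nothing in the hunk explains that value.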
@@ -655,6 +676,15 @@ static bool test_EnumPrinterDrivers(struct torture_context *tctx,
 
 	for (a=0;a<ARRAY_SIZE(environments);a++) {
 
+	for (i=0;i<ARRAY_SIZE(buffer_sizes);i++) {
+		torture_assert(tctx,
+			test_EnumPrinterDrivers_buffers(tctx, b, server_name,
+							environments[a], 3,
+							buffer_sizes[i],
+							NULL, NULL),
+			"failed to enumerate drivers");
+	}
+
 	for (i=0;i<ARRAY_SIZE(levels);i++) {
 		int level = levels[i];
 		uint32_t count;
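Review bot: The assertion message `"failed to enumerate drivers"` in the new `buffer_sizes` loop does not say which environment or buffer size failed, and the level is hard-coded as `3` with no comment. Building the message with `talloc_asprintf(tctx, "failed to enumerate drivers for %s, offered %u", environments[a], buffer_sizes[i])` would make a failure attributable from the log alone. The call also passes NULL for `count_p` and `info_p`; the code that stores through them lies outside the visible hunks, so confirm it checks for NULL before writing.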


-- 
Samba Shared Repository

