[SCM] Samba Shared Repository - branch v4-2-test updated
Karolin Seeger
kseeger at samba.org
Thu Jul 7 09:23:58 UTC 2016
The branch, v4-2-test has been updated
via e3be923 Merge tag 'samba-4.2.14' into v4-2-test
via c7c5fe1 VERSION: Disable git snapshots for the 4.2.14 release.
via eb480ea WHATSNEW: Add release notes for Samba 4.2.14.
via 13437f9 CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing
via db256b6 CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing
via b9200a6 CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
via 7e73588 ctdb-common: For AF_PACKET socket types, protocol is in network order
via 8368f6f ctdb-common: Use documented names for protocol family in socket()
via ea9ddb4 ctdb-common: Protocol argument must be in host order for socket() call
via 434aaaf dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
via f772649 s4:rpc_server: use a variable for the max total reassembled request payload
via d069b66 s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes
via 6509689 dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
via 9c6e913 VERSION: Bump version up to 4.2.14...
from c32d2de VERSION: Bump version up to 4.2.14...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test
- Log -----------------------------------------------------------------
commit e3be923b52ce63d64a292b483f5cddcfbb8a90c7
Merge: c32d2de c7c5fe1
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Jul 7 11:23:50 2016 +0200
Merge tag 'samba-4.2.14' into v4-2-test
samba: tag samba-4.2.14
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 83 ++++++++++++++++++++++++++++-
ctdb/common/system_aix.c | 4 +-
ctdb/common/system_common.c | 2 +-
ctdb/common/system_freebsd.c | 4 +-
ctdb/common/system_gnu.c | 4 +-
ctdb/common/system_kfreebsd.c | 4 +-
ctdb/common/system_linux.c | 10 ++--
ctdb/tools/ctdb.c | 4 +-
ctdb/utils/smnotify/smnotify.c | 6 +--
libcli/smb/smbXcli_base.c | 19 ++++++-
librpc/idl/dcerpc.idl | 18 ++++++-
source3/libsmb/cliconnect.c | 3 ++
source3/script/tests/test_smbclient_ntlm.sh | 4 ++
source4/librpc/rpc/dcerpc.c | 5 +-
source4/librpc/rpc/dcerpc.h | 3 ++
source4/rpc_server/dcerpc_server.c | 5 +-
source4/rpc_server/dcerpc_server.h | 3 ++
17 files changed, 153 insertions(+), 28 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d061b6c..5ecf9e3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,83 @@
==============================
+ Release Notes for Samba 4.2.14
+ July 07, 2016
+ ==============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
+
+=======
+Details
+=======
+
+o CVE-2016-2119:
+ It's possible for an attacker to downgrade the required signing for
+ an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
+ or SMB2_SESSION_FLAG_IS_NULL flags.
+
+ This means that the attacker can impersonate a server being connected to by
+ Samba, and return malicious results.
+
+ The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
+ to domain controllers as a member server, and trusted domains as a domain
+ controller. These DCE/RPC connections were intended to protected by the
+ combination of "client ipc signing" and
+ "client ipc max protocol" in their effective default settings
+ ("mandatory" and "SMB3_11").
+
+ Additionally, management tools like net, samba-tool and rpcclient use DCERPC
+ over SMB2/3 connections.
+
+ By default, other tools in Samba are unprotected, but rarely they are
+ configured to use smb signing, via the "client signing" parameter (the default
+ is "if_required"). Even more rarely the "client max protocol" is set to SMB2,
+ rather than the NT1 default.
+
+ If both these conditions are met, then this issue would also apply to these
+ other tools, including command line tools like smbcacls, smbcquota, smbclient,
+ smbget and applications using libsmbclient.
+
+
+Changes since 4.2.13:
+---------------------
+
+o Amitay Isaacs <amitay at gmail.com>
+ * BUG 11705: Fix sockets with htons(IPPROTO_RAW) and CVE-2015-8543 (Kernel).
+ * BUG 11770: ctdb-common: For AF_PACKET socket types, protocol is in network
+ order.
+
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
+ * BUG 11948: Total dcerpc response payload more than 0x400000.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 4.2.13
June 17, 2016
==============================
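Review bot: the release notes in this hunk name the issue CVE-2016-2119 (summary line, Details heading and BUG 11860), but the three commit subjects in the branch update list are tagged CVE-2016-2019, so a search of the history by the id used in this file will not find the fixing commits. Mention the mismatch in the notes or point readers at BUG 11860. Separately, "were intended to protected by" in the Details paragraph is missing "be".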
@@ -50,8 +129,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 4.2.12
diff --git a/ctdb/common/system_aix.c b/ctdb/common/system_aix.c
index 41f61ae..2637442 100644
--- a/ctdb/common/system_aix.c
+++ b/ctdb/common/system_aix.c
@@ -44,7 +44,7 @@ int ctdb_sys_open_sending_socket(void)
int s, ret;
uint32_t one = 1;
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT,(" failed to open raw socket (%s)\n",
strerror(errno)));
@@ -121,7 +121,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT,(" failed to open raw socket (%s)\n",
strerror(errno)));
diff --git a/ctdb/common/system_common.c b/ctdb/common/system_common.c
index 899f3b5..3e30a6c 100644
--- a/ctdb/common/system_common.c
+++ b/ctdb/common/system_common.c
@@ -85,7 +85,7 @@ char *ctdb_sys_find_ifname(ctdb_sock_addr *addr)
struct ifconf ifc;
char *ptr;
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
strerror(errno)));
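Review bot: the same one-line correction, htons(IPPROTO_RAW) to IPPROTO_RAW in the socket() call, is repeated here and in system_aix.c, system_freebsd.c, system_gnu.c, system_kfreebsd.c and system_linux.c. A single shared helper that opens the raw sending socket would keep the protocol argument in one place, so the byte-order mistake cannot return in one platform file only.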
diff --git a/ctdb/common/system_freebsd.c b/ctdb/common/system_freebsd.c
index 9597a7a..02f7cce 100644
--- a/ctdb/common/system_freebsd.c
+++ b/ctdb/common/system_freebsd.c
@@ -158,7 +158,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
ip4pkt.tcp.th_sum = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
/* open a raw socket to send this segment from */
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
strerror(errno)));
@@ -208,7 +208,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
ip6pkt.tcp.th_win = htons(1234);
ip6pkt.tcp.th_sum = tcp_checksum6((uint16_t *)&ip6pkt.tcp, sizeof(ip6pkt.tcp), &ip6pkt.ip6);
- s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
+ s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT, (__location__ " Failed to open sending socket\n"));
return -1;
diff --git a/ctdb/common/system_gnu.c b/ctdb/common/system_gnu.c
index 2ab1399..1e0ae4c 100644
--- a/ctdb/common/system_gnu.c
+++ b/ctdb/common/system_gnu.c
@@ -156,7 +156,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
ip4pkt.tcp.check = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
/* open a raw socket to send this segment from */
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
strerror(errno)));
@@ -203,7 +203,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
ip6pkt.tcp.window = htons(1234);
ip6pkt.tcp.check = tcp_checksum6((uint16_t *)&ip6pkt.tcp, sizeof(ip6pkt.tcp), &ip6pkt.ip6);
- s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
+ s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT, (__location__ " Failed to open sending socket\n"));
return -1;
diff --git a/ctdb/common/system_kfreebsd.c b/ctdb/common/system_kfreebsd.c
index 41aa4d6..7cb6d92 100644
--- a/ctdb/common/system_kfreebsd.c
+++ b/ctdb/common/system_kfreebsd.c
@@ -156,7 +156,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
ip4pkt.tcp.check = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
/* open a raw socket to send this segment from */
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
strerror(errno)));
@@ -203,7 +203,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
ip6pkt.tcp.window = htons(1234);
ip6pkt.tcp.check = tcp_checksum6((uint16_t *)&ip6pkt.tcp, sizeof(ip6pkt.tcp), &ip6pkt.ip6);
- s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
+ s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT, (__location__ " Failed to open sending socket\n"));
return -1;
diff --git a/ctdb/common/system_linux.c b/ctdb/common/system_linux.c
index fdb8d12..9872070 100644
--- a/ctdb/common/system_linux.c
+++ b/ctdb/common/system_linux.c
@@ -93,7 +93,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
switch (addr->ip.sin_family) {
case AF_INET:
- s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP));
+ s = socket(AF_PACKET, SOCK_RAW, 0);
if (s == -1){
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
return -1;
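Review bot: in ctdb_sys_send_arp the protocol argument goes from htons(ETHERTYPE_ARP) to 0, and nothing at the call says why, while the commit subject for this area ("For AF_PACKET socket types, protocol is in network order") reads as if a non-zero network-order value were expected. Add a short comment above socket(AF_PACKET, SOCK_RAW, 0) stating that 0 is intentional, and repeat it for the AF_INET6 case in the next hunk.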
@@ -187,7 +187,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface)
close(s);
break;
case AF_INET6:
- s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP));
+ s = socket(AF_PACKET, SOCK_RAW, 0);
if (s == -1){
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
return -1;
@@ -357,7 +357,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
ip4pkt.tcp.check = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);
/* open a raw socket to send this segment from */
- s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+ s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
strerror(errno)));
@@ -406,7 +406,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
ip6pkt.tcp.window = htons(1234);
ip6pkt.tcp.check = tcp_checksum6((uint16_t *)&ip6pkt.tcp, sizeof(ip6pkt.tcp), &ip6pkt.ip6);
- s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
+ s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
DEBUG(DEBUG_CRIT, (__location__ " Failed to open sending socket\n"));
return -1;
@@ -568,7 +568,7 @@ bool ctdb_sys_check_iface_exists(const char *iface)
int s;
struct ifreq ifr;
- s = socket(PF_PACKET, SOCK_RAW, 0);
+ s = socket(AF_PACKET, SOCK_RAW, 0);
if (s == -1){
/* We dont know if the interface exists, so assume yes */
DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c
index c4490ac..6700119 100644
--- a/ctdb/tools/ctdb.c
+++ b/ctdb/tools/ctdb.c
@@ -4537,7 +4537,7 @@ static int control_chktcpport(struct ctdb_context *ctdb, int argc, const char **
port = atoi(argv[0]);
- s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+ s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s == -1) {
printf("Failed to open local socket\n");
return errno;
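Review bot: in the error branch right after the changed socket() call, printf() runs before "return errno;", and printf() is allowed to modify errno, so the value returned may not be the one socket() set. Save errno into a local before printing and return that local.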
@@ -4549,7 +4549,7 @@ static int control_chktcpport(struct ctdb_context *ctdb, int argc, const char **
}
bzero(&sin, sizeof(sin));
- sin.sin_family = PF_INET;
+ sin.sin_family = AF_INET;
sin.sin_port = htons(port);
ret = bind(s, (struct sockaddr *)&sin, sizeof(sin));
close(s);
diff --git a/ctdb/utils/smnotify/smnotify.c b/ctdb/utils/smnotify/smnotify.c
index d7fd546..d5c5a4c 100644
--- a/ctdb/utils/smnotify/smnotify.c
+++ b/ctdb/utils/smnotify/smnotify.c
@@ -43,14 +43,14 @@ static int create_socket(const char *addr, int port)
int s;
struct sockaddr_in sock_in;
- s = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (s == -1) {
printf("Failed to open local socket\n");
exit(10);
}
bzero(&sock_in, sizeof(sock_in));
- sock_in.sin_family = PF_INET;
+ sock_in.sin_family = AF_INET;
sock_in.sin_port = htons(port);
inet_aton(addr, &sock_in.sin_addr);
if (bind(s, (struct sockaddr *)&sock_in, sizeof(sock_in)) == -1) {
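Review bot: inet_aton(addr, &sock_in.sin_addr), a few lines below the changed sin_family assignment, has its return value ignored. After the bzero() an unparsable addr can leave sin_addr at zero, and bind() then proceeds on the wildcard address instead of failing. Check for a 0 return and exit with an error, and do the same for inet_aton(client, ...) in the next hunk.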
@@ -124,7 +124,7 @@ int main(int argc, const char *argv[])
/* Setup a sockaddr_in for the client we want to notify */
bzero(&sock_cl, sizeof(sock_cl));
- sock_cl.sin_family = PF_INET;
+ sock_cl.sin_family = AF_INET;
sock_cl.sin_port = htons(clientport);
inet_aton(client, &sock_cl.sin_addr);
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index b07fdad..6797207 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
return false;
}
+ if (session->conn->mandatory_signing) {
+ return false;
+ }
+
if (session->conn->protocol >= PROTOCOL_SMB2_02) {
if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
return true;
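Review bot: the new mandatory_signing check makes smbXcli_session_is_guest() return false even when the server set SMB2_SESSION_FLAG_IS_GUEST, which the function name does not suggest, and the check carries no comment. The explanation added in source3/libsmb/cliconnect.c belongs here as well, so that anyone reading this function sees that "not guest" can also mean "signing is required".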
@@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
const struct iovec *recv_iov)
{
struct smbXcli_conn *conn = session->conn;
- uint16_t no_sign_flags;
+ uint16_t no_sign_flags = 0;
uint8_t session_key[16];
bool check_signature = true;
uint32_t hdr_flags;
@@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
return NT_STATUS_INVALID_PARAMETER_MIX;
}
- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
+ if (!conn->mandatory_signing) {
+ /*
+ * only allow guest sessions without
+ * mandatory signing.
+ *
+ * If we try an authentication with username != ""
+ * and the server let us in without verifying the
+ * password we don't have a negotiated session key
+ * for signing.
+ */
+ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
+ }
if (session->smb2->session_flags & no_sign_flags) {
session->smb2->should_sign = false;
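Review bot: the added comment explains only the guest case, but the assignment also drops SMB2_SESSION_FLAG_IS_NULL from no_sign_flags, and does so even when conn->mandatory_signing is false. State in the comment why the NULL-session flag no longer clears should_sign; otherwise the behaviour change for connections without mandatory signing looks accidental.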
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 015eb3d..527804d 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -535,7 +535,23 @@ interface dcerpc
const uint32 DCERPC_FRAG_MAX_SIZE = 5840;
const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
- const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
+
+ /*
+ * See [MS-RPCE] 3.3.3.5.4 Maximum Server Input Data Size
+ * 4 MByte is the default limit of reassembled request payload
+ */
+ const uint32 DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE = 0x400000;
+
+ /*
+ * See [MS-RPCE] 3.3.2.5.2 Handling Responses
+ *
+ * Indicates that Windows accepts up to 0x7FFFFFFF ~2 GByte
+ *
+ * talloc has a limit of 256 MByte, so we need to use something smaller.
+ *
+ * For now we try our luck with 240 MByte.
+ */
+ const uint32 DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE = 0xf000000; /* 240 MByte */
/* little-endian flag */
const uint8 DCERPC_DREP_LE = 0x10;
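Review bot: DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE raises what a client will reassemble from a server from 4 MByte to 240 MByte, and the comment ("For now we try our luck") justifies the number only by the talloc limit. Say in the comment that this is the default for the per-connection max_total_response_size and can be lowered there, since the peer decides how much the client buffers up to this bound. The request constant also lost the trailing "4 MByte" annotation that the old line had.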
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 420fe3c..3de3796 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
* have a negotiated session key.
*
* So just pretend we are completely done.
+ *
+ * Note that smbXcli_session_is_guest()
+ * always returns false if we require signing.
*/
state->blob_in = data_blob_null;
state->local_ready = true;
diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
index b8fc564..33a927f 100755
--- a/source3/script/tests/test_smbclient_ntlm.sh
+++ b/source3/script/tests/test_smbclient_ntlm.sh
@@ -37,4 +37,8 @@ else
testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
+
+ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
+ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
+ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
fi
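Review bot: the three signfail cases sit inside the else branch (the hunk ends at "fi"), so they run in only one arm of the conditional, and all three use baduser%badpassword. If the script does not already have one, add a case in which a valid user with --signing=required still connects, so that a regression rejecting every signed session cannot pass these tests unnoticed.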
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 8274991..4225e1d 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -155,6 +155,7 @@ static struct dcecli_connection *dcerpc_connection_init(TALLOC_CTX *mem_ctx,
*/
c->srv_max_xmit_frag = 5840;
c->srv_max_recv_frag = 5840;
+ c->max_total_response_size = DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE;
c->pending = NULL;
c->io_trigger = tevent_create_immediate(c);
@@ -1575,10 +1576,10 @@ static void dcerpc_request_recv_data(struct dcecli_connection *c,
length = pkt->u.response.stub_and_verifier.length;
- if (req->payload.length + length > DCERPC_NCACN_PAYLOAD_MAX_SIZE) {
+ if (req->payload.length + length > c->max_total_response_size) {
DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc response\n",
(unsigned)req->payload.length + length,
- DCERPC_NCACN_PAYLOAD_MAX_SIZE));
+ (unsigned)c->max_total_response_size));
dcerpc_connection_dead(c, NT_STATUS_RPC_PROTOCOL_ERROR);
return;
}
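Review bot: max_total_response_size is declared size_t but is cast to (unsigned) for the %X in the DEBUG message, so a limit wider than 32 bits would be logged truncated. Either print it with a size_t format or declare the field uint32_t to match the IDL constant. In the same DEBUG call the cast in "(unsigned)req->payload.length + length" applies to the first operand only; parenthesise the sum.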
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 1b0eb7d..0c5a819 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -107,6 +107,9 @@ struct dcecli_connection {
/* the next context_id to be assigned */
uint32_t next_context_id;
+
+ /* The maximum total payload of reassembled response pdus */
+ size_t max_total_response_size;
};
/*
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 278e1af..8439d84 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -408,6 +408,7 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
p->allow_bind = true;
p->max_recv_frag = 5840;
p->max_xmit_frag = 5840;
+ p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
*_p = p;
return NT_STATUS_OK;
@@ -1532,7 +1533,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
/*
* Up to 4 MByte are allowed by all fragments
*/
- available = DCERPC_NCACN_PAYLOAD_MAX_SIZE;
+ available = dce_conn->max_total_request_size;
if (er->stub_and_verifier.length > available) {
dcesrv_call_disconnect_after(existing,
"dcesrv_auth_request - existing payload too large");
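Review bot: the comment "Up to 4 MByte are allowed by all fragments" directly above the changed line is stale now that the limit is read from dce_conn->max_total_request_size. Reword it to refer to the per-connection limit (4 MByte by default). The same comment is repeated in the following hunk above the alloc_hint check.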
@@ -1585,7 +1586,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
/*
* Up to 4 MByte are allowed by all fragments
*/
- if (call->pkt.u.request.alloc_hint > DCERPC_NCACN_PAYLOAD_MAX_SIZE) {
+ if (call->pkt.u.request.alloc_hint > dce_conn->max_total_request_size) {
dcesrv_call_disconnect_after(call,
"dcesrv_auth_request - initial alloc hint too large");
return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 15b25ea..72cb1bb 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -273,6 +273,9 @@ struct dcesrv_connection {
/* the association group the connection belongs to */
struct dcesrv_assoc_group *assoc_group;
+
+ /* The maximum total payload of reassembled request pdus */
+ size_t max_total_request_size;
};
--
Samba Shared Repository