[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Oct 10 15:18:01 UTC 2024
The branch, master has been updated
via 9263ce57520 dcesrv_core: better fault codes dcesrv_auth_prepare_auth3()
via 8b8e4ff1b19 dcesrv_core: fix the auth3 for large ntlmssp messages
via 86808d66f30 gensec:spnego: ignore trailing bytes in SPNEGO_SERVER_START state
via 55dd8bdb05b gensec:ntlmssp: only allow messages up to 2888 bytes
via 31a422b7e58 dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED
via 97545873ebc dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM
via 85b2dcd9384 dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3
via 7a6a1aae6fa dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason
via 890fff1ca0c dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned
via f7a3827010a tests/dcerpc/raw_protocol: test invalid schannel binds
via 0bc562eb26c tests/dcerpc/raw_protocol: add more tests for auth_pad alignment
via 0da9e4d7430 tests/dcerpc/raw_protocol: add tests for max auth_padding, auth_len or auth_offset
via 7b5c3f9b1f3 tests/dcerpc/raw_protocol: fix comment in test_spnego_change_auth_type1
via 57fb07f5a33 tests/dcerpc/raw_protocol: test_no_auth_ctx_request
via 09e8dd23ce0 dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag
via a2d894fd37a tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb
via ac5818f2dd3 dcesrv_core: add more verbose debugging for missing association groups
via bb8ad1f2292 RawDCERPCTest: add some more auth_length related asserts
via 444f9c6624f RawDCERPCTest: split prepare_pdu() and send_pdu_blob() out of send_pdu()
via 0acbbeab4db s4:librpc: provide py_schannel bindings
via be02d4077db dcerpc_util: don't allow auth_padding for BIND, ALTER_CONTEXT and AUTH3 pdus
via 9309283ddbc tests/dcerpc/raw_protocol: add more test for auth padding during ALTER_CONTEXT/AUTH3
via 8e6696b2ac6 dcesrv_core: return NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED for binds without contexts
via 31c2f35bba0 dcesrv_core: disconnect after a fault with non AUTH_LEVEL_CONNECT bind
via 93bd5ba609f s4:selftest: only run ad_member with AUTH_LEVEL_CONNECT_LSA=1
via 98d908bfd07 tests/dcerpc/raw_protocol: pass against Windows 2022 and require special env vars for legacy servers
via b51ab422842 RawDCERPCTest: ignore errors in smb_pipe_socket.close()
via 8c6b5b87434 s4:tortore/rpc: let rpc.backupkey without privacy pass against Windows 2022
from dd5b9e08c7a s3:smbd: avoid false positives for got_oplock and have_other_lease in delay_for_oplock_fn
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9263ce5752063235836d5f77220b0151df6c9408
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 13 02:47:51 2020 +0100
dcesrv_core: better fault codes dcesrv_auth_prepare_auth3()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Oct 10 15:17:46 UTC 2024 on atb-devel-224
commit 8b8e4ff1b19ba06821d774d0e1a8b1cad7f06120
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 13 10:55:43 2020 +0100
dcesrv_core: fix the auth3 for large ntlmssp messages
I know finding any real logic in reading the patch
doesn't really show what's going on. I tried hard
to simplify it, but this is the only way I found
that fixed the test_auth_pad_ntlm_2889_auth3 test
without breaking other tests...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 86808d66f30136850f857b749e768c88de3a079f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 11 17:03:29 2020 +0100
gensec:spnego: ignore trailing bytes in SPNEGO_SERVER_START state
This matches Windows (at least Server 2012_R2).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 55dd8bdb05b4e814beb50d11a6f12c94e5f6e9d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 12 10:00:07 2020 +0100
gensec:ntlmssp: only allow messages up to 2888 bytes
This matches Windows (at least Server 2012_R2).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 31a422b7e58d7a670ebedb7c91f240a3134a9624
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 12 16:41:21 2020 +0100
dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED
We should use DCERPC_FAULT_ACCESS_DENIED as default for
gensec status results of e.g. NT_STATUS_LOGON_FAILURE or
NT_STATUS_INVALID_PARAMETER.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 97545873ebc2daf9c3daee914a90687625a08225
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 12 16:41:05 2020 +0100
dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM
We already report that for gensec_start_mech_by_authtype() failures,
but we also need to do that for any invalid authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 85b2dcd93848a590727dac243e8eb3614be75fad
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 11 17:07:54 2020 +0100
dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3
Sometimes Windows sends 3 presentation contexts (NDR32, NDR64,
BindTimeFeatureNegotiation) in the first BIND of an association.
Binding an additional connection to the association seems to
reuse the BIND buffer and just changes the num_contexts field from
3 to 2 and leaves the BindTimeFeatureNegotiation context as padding
in places.
Note, the auth_pad_length field is sent as 0 in that case,
which means we need to ignore it completely, as well as any
padding before the auth header.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7a6a1aae6fa74ab0f55c1160aedd2d79c9a44a90
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 11 17:59:45 2020 +0100
dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason
If dcerpc_pull_auth_trailer() returns NT_STATUS_RPC_PROTOCOL_ERROR
it will return the BIND reject code in auth->auth_context_id.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 890fff1ca0c4e1eb8ef26c4f88aa18aeda3afc4f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 11 17:05:21 2020 +0100
dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned
That is what Windows also asserts.
It also makes sure that ndr_pull_dcerpc_auth() will
start with ndr->offset = 0 and doesn't try to eat
possible padding.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f7a3827010a859839a3ae7d0cdf297a15610d286
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 12 11:10:46 2020 +0100
tests/dcerpc/raw_protocol: test invalid schannel binds
Note the ad_member will keep these as expected failures,
as it doesn't provide the netlogon service,
while the knownfail for the ADDC is only temporary.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0bc562eb26cad3a5cb8da2da54db86932791f3de
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 12 17:22:19 2020 +0100
tests/dcerpc/raw_protocol: add more tests for auth_pad alignment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0da9e4d7430c7dbb37783e6152f7672bf29498e9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 11 01:19:23 2020 +0100
tests/dcerpc/raw_protocol: add tests for max auth_padding, auth_len or auth_offset
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7b5c3f9b1f334eb9d7906338e2e64196a6530068
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 17 17:44:51 2020 +0100
tests/dcerpc/raw_protocol: fix comment in test_spnego_change_auth_type1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 57fb07f5a3369d679f8918f853303b56e58dfb3d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 17 10:05:41 2020 +0100
tests/dcerpc/raw_protocol: test_no_auth_ctx_request
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 09e8dd23ce0c08c5c04bd74121f3664f420af877
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 12 16:38:32 2020 +0100
dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag
The max fragment size depends on the transport.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a2d894fd37aaa9bce64ad95e01412681a08790ea
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 16 15:01:49 2020 +0100
tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ac5818f2dd348e61b4be35505bee00b330ec4450
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 16 16:58:35 2020 +0100
dcesrv_core: add more verbose debugging for missing association groups
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit bb8ad1f22924b581bfb66555713e98efa91372b2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 11 16:49:25 2020 +0100
RawDCERPCTest: add some more auth_length related asserts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 444f9c6624f5c997dfdc4ae0bfb8823a56fbef70
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 9 14:00:43 2020 +0100
RawDCERPCTest: split prepare_pdu() and send_pdu_blob() out of send_pdu()
This will make it possible to alter pdus before sending them to the
server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0acbbeab4db0c8bc8ff655d652e249fecb3c4ef9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 12 10:34:38 2020 +0100
s4:librpc: provide py_schannel bindings
This will be used in the dcerpc.raw_protocol test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit be02d4077db1d6c35b2e480937a04b5e70545a6d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 09:32:24 2024 +0200
dcerpc_util: don't allow auth_padding for BIND, ALTER_CONTEXT and AUTH3 pdus
This is how Windows 2022 (and 2025 preview) behaves...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9309283ddbcc60cb8dac8ecd3f4bcecfbf8ac732
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 09:56:05 2024 +0200
tests/dcerpc/raw_protocol: add more test for auth padding during ALTER_CONTEXT/AUTH3
The aim is to keep testing the code paths, which are no longer
tested because allow_bind_auth_pad is false now, which
means the existing tests fail directly at the BIND,
but we also want to test the error handling on
ALTER_CONTEXT (and AUTH3).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 8e6696b2ac6990f3d6bac804c9a0f1a2b8f0ada0
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 09:05:15 2024 +0200
dcesrv_core: return NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED for binds without contexts
This is the error Windows 2022 (and 2025 preview) return.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 31c2f35bba003daee39756e83def0f3d45c19c6b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 23 16:09:39 2024 +0200
dcesrv_core: disconnect after a fault with non AUTH_LEVEL_CONNECT bind
Without an auth context using DCERPC_AUTH_LEVEL_PACKET or higher
the fault to reject requests with an invalid auth level
should trigger a disconnect after sending the fault to
the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 93bd5ba609f93ce8298f12f2a7b0ad333e0f48bf
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 23 15:13:59 2024 +0200
s4:selftest: only run ad_member with AUTH_LEVEL_CONNECT_LSA=1
We only want to test against
'allow dcerpc auth level connect:lsarpc = yes' once
in order to have the related code tests.
We use the ad_member for that special test and
use the default on the tested ADDC.
This reveals some knownfails, which will be fixed in
the next commit...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 98d908bfd07283878a7a6a630c2bfe5d27b5ffd8
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 23 15:13:59 2024 +0200
tests/dcerpc/raw_protocol: pass against Windows 2022 and require special env vars for legacy servers
Test works against Windows 2022 and works like this:
SMB_CONF_PATH=/dev/null SERVER=172.31.9.118 \
TARGET_HOSTNAME=w2022-118.w2022-l7.base IGNORE_RANDOM_PAD=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
USERNAME=administrator PASSWORD=A1b2C3d4 \
python/samba/tests/dcerpc/raw_protocol.py -v -f TestDCERPC_BIND
Against a legacy Windows2012R2 server this still works:
SMB_CONF_PATH=/dev/null SERVER=172.31.9.188 \
TARGET_HOSTNAME=w2012r2-188.w2012r2-l6.base ALLOW_BIND_AUTH_PAD=1 \
LEGACY_BIND_NACK_NO_REASON=1 AUTH_LEVEL_CONNECT_LSA=1 \
IGNORE_RANDOM_PAD=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE \
USERNAME=administrator PASSWORD=A1b2C3d4 \
python/samba/tests/dcerpc/raw_protocol.py -v -f TestDCERPC_BIND
Currently Samba behaves like 2012R2, but the next commits
will change that...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b51ab42284211981a1ee6c8865845c7dfc985cb4
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Sep 21 12:32:55 2024 +0200
RawDCERPCTest: ignore errors in smb_pipe_socket.close()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 8c6b5b87434e96d4cb695c0a5cf8aa0a0472c6a4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:10:25 2024 +0200
s4:tortore/rpc: let rpc.backupkey without privacy pass against Windows 2022
The server disconnects after the first fault.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/spnego.c | 24 +-
auth/ntlmssp/ntlmssp.c | 9 +
auth/ntlmssp/ntlmssp_client.c | 6 -
auth/ntlmssp/ntlmssp_server.c | 6 -
librpc/idl/wscript_build | 2 +-
librpc/rpc/dcerpc_util.c | 75 +-
librpc/rpc/dcesrv_auth.c | 71 +-
librpc/rpc/dcesrv_core.c | 107 +-
librpc/rpc/dcesrv_core.h | 2 +
python/samba/tests/dcerpc/raw_protocol.py | 1555 +++++++++++++++++++++++---
python/samba/tests/dcerpc/raw_testcase.py | 52 +-
selftest/expectedfail.d/ntlm-auth | 4 +
selftest/expectedfail.d/samba4.rpc.backupkey | 28 +
selftest/target/Samba4.pm | 1 -
source4/librpc/wscript_build | 7 +
source4/selftest/tests.py | 14 +-
source4/torture/rpc/backupkey.c | 80 +-
17 files changed, 1784 insertions(+), 259 deletions(-)
create mode 100644 selftest/expectedfail.d/samba4.rpc.backupkey
Changeset truncated at 500 lines:
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 378ba3402c4..741d85b9a5e 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1758,6 +1758,7 @@ static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
const DATA_BLOB in, TALLOC_CTX *mem_ctx,
DATA_BLOB *full_in)
{
+ DATA_BLOB consume = data_blob_null;
struct spnego_state *spnego_state =
talloc_get_type_abort(gensec_security->private_data,
struct spnego_state);
@@ -1824,17 +1825,26 @@ static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
return NT_STATUS_INVALID_PARAMETER;
}
+ consume = in;
expected = spnego_state->in_needed - spnego_state->in_frag.length;
- if (in.length > expected) {
+ if (consume.length > expected) {
+ if (spnego_state->state_position != SPNEGO_SERVER_START) {
+ /*
+ * we got more than expected
+ */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/*
- * we got more than expected
+ * In SPNEGO_SERVER_START we need to ignore unexpected
+ * bytes at the end.
*/
- return NT_STATUS_INVALID_PARAMETER;
+ consume.length = expected;
}
- if (in.length == spnego_state->in_needed) {
+ if (consume.length == spnego_state->in_needed) {
/*
- * if the in.length contains the full blob
+ * if the consume.length contains the full blob
* we are done.
*
* Note: this implies spnego_state->in_frag.length == 0,
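Review bot: the truncation `consume.length = expected` in SPNEGO_SERVER_START silently drops client bytes; consider logging the discarded count (a DBG_DEBUG of `in.length - expected` before the assignment) so the Windows-compatible behaviour described in the commit message is visible when debugging malformed binds. The comment could also state why only SPNEGO_SERVER_START tolerates trailing bytes (the commit message cites Server 2012_R2 behaviour), since every other state still returns NT_STATUS_INVALID_PARAMETER.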
@@ -1842,13 +1852,13 @@ static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
* because we already know that we did not get
* more than expected.
*/
- *full_in = in;
+ *full_in = consume;
spnego_state->in_needed = 0;
return NT_STATUS_OK;
}
ok = data_blob_append(spnego_state, &spnego_state->in_frag,
- in.data, in.length);
+ consume.data, consume.length);
if (!ok) {
return NT_STATUS_NO_MEMORY;
}
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 745f2628d21..c9360a5fa2d 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -36,6 +36,8 @@ struct auth_session_info;
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
+#define NTLMSSP_MAX_UPDATE_SIZE 2888
+
/**
* Callbacks for NTLMSSP - for both client and server operating modes
*
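Review bot: NTLMSSP_MAX_UPDATE_SIZE is a bare magic number; add a comment stating where 2888 comes from (the commit message says it matches Windows Server 2012_R2) so that nobody later "fixes" it back to UINT16_MAX.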
@@ -136,6 +138,13 @@ static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_securi
}
}
+ if (input.length > NTLMSSP_MAX_UPDATE_SIZE) {
+ DBG_WARNING("reject large command=%u message, length %zu > %u)\n",
+ ntlmssp_command, input.length,
+ NTLMSSP_MAX_UPDATE_SIZE);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
DEBUG(2, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command,
gensec_ntlmssp->ntlmssp_state->expected_state));
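Review bot: the DBG_WARNING format string has an unbalanced closing parenthesis in `"reject large command=%u message, length %zu > %u)\n"`; either drop the `)` or open one before `length`. The check itself is well placed ahead of the expected_state comparison, so oversized messages are rejected regardless of state.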
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index a50ff661f5f..8c2a1f9c0aa 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -142,12 +142,6 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
/* parse the NTLMSSP packet */
- if (in.length > UINT16_MAX) {
- DEBUG(1, ("%s: reject large request of length %u\n",
- __func__, (unsigned int)in.length));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
"NTLMSSP",
&ntlmssp_command,
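Review bot: dropping the UINT16_MAX check here is only safe if every path into gensec_ntlmssp_resume_ccache() goes through gensec_ntlmssp_update_find() and its new NTLMSSP_MAX_UPDATE_SIZE check; if resume_ccache can be reached directly, the upper bound is lost on that path. A one-line comment pointing at the central check would document the dependency.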
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 1e49379a8ed..2e25c4efab5 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -124,12 +124,6 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
#endif
if (request.length) {
- if (request.length > UINT16_MAX) {
- DEBUG(1, ("ntlmssp_server_negotiate: reject large request of length %u\n",
- (unsigned int)request.length));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd",
"NTLMSSP",
&ntlmssp_command,
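Review bot: after this removal the lower bound (`request.length < 16`) lives in this file while the upper bound now lives in auth/ntlmssp/ntlmssp.c; a short comment cross-referencing NTLMSSP_MAX_UPDATE_SIZE would keep the two limits discoverable together for the next reader.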
diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build
index f3781fa9fd8..c7d6413b47f 100644
--- a/librpc/idl/wscript_build
+++ b/librpc/idl/wscript_build
@@ -98,7 +98,6 @@ bld.SAMBA_PIDL_LIST('PIDL',
ODJ.idl
printcap.idl
rap.idl
- schannel.idl
smb2_lease_struct.idl
''',
options='--header --ndr-parser',
@@ -135,6 +134,7 @@ bld.SAMBA_PIDL_LIST('PIDL',
idmap.idl
krb5pac.idl
krb5ccache.idl
+ schannel.idl
messaging.idl
misc.idl
nbt.idl
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index 75a49323078..e01391e6dcd 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -240,8 +240,10 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
enum ndr_err_code ndr_err;
uint16_t data_and_pad;
uint16_t auth_length;
+ uint16_t auth_offset;
uint32_t tmp_length;
uint32_t max_pad_len = 0;
+ DATA_BLOB auth_blob;
ZERO_STRUCTP(auth);
if (_auth_length != NULL) {
@@ -277,12 +279,21 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
if (pkt_trailer->length < auth_length) {
- return NT_STATUS_RPC_PROTOCOL_ERROR;
+ return NT_STATUS_INTERNAL_ERROR;
}
data_and_pad = pkt_trailer->length - auth_length;
+ auth_offset = pkt->frag_length - auth_length;
+ if ((auth_offset % 4) != 0) {
+ DBG_WARNING("auth_offset[%u] not 4 byte aligned\n",
+ (unsigned)auth_offset);
+ auth->auth_context_id = DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
+ return NT_STATUS_RPC_PROTOCOL_ERROR;
+ }
- ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
+ auth_blob = data_blob_const(pkt_trailer->data + data_and_pad,
+ auth_length);
+ ndr = ndr_pull_init_blob(&auth_blob, mem_ctx);
if (!ndr) {
return NT_STATUS_NO_MEMORY;
}
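Review bot: the `pkt_trailer->length < auth_length` path changes from NT_STATUS_RPC_PROTOCOL_ERROR to NT_STATUS_INTERNAL_ERROR; if the intent is that callers already validated frag_length so this branch is unreachable for wire input, say so in a comment, otherwise a short trailer from a client would now surface as an internal error instead of a protocol error. The new alignment check correctly sets auth->auth_context_id to DCERPC_BIND_NAK_REASON_NOT_SPECIFIED before returning, matching the reject-reason convention introduced in this series.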
@@ -291,12 +302,6 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
}
- ndr_err = ndr_pull_advance(ndr, data_and_pad);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- talloc_free(ndr);
- return ndr_map_error2ntstatus(ndr_err);
- }
-
ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(ndr);
@@ -324,11 +329,20 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
* protection for REQUEST and RESPONSE pdus, where the
* auth_pad_length field is actually used by the caller.
*/
- tmp_length = DCERPC_REQUEST_LENGTH;
- tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
- tmp_length += pkt->auth_length;
- if (tmp_length < pkt->frag_length) {
- max_pad_len = pkt->frag_length - tmp_length;
+ switch (pkt->ptype) {
+ case DCERPC_PKT_BIND:
+ case DCERPC_PKT_ALTER:
+ case DCERPC_PKT_AUTH3:
+ max_pad_len = 0;
+ break;
+ default:
+ tmp_length = DCERPC_REQUEST_LENGTH;
+ tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
+ tmp_length += pkt->auth_length;
+ if (tmp_length < pkt->frag_length) {
+ max_pad_len = pkt->frag_length - tmp_length;
+ }
+ break;
}
if (max_pad_len < auth->auth_pad_length) {
DEBUG(1, (__location__ ": ERROR: pad length too large. "
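Review bot: the switch lists only DCERPC_PKT_BIND, DCERPC_PKT_ALTER and DCERPC_PKT_AUTH3, i.e. the PDUs a server receives; the client-side counterparts (BIND_ACK, ALTER_RESP) still fall into the default branch and keep the DCERPC_REQUEST_LENGTH-based max_pad_len. If that asymmetry is intended (server-side strictness only), note it in the comment above; otherwise the case list should mirror whatever `auth_data_only` covers later in the function.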
@@ -337,6 +351,7 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
auth->auth_pad_length));
talloc_free(ndr);
ZERO_STRUCTP(auth);
+ auth->auth_context_id = DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED;
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
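Review bot: auth->auth_context_id is now overloaded to carry a BIND NAK reason on NT_STATUS_RPC_PROTOCOL_ERROR (here DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED, set right after ZERO_STRUCTP). This contract should be spelled out in the function's header comment, since librpc/rpc/dcesrv_auth.c reads the field after the call and a later change that zeroes the struct without restoring it would silently turn every reject into reason 0.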
@@ -347,10 +362,9 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
*
* See also bug #11982.
*/
- if (auth_data_only && data_and_pad == 0 &&
- auth->auth_pad_length > 0) {
+ if (auth_data_only) {
/*
- * we need to ignore invalid auth_pad_length
+ * We need to ignore auth_pad_length
* values for BIND_*, ALTER_* and AUTH3 pdus.
*/
auth->auth_pad_length = 0;
@@ -366,34 +380,7 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
auth->auth_pad_length);
talloc_free(ndr);
ZERO_STRUCTP(auth);
- return NT_STATUS_RPC_PROTOCOL_ERROR;
- }
-
- if (auth_data_only && data_and_pad > auth->auth_pad_length) {
- DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
- "Client sent a longer BIND packet than expected by %"PRIu16" bytes "
- "(pkt_trailer->length=%zu - auth_length=%"PRIu16") "
- "= %"PRIu16" auth_pad_length=%"PRIu8"\n",
- data_and_pad - auth->auth_pad_length,
- pkt_trailer->length,
- auth_length,
- data_and_pad,
- auth->auth_pad_length);
- talloc_free(ndr);
- ZERO_STRUCTP(auth);
- return NT_STATUS_RPC_PROTOCOL_ERROR;
- }
-
- if (auth_data_only && data_and_pad != auth->auth_pad_length) {
- DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
- "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
- "but auth_pad_length=%"PRIu8"\n",
- data_and_pad,
- pkt_trailer->length,
- auth_length,
- auth->auth_pad_length);
- talloc_free(ndr);
- ZERO_STRUCTP(auth);
+ auth->auth_context_id = DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
index 1fc6255892d..b2f6e607a24 100644
--- a/librpc/rpc/dcesrv_auth.c
+++ b/librpc/rpc/dcesrv_auth.c
@@ -130,6 +130,12 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
auth->auth_level = call->in_auth_info.auth_level;
auth->auth_context_id = call->in_auth_info.auth_context_id;
+ if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
+ !call->conn->got_explicit_auth_level_connect)
+ {
+ call->conn->default_auth_level_connect = auth;
+ }
+
cb->auth.become_root();
status = cb->auth.gensec_prepare(
auth,
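Review bot: conn->default_auth_level_connect is now assigned before cb->auth.gensec_prepare() runs and before the auth has finished (it used to be set in dcesrv_auth_complete()); if gensec_prepare fails on the next line, or the bind is later rejected, the connection keeps pointing at an auth state that never completed. Confirm that readers of default_auth_level_connect check auth_finished/auth_invalid, or reset the pointer on the failure path.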
@@ -320,8 +326,13 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
*/
auth->auth_type = DCERPC_AUTH_TYPE_NONE;
auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
- auth->auth_context_id =
- DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
+ auth->auth_context_id =
+ call->in_auth_info.auth_context_id;
+ } else {
+ auth->auth_context_id =
+ DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
+ }
return false;
}
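Review bot: using call->in_auth_info.auth_context_id as the NAK reason depends on dcerpc_pull_auth_trailer() having filled it on every NT_STATUS_RPC_PROTOCOL_ERROR return; a comment here naming that contract would help, because the producer is in librpc/rpc/dcerpc_util.c and the fallback for all other statuses is DCERPC_BIND_NAK_REASON_NOT_SPECIFIED.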
@@ -374,12 +385,6 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
}
auth->auth_finished = true;
- if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
- !call->conn->got_explicit_auth_level_connect)
- {
- call->conn->default_auth_level_connect = auth;
- }
-
if (call->pkt.ptype != DCERPC_PKT_AUTH3) {
return NT_STATUS_OK;
}
@@ -440,11 +445,38 @@ bool dcesrv_auth_prepare_auth3(struct dcesrv_call_state *call)
struct dcesrv_auth *auth = call->auth_state;
NTSTATUS status;
- if (pkt->auth_length == 0) {
+ if (pkt->frag_length > call->conn->transport_max_recv_frag) {
+ /*
+ * Note that we don't check against the negotiated
+ * max_recv_frag, but a hard coded value from
+ * the transport.
+ */
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ return false;
+ }
+
+ if (pkt->auth_length > 4096) {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
return false;
}
if (auth->auth_finished) {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ return false;
+ }
+
+ if (!auth->auth_started) {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ return false;
+ }
+
+ if (auth->auth_invalid) {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ return false;
+ }
+
+ if (pkt->auth_length == 0) {
+ call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
return false;
}
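Review bot: `pkt->auth_length > 4096` is a bare constant; give it a name and a comment on its origin, since it differs from the 2888-byte NTLMSSP limit in auth/ntlmssp/ntlmssp.c and readers will wonder which bound is authoritative. The comment on the frag_length check explaining that transport_max_recv_frag is fixed rather than negotiated is good; the same kind of note belongs next to the 4096.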
@@ -460,23 +492,36 @@ bool dcesrv_auth_prepare_auth3(struct dcesrv_call_state *call)
status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
&call->in_auth_info, NULL, true);
if (!NT_STATUS_IS_OK(status)) {
+ struct dcerpc_auth *auth_info = &call->in_auth_info;
+ uint32_t nr = auth_info->auth_context_id;
+
/*
* Windows returns DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY
- * instead of DCERPC_NCA_S_PROTO_ERROR.
+ * instead of DCERPC_NCA_S_PROTO_ERROR in most cases.
*/
call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR) &&
+ nr != DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED)
+ {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ }
+
return false;
}
if (call->in_auth_info.auth_type != auth->auth_type) {
+ call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
return false;
}
if (call->in_auth_info.auth_level != auth->auth_level) {
+ call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
return false;
}
if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
+ call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
return false;
}
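Review bot: the three mismatch checks map to two different faults (auth_type or auth_level mismatch gives DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY, auth_context_id mismatch gives DCERPC_FAULT_ACCESS_DENIED); a one-line comment saying these follow observed Windows behaviour, as the existing comment does for the trailer-pull failure, would stop a later cleanup from unifying them. `nr` would read better as `nak_reason`.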
@@ -615,12 +660,12 @@ bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
return false;
}
- if (!auth->auth_finished) {
- call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ if (auth->auth_invalid) {
return false;
}
- if (auth->auth_invalid) {
+ if (!auth->auth_finished) {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
return false;
}
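Review bot: after the reorder an auth_invalid connection returns false without setting call->fault_code, whereas the !auth_finished case sets DCERPC_NCA_S_PROTO_ERROR; make sure the caller's pre-set fault code is the one intended for invalid auth, or set it explicitly here so the result does not depend on initialisation order.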
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index c0a4150e3b3..66478001640 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -36,6 +36,7 @@
#include "system/network.h"
#include "lib/util/idtree_random.h"
#include "nsswitch/winbind_client.h"
+#include "libcli/smb/tstream_smbXcli_np.h"
/**
* @file
@@ -676,6 +677,8 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
{
struct dcesrv_auth *auth = NULL;
struct dcesrv_connection *p = NULL;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(ep->ep_description);
if (!session_info) {
return NT_STATUS_ACCESS_DENIED;
@@ -695,9 +698,21 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
p->event_ctx = event_ctx;
p->state_flags = state_flags;
p->allow_bind = true;
- p->max_recv_frag = 5840;
- p->max_xmit_frag = 5840;
p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
+ /*
+ * SMB uses 4280, while all others use 5480
+ * note that p->transport_max_recv_frag is fixed
+ * for the lifetime of the connection, it's not
+ * negotiated by bind.
+ */
+ if (transport == NCACN_NP) {
+ p->transport_max_recv_frag = TSTREAM_SMBXCLI_NP_MAX_BUF_SIZE;
+ } else {
+ p->transport_max_recv_frag = DCERPC_FRAG_MAX_SIZE;
+ }
+ /* these might be overwritten by BIND */
+ p->max_recv_frag = p->transport_max_recv_frag;
+ p->max_xmit_frag = p->transport_max_recv_frag;
p->support_hdr_signing = lpcfg_parm_bool(dce_ctx->lp_ctx,
NULL,
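Review bot: the comment says "SMB uses 4280, while all others use 5480", but the value being replaced is 5840 and the non-SMB branch assigns DCERPC_FRAG_MAX_SIZE; 5480 looks like a transposition of 5840. Fix the comment so it matches the constant it describes.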
@@ -1116,12 +1131,20 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED);
}
+ /*
+ * Note that BIND and ALTER allow frag_len up to UINT16_MAX,
+ * so we don't check again frag_len against
+ * call->conn->transport_max_recv_frag
+ */
+
/* max_recv_frag and max_xmit_frag result always in the same value! */
max_req = MIN(call->pkt.u.bind.max_xmit_frag,
call->pkt.u.bind.max_recv_frag);
/*
* The values are between 2048 and 5840 tested against Windows 2012R2
* via ncacn_ip_tcp on port 135.
+ *
+ * call->conn->transport_max_recv_frag stays fixed at 5840 (4280 for SMB)
*/
max_req = MAX(2048, max_req);
max_rep = MIN(max_req, conn->max_recv_frag);
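Review bot: "so we don't check again frag_len against call->conn->transport_max_recv_frag" reads awkwardly; suggest "so we don't check frag_len against call->conn->transport_max_recv_frag here". The second added comment repeats the 5840/4280 values already documented in dcesrv_endpoint_connect(); referencing that function instead of restating the numbers avoids the two comments drifting apart.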
@@ -1135,13 +1158,23 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
status = dce_ctx->callbacks->assoc_group.find(
call, dce_ctx->callbacks->assoc_group.private_data);
if (!NT_STATUS_IS_OK(status)) {
- DBG_NOTICE("Failed to find assoc_group 0x%08x: %s\n",
- call->pkt.u.bind.assoc_group_id, nt_errstr(status));
+ char *raddr = NULL;
+
+ raddr = tsocket_address_string(call->conn->remote_address, call);
+
+ endpoint = dcerpc_binding_get_string_option(
+ call->conn->endpoint->ep_description,
+ "endpoint");
+
+ DBG_WARNING("Failed to find assoc_group 0x%08x on ep[%s] raddr[%s]: %s\n",
+ call->pkt.u.bind.assoc_group_id,
+ endpoint, raddr, nt_errstr(status));
return dcesrv_bind_nak(call, 0);
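Review bot: `endpoint` is assigned but not declared within the visible lines, so it must be a function-scope variable; confirm its type is `const char *` to match dcerpc_binding_get_string_option(). tsocket_address_string() can return NULL on allocation failure, which would pass NULL to `%s` in the DBG_WARNING; since this is a warning on a failing bind, either guard it or accept the "(null)" output explicitly.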
--
Samba Shared Repository