[PATCH] s4:dsdb/common: samdb_result_parameters: fix bug in ldb_val to lsa_BinaryString conversation

Stefan Gohmann gohmann at univention.de
Fri May 30 08:54:09 MDT 2014 

Am 30.05.2014 01:29, schrieb Andrew Bartlett:
> On Tue, 2014-05-27 at 06:37 +0200, Stefan Gohmann wrote:
>> Hi Karmen,
>>
>> Am 27.05.2014 03:24, schrieb Kamen Mazdrashki:
>>> Hi Stefan,
>>>
>>>
>>> On Mon, May 26, 2014 at 11:03 PM, Stefan Gohmann <gohmann at univention.de
>>> <mailto:gohmann at univention.de>> wrote:
>>>
>>>     Hi Matthias,
>>>
>>>     Am 26.05.2014 14 <tel:26.05.2014%2014>:09, schrieb Matthias Dieter
>>>     Wallnöfer:
>>>     > Hi Stefan,
>>>     >
>>>     > it seems that no other one responded. I think that this is rather a
>>>     > problem with the "userParameters" attribute which we still do not
>>>     parse
>>>     > correctly I think.
>>>
>>>     thanks. I've re-checked this issue.
>>>
>>>     In my case the userParameters attribute is 105 bytes long. I think the
>>>     problem is that the length is odd and so there is one byte missing.
>>>
>>>     I was able to reproduce this issue while setting userParameters for a
>>>     user to the following value:
>>>
>>>     userParameters::
>>>     Q3R4Q2ZnUHJlc2VudCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUAIaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C5
>>>
>>>     and run
>>>       net user /domain username
>>>     from a Windows client.
>>>
>>>     Attached you'll find an updated patch which fixed the problem for me.
>>>
>>> IMHO, the correct fix should be:
>>> +s.array = talloc_array(mem_ctx, uint16_t, (val->length + 1) / 2);
>>> so we don't allocate  an extra bytes in 'normal' scenario when length is
>>> even.
>>
>> you are right. Please find a new patch attached.
> 
> This may correctly fill in the array without overwriting memory, but it
> just touches the tip of the iceburg here.  
> 
> For example, do we now leak 1 byte of uninitialised server memory?
> 
> How did an odd value get in here?  Probably via our DRS replication, but
> possibly via a SAMR call.  
> 
> I have to look up the full history, but until Samba 4.1, we really
> messed this up, because we treated the value as 'UTF8' in some places,
> particularly while replicating.  The values being sent are not valid
> UTF-16 sequences, so this would often fail. 
> 
> Then we added code to the schema to say that for this attribute, not to
> convert it to/from UTF-8.  This means that our LDAP interface now
> exposes the UTF-16 (or raw) formatted value.  This may or may not
> matter, Microsoft assures us LDAP should not be relied on for this
> attribute, but probably should change to a 'algorithmic UTF8' conversion
> of the raw bytes. 
> 
> The copying of the memory from  to the uint16_t array is also a problem,
> because this all assumes we never operate on a big-endian host.
> 
> Then there comes the issue of fixing up these 'utf8' formatted blobs in
> the database.  We have thoughts on how we could detect these, but we
> need to sit down and spend a day or two sorting it out in dbcheck,
> preferably with tests.  We need to expand these 'UTF8' sequences out
> into the raw bytes we now use as the native storage method.
> 
> We also need to sort out the classicupgrade codepath, and the script
> metze has been using to migrate customers to AD.
> 
> Finally we need to have our tests read and write a real (and not just
> short) value via the RPC-SAMR tests, and perhaps validate that with
> LDAP.
> 
> It is a lot of work, but you have sadly seen what happens when we leave
> this area as 'known broken' as we did for 4.1. 
> 
> I hope this clarifies this situation,
> 
> Andrew Bartlett
> 

Thanks for your explanation.

I did some more tests. If I use a plain Active Directory (Windows 2008
Server R2) without any Samba 4 connection, create a test user and set
the Windows Terminal Server Profile Path to '\\testserver\path', I get
the following value for userParameters:


ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUAUaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C5EggBQ3R4U2hhZG9344Sw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44SwICQBQ3R4V0ZQcm9maWxlUGF0aOaMteaMteOQt+OUtuOMt+OQt+OMt+OUtuOIt+OYt+OUtuOIt+aMteOAt+OEtuOQt+OgtuOAsA==

Decoding via python shows the following:

>>>
len(base64.decodestring('ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUAUaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C5EggBQ3R4U2hhZG9344Sw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44SwICQBQ3R4V0ZQcm9maWxlUGF0aOaMteaMteOQt+OUtuOMt+OQt+OMt+OUtuOIt+OYt+OUtuOIt+aMteOAt+OEtuOQt+OgtuOAsA=='))
229
>>>
base64.decodestring('ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUAUaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C5EggBQ3R4U2hhZG9344Sw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44SwICQBQ3R4V0ZQcm9maWxlUGF0aOaMteaMteOQt+OUtuOMt+OQt+OMt+OUtuOIt+OYt+OUtuOIt+aMteOAt+OEtuOQt+OgtuOAsA==')
'
P\x05\x1a\x08\x01CtxCfgPresent\xe3\x94\xb5\xe6\x94\xb1\xe6\x88\xb0\xe3\x81\xa2\x18\x08\x01CtxCfgFlags1\xe3\x80\xb0\xe3\x81\xa6\xe3\x80\xb2\xe3\x80\xb9\x12\x08\x01CtxShadow\xe3\x84\xb0\xe3\x80\xb0\xe3\x80\xb0\xe3\x80\xb0*\x02\x01CtxMinEncryptionLevel\xe3\x84\xb0
$\x01CtxWFProfilePath\xe6\x8c\xb5\xe6\x8c\xb5\xe3\x90\xb7\xe3\x94\xb6\xe3\x8c\xb7\xe3\x90\xb7\xe3\x8c\xb7\xe3\x94\xb6\xe3\x88\xb7\xe3\x98\xb7\xe3\x94\xb6\xe3\x88\xb7\xe6\x8c\xb5\xe3\x80\xb7\xe3\x84\xb6\xe3\x90\xb7\xe3\xa0\xb6\xe3\x80\xb0'
>>>
base64.decodestring('ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUAUaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C5EggBQ3R4U2hhZG9344Sw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44SwICQBQ3R4V0ZQcm9maWxlUGF0aOaMteaMteOQt+OUtuOMt+OQt+OMt+OUtuOIt+OYt+OUtuOIt+aMteOAt+OEtuOQt+OgtuOAsA==').encode('hex')
'20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202050051a080143747843666750726573656e74e394b5e694b1e688b0e381a2180801437478436667466c61677331e380b0e381a6e380b2e380b9120801437478536861646f77e384b0e380b0e380b0e380b02a02014374784d696e456e6372797074696f6e4c6576656ce384b0202401437478574650726f66696c6550617468e68cb5e68cb5e390b7e394b6e38cb7e390b7e38cb7e394b6e388b7e398b7e394b6e388b7e68cb5e380b7e384b6e390b7e3a0b6e380b0'
>>>

Opening the user in MMC shows an unicode value for the attribute
userParameters in the attribute editor. And the substring
CtxWFProfilePath doesn't look like UTF-16.

I think if I join Samba 4 into this AD domain and try to login against
Samba 4, the rpc server will get stuck. The patch should fix this case.
Or am I missing something?

Thanks,
Stefan

-- 
Stefan Gohmann
Head of Software Engineering

Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax :  +49 421 22232-99

gohmann at univention.de
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876

  * Englisch - erkannt
  * Englisch
  * Deutsch

  * Englisch
  * Deutsch

 <javascript:void(0);>

More information about the samba-technical mailing list