cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error NT_STATUS_BUFFER_TOO_SMALL

Wed Oct 21 14:12:18 UTC 2015

Am 21.10.2015 um 15:27 schrieb Stefan Metzmacher:
> Hi,
> 
> here's a fix for https://bugzilla.samba.org/show_bug.cgi?id=11327
> 
> This is important when you have a Samba 4.2/4.3 member server
> in a Domain with Samba 4.0/4.1 DCs.
> 
> Please review and push :-)

After discussing with Volker, I've pushed the following
version of the patch with additional comments.

metze
-------------- next part --------------
From 6d2b3909953dde724af332d020c50a82b2e48c83 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 21 Oct 2015 12:01:26 +0200
Subject: [PATCH] dcerpc.idl: accept invalid dcerpc_bind_nak pdus

Older Samba versions (<= 4.1) had a bug in the dcerpc_bind_nak
idl, see commit f73ef3028c4f4583c81b611a9714608eae79360c.

Note: ndr_pull_dcerpc_bind_nak() was generated by pidl and
has been extended by the (_available == 0) check.
That's why we ignore the 80 char per line limit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11327

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
---
 librpc/idl/dcerpc.idl   |  6 +++---
 librpc/ndr/ndr_dcerpc.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 3668a51..359eb91 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -116,7 +116,7 @@ interface dcerpc
 		[flag(NDR_REMAINING)] DATA_BLOB auth_info;
 	} dcerpc_bind_ack;
 
-	typedef [enum16bit] enum {
+	typedef [public,enum16bit] enum {
 		DCERPC_BIND_NAK_REASON_NOT_SPECIFIED                  = 0,
 		DCERPC_BIND_NAK_REASON_TEMPORARY_CONGESTION           = 1,
 		DCERPC_BIND_NAK_REASON_LOCAL_LIMIT_EXCEEDED           = 2,
@@ -130,12 +130,12 @@ interface dcerpc
 	const int DCERPC_BIND_REASON_INVALID_AUTH_TYPE =
 		DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE;
 
-	typedef struct {
+	typedef [public] struct {
 		uint8 rpc_vers;         /* RPC version */
 		uint8 rpc_vers_minor;   /* Minor version */
 	} dcerpc_bind_nak_version;
 
-	typedef struct {
+	typedef [public,nopull] struct {
 		dcerpc_bind_nak_reason reject_reason;
 		uint8 num_versions;
 		dcerpc_bind_nak_version versions[num_versions];
diff --git a/librpc/ndr/ndr_dcerpc.c b/librpc/ndr/ndr_dcerpc.c
index ca09fb6..0224b2c 100644
--- a/librpc/ndr/ndr_dcerpc.c
+++ b/librpc/ndr/ndr_dcerpc.c
@@ -24,6 +24,55 @@
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "librpc/gen_ndr/ndr_misc.h"
 
+/*
+ * This function was generated by pidl and
+ * has been extended by the (_available == 0) check.
+ *
+ * That's why we ignore the 80 char per line limit.
+ */
+enum ndr_err_code ndr_pull_dcerpc_bind_nak(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_nak *r)
+{
+	uint32_t size_versions_0 = 0;
+	uint32_t cntr_versions_0;
+	TALLOC_CTX *_mem_save_versions_0 = NULL;
+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+	if (ndr_flags & NDR_SCALARS) {
+		uint32_t _available;
+		NDR_CHECK(ndr_pull_align(ndr, 4));
+		NDR_CHECK(ndr_pull_dcerpc_bind_nak_reason(ndr, NDR_SCALARS, &r->reject_reason));
+		_available = ndr->data_size - ndr->offset;
+		if (_available == 0) {
+			/*
+			 * This works around a bug in older
+			 * Samba (<= 4.1) releases.
+			 *
+			 * See bug #11327.
+			 */
+			r->num_versions = 0;
+		} else {
+			NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->num_versions));
+		}
+		size_versions_0 = r->num_versions;
+		NDR_PULL_ALLOC_N(ndr, r->versions, size_versions_0);
+		_mem_save_versions_0 = NDR_PULL_GET_MEM_CTX(ndr);
+		NDR_PULL_SET_MEM_CTX(ndr, r->versions, 0);
+		for (cntr_versions_0 = 0; cntr_versions_0 < (size_versions_0); cntr_versions_0++) {
+			NDR_CHECK(ndr_pull_dcerpc_bind_nak_version(ndr, NDR_SCALARS, &r->versions[cntr_versions_0]));
+		}
+		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_versions_0, 0);
+		{
+			uint32_t _flags_save_DATA_BLOB = ndr->flags;
+			ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING);
+			NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->_pad));
+			ndr->flags = _flags_save_DATA_BLOB;
+		}
+		NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+	}
+	return NDR_ERR_SUCCESS;
+}
+
 const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
 
 _PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
-- 
1.9.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151021/a7290fd2/signature.sig>
