Total dcerpc response payload more than 0x400000

Jeremy Allison jra at samba.org
Fri Jun 17 20:32:33 UTC 2016 

On Fri, Jun 17, 2016 at 01:11:14PM +1200, Andrew Bartlett wrote:
> 
> I totally agree.  Thanks for filing the bug about this, as this is a
> serious regression in the DRS replication case.
> 
>  https://bugzilla.samba.org/show_bug.cgi?id=11948
> 
> What happens here is that we stop being able to replicate in any domain
> where an object is more than 4MB, or indeed any domains where each
> object is more than 10k on average, which will break on say a domain
> with a jpegPhoto.  Indeed, a jpegPhoto of 4MB is not unreasonable to
> expect, given the default from a camera these days.
> 
> We need to remove this limit, or change it to more like 240MB (talloc
> won't allocate larger the 256MB at the moment). 
> 
> The limit makes sense thought of from the context of simple
> administrative calls, but it is also used for bulk data transport,
> server->client.  I've not changed the client->server direction, but I
> have heard of spoolss calls where the windows client would send over
> 16MB of zeros in a in/out buffer, so we may need to fix that also. 
> 
> Also, at the point when we get this, if the connection is
> authenticated, then the authentication has been checked, and the packet
> is already in memory, so we can be generous here.
> 
> Metze: Can you please ACK this change?

Metze is away on vacation at the moment, but no one person's
absence should prevent bugs getting fixed :-).

Currently this patch checks:

 +     if (req->payload.length + length > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {

then checks:

 +	if (length > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {

I think that should be the other way around - the length check
can never be true if the first check isn't true.

Can you change the patch to check the following 3 things in order:

1). Current packet length check.

 +      if (length > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {

2). Integer wrap check.

 +      if (req->payload.length + length < length) {

3). Combination check.

 +     if (req->payload.length + length > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {

Then I'll re-review. If metze really hates this he can
fix it when he gets back :-) - plus I'll ask dochelp next
week when I'm up at Microsoft about the limits Windows
has on RPC packet reassembly.

Cheers,

	Jeremy.

> -- 
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT   
> https://catalyst.net.nz/services/samba
> 
> 
> 
> 
> 

> From 4409c098cba89bcf8dca74e4c6eb15d3fdaac728 Mon Sep 17 00:00:00 2001
> From: Andrew Bartlett <abartlet at samba.org>
> Date: Fri, 17 Jun 2016 12:14:11 +1200
> Subject: [PATCH] s4-librpc: Change the RPC client lib to permit larger RPC
>  replies
> 
> 4MB is too small and is an arbitary limit that prevents DRS replication
> in domains with either large objects, or simply a large number of
> reasonablly sized objects (eg 10kb per object in our default page
> size of 400).  This could be a jpegPhoto for example.
> 
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
> ---
>  librpc/idl/dcerpc.idl       |  1 +
>  source4/librpc/rpc/dcerpc.c | 12 ++++++++++--
>  2 files changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
> index 015eb3d..9b68040 100644
> --- a/librpc/idl/dcerpc.idl
> +++ b/librpc/idl/dcerpc.idl
> @@ -536,6 +536,7 @@ interface dcerpc
>  	const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
>  	const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
>  	const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
> +	const uint32 DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE = 0xf000000; /* 240 MByte */
>  
>  	/* little-endian flag */
>  	const uint8 DCERPC_DREP_LE  = 0x10;
> diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
> index 464ae95..bc8a580 100644
> --- a/source4/librpc/rpc/dcerpc.c
> +++ b/source4/librpc/rpc/dcerpc.c
> @@ -1577,10 +1577,18 @@ static void dcerpc_request_recv_data(struct dcecli_connection *c,
>  
>  	length = pkt->u.response.stub_and_verifier.length;
>  
> -	if (req->payload.length + length > DCERPC_NCACN_PAYLOAD_MAX_SIZE) {
> +	if (req->payload.length + length > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {
>  		DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc response\n",
>  			 (unsigned)req->payload.length + length,
> -			 DCERPC_NCACN_PAYLOAD_MAX_SIZE));
> +			 DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE));
> +		dcerpc_connection_dead(c, NT_STATUS_RPC_PROTOCOL_ERROR);
> +		return;
> +	}
> +
> +	if (length > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {
> +		DEBUG(2,("Unexpected stub and verifier 0x%X > 0x%X dcerpc response\n",
> +			 (unsigned)length,
> +			 DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE));
>  		dcerpc_connection_dead(c, NT_STATUS_RPC_PROTOCOL_ERROR);
>  		return;
>  	}
> -- 
> 2.8.0.rc3
>

More information about the samba-technical mailing list