Total dcerpc response payload more than 0x400000

Andrew Bartlett abartlet at samba.org
Tue Jun 21 22:49:47 UTC 2016 

On Mon, 2016-06-20 at 22:15 +0200, Stefan Metzmacher wrote:
> Am 17.06.2016 um 23:32 schrieb Andrew Bartlett:
> > On Fri, 2016-06-17 at 13:32 -0700, Jeremy Allison wrote:
> > > On Fri, Jun 17, 2016 at 01:11:14PM +1200, Andrew Bartlett wrote:
> > > > 
> > > > I totally agree.  Thanks for filing the bug about this, as this
> > > > is
> > > > a
> > > > serious regression in the DRS replication case.
> > > > 
> > > >  https://bugzilla.samba.org/show_bug.cgi?id=11948
> > > > 
> > > > What happens here is that we stop being able to replicate in
> > > > any
> > > > domain
> > > > where an object is more than 4MB, or indeed any domains where
> > > > each
> > > > object is more than 10k on average, which will break on say a
> > > > domain
> > > > with a jpegPhoto.  Indeed, a jpegPhoto of 4MB is not
> > > > unreasonable
> > > > to
> > > > expect, given the default from a camera these days.
> > > > 
> > > > We need to remove this limit, or change it to more like 240MB
> > > > (talloc
> > > > won't allocate larger the 256MB at the moment). 
> > > > 
> > > > The limit makes sense thought of from the context of simple
> > > > administrative calls, but it is also used for bulk data
> > > > transport,
> > > > server->client.  I've not changed the client->server direction,
> > > > but
> > > > I
> > > > have heard of spoolss calls where the windows client would send
> > > > over
> > > > 16MB of zeros in a in/out buffer, so we may need to fix that
> > > > also. 
> > > > 
> > > > Also, at the point when we get this, if the connection is
> > > > authenticated, then the authentication has been checked, and
> > > > the
> > > > packet
> > > > is already in memory, so we can be generous here.
> > > > 
> > > > Metze: Can you please ACK this change?
> > > 
> > > Metze is away on vacation at the moment, but no one person's
> > > absence should prevent bugs getting fixed :-).
> > > 
> > > Currently this patch checks:
> > > 
> > >  +     if (req->payload.length + length >
> > > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {
> > > 
> > > then checks:
> > > 
> > >  +	if (length > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {
> > > 
> > > I think that should be the other way around - the length check
> > > can never be true if the first check isn't true.
> > > 
> > > Can you change the patch to check the following 3 things in
> > > order:
> > > 
> > > 1). Current packet length check.
> > > 
> > >  +      if (length > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {
> > > 
> > > 2). Integer wrap check.
> > > 
> > >  +      if (req->payload.length + length < length) {
> > > 
> > > 3). Combination check.
> > > 
> > >  +     if (req->payload.length + length >
> > > DCERPC_NCACN_CLIENT_PAYLOAD_MAX_SIZE) {
> > > 
> > > Then I'll re-review. If metze really hates this he can
> > > fix it when he gets back :-) - plus I'll ask dochelp next
> > > week when I'm up at Microsoft about the limits Windows
> > > has on RPC packet reassembly.
> > 
> > Thanks.  There are some more clues and details from metze in the
> > bug,
> > which I was finally able to access late yesterday, including where
> > he
> > got the 4MB number from.
> 
> I think using 16 MB should be a good enough fix for now.
> 
> > I'll tidy this up and get it back to you however, as 'clearly' it
> > could
> > cause nasty regressions for some, and we and re-instant the clamp
> > once
> > we figure out how to do safely.  
> > If we have to, then 16MB may be a compromise later on, once we add
> > code
> > to retry DRS replication in this case.  I expect we will need to
> > add a
> > large-object replication test.
> 
> https://msdn.microsoft.com/en-us/library/ms954378.aspx
> indicates the following:
> 
>   5. Attribute Values Must Not Exceed 500KB in Length,
>      and the Total Object Size Must Not Exceed 1MB
> 
>   Active Directory does not support streaming of attribute values
>   and is not appropriate for very large data. For this reason,
>   the maximum length of an attribute value stored in
>   Active Directory must not exceed 500KB in size, and the
>   total object size must not exceed 1MB.

Except that Samba has never honoured such a restriction, nor has any
code to prevent the server-side sending large responses, nor the client
side to retry asking for smaller responses. 

A 4MB and even a 16MB limit is still small enough to break networks in
frustrating, incredibly difficult to debug ways that *will* only happen
at large, complex installations, when it breaks replication.  

Given all that, and that even if we fix all the above we will have old
versions as replication partners, I strongly request we remove the
restriction for DRS replication. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list