DCERPC Security Context Multiplexing (ready for review)
Jeremy Allison
jra at samba.org
Fri Dec 21 22:39:51 UTC 2018
On Fri, Dec 21, 2018 at 02:35:14PM -0800, Jeremy Allison via samba-technical wrote:
> On Thu, Dec 20, 2018 at 12:53:52AM +0100, Stefan Metzmacher wrote:
> >
> > I've fixed the missing settimeout in the pylibsmb bindings and fixed the
> > commit messages.
> >
> > This is ready for review now.
> >
> > I'm not attaching the patches here as they're over 500kb in size, which
> > is not allowed on the list.
> >
> > They can be downloaded here:
> > https://gitlab.com/samba-team/samba/merge_requests/173.patch
> >
> > >> Please review and comment:-)
> >
> > Please review and push:-)
>
> First comment - in [PATCH 033/134] librpc: add dcerpc_get_auth_length() helper function
> you have:
>
> +uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
> +{
> + if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
> + return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
> + } else {
> + return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
> + }
> +}
>
> As DATA_BLOB has a length already included, for safety's sake
> can you check it's larger than DCERPC_AUTH_LEN_OFFSET (which
> is 10, DCERPC_DREP_OFFSET is 4) plus the reading size before indirecting.
>
> I'm sure you already check this elsewhere :-), but adding it
> inside this function makes it self-sufficient and obviously safe.
>
> Something like:
>
> NTSTATUS dcerpc_get_auth_length(const DATA_BLOB *blob, uint16_t *plen)
> {
> if (blob->length < DCERPC_DREP_OFFSET+1 ||
> blob->length < DCERPC_AUTH_LEN_OFFSET+2) {
> return NT_STATUS_INVALID_PARAMETER;
> }
> if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
> *plen = SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
> } else {
> *plen = RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
> }
> return NT_STATUS_OK;
> }
>
> Yeah I know it makes it more of a pain to use elsewhere, sorry :-(.
One more point, dcerpc_get_auth_length() isn't static, so fixing
it to be DATA_BLOB offset safe will protect it from accidently
getting called from elsewhere later on.
If you want, just make it return 0 on error rather than rippling
the NTSTATUS up through all the callers, which is what you're
doing in the later patches.
Although changing the following:
[PATCH 034/134] librpc: add dcerpc_get_auth_{type,level,context_id}() helper functions
patch to return NTSTATUS back up the stack rather than 0 on
length errors might be better ?
More information about the samba-technical
mailing list