DCERPC Security Context Multiplexing (ready for review)
Stefan Metzmacher
metze at samba.org
Sun Dec 23 13:19:11 UTC 2018
Hi Jeremy,
thanks for starting the review!
>> They can be downloaded here:
>> https://gitlab.com/samba-team/samba/merge_requests/173.patch
>>
>>>> Please review and comment:-)
>>
>> Please review and push:-)
>
> First comment - in [PATCH 033/134] librpc: add dcerpc_get_auth_length() helper function
> you have:
>
> +uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
> +{
> + if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
> + return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
> + } else {
> + return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
> + }
> +}
>
> As DATA_BLOB has a length already included, for safety's sake
> can you check it's larger than DCERPC_AUTH_LEN_OFFSET (which
> is 10, DCERPC_DREP_OFFSET is 4) plus the reading size before indirecting.
>
> I'm sure you already check this elsewhere :-), but adding it
> inside this function makes it self-sufficient and obviously safe.
This is more or less a copy from dcerpc_get_frag_length()
and as all functions in librpc/rpc/dcerpc_util.c they rely
on the blob having at least DCERPC_NCACN_PAYLOAD_OFFSET (16)
bytes. We always go (directly or indirectly) through
dcerpc_pull_ncacn_packet() or explicitly check for
DCERPC_NCACN_PAYLOAD_OFFSET (or RPC_HEADER_LEN which is the same).
If you want we can add
SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
at the beginning of each function (as a follow up patch),
> Something like:
>
> NTSTATUS dcerpc_get_auth_length(const DATA_BLOB *blob, uint16_t *plen)
> {
> if (blob->length < DCERPC_DREP_OFFSET+1 ||
> blob->length < DCERPC_AUTH_LEN_OFFSET+2) {
> return NT_STATUS_INVALID_PARAMETER;
> }
> if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
> *plen = SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
> } else {
> *plen = RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
> }
> return NT_STATUS_OK;
> }
>
> Yeah I know it makes it more of a pain to use elsewhere, sorry :-(.
I'd keep the changes minimal and don't change them to return NTSTATUS.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20181223/1c850bb2/signature.sig>
More information about the samba-technical
mailing list