[Samba] pad length mismatch error message
Andrew Bartlett
abartlet at samba.org
Thu Apr 23 23:21:14 UTC 2020
On Thu, 2020-04-23 at 12:28 +0200, von Obernitz, Daniel via samba
wrote:
> Hi Andrew,
>
> > Once you work out what client is changing this, then send me a
> > network
> > capture and matching Samba log (use "debug hires timestamp = Yes",
> > "log
> > level = 4") and I'll add it to my backlog to look into.
>
> I think I was able to identify and reproduce the occurrence of the
> error message:
>
> 1. You have a new Windows 10 client
> 2. The computer MUST NOT be in the computer list in the AD-DC
> 3. You join the Windows client to the domain and reboot
> 4. About when the login screen appears on the Windows client, the
> error message pops up.
>
> If the computer is already listed in the AD-DC, you can remove and
> rejoin the Windows Client as much as you want without the error.
> And if the computer object is new, it also only happens I would say 4
> out of 5 times.
>
> I was able to record the logs with your suggested loglevel and a
> corresponding tcpdump. I will send it to you separately, maybe it
> helps.
>
> Since everything else is working fine (join, login etc) this is
> definitely not a critical issue IMHO.
The code in question goes back to the 'BadLock' patches in 2016. I
think this is probably a strange codepath on the Windows client.
I'm going to at least propose a patch to make the messages provide some
more info for the next person who needs to look at this.
The only thing that makes sense is that the difference, 44, is the
length of a single ctx_list in:
dcerpc_bind {
...
dcerpc_ctx_list ctx_list[num_contexts];
...
}
The client is sending 3 items in ctx_list, but only putting 2 in the
header, so we don't look for the last 44 bytes. Rather than just look
from the end for the authentication trailer, we assert that everything
must add up.
If we didn't fail here, we would fail trying to parse the SPNEGO. We
use the NDR_REMAINING flag for the authentication trailer so we just
dump everything left in the packet into that.
I've redacted the sensitive parts (the actual SPNEGO exchange) and
included the ndrdump output to illustrate.
Finally, I have a patch that should at least make the calculations
clearer, see attached.
I've filed https://bugzilla.samba.org/show_bug.cgi?id=14356
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba
-------------- next part --------------
pull returned Success
ncacn_packet: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x07 (7)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
1: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0852 (2130)
auth_length : 0x07aa (1962)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x16d0 (5840)
max_recv_frag : 0x16d0 (5840)
assoc_group_id : 0x00001b31 (6961)
num_contexts : 0x02 (2)
ctx_list: ARRAY(2)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : e3514235-4b06-11d1-ab04-00c04fc2dcd2
if_version : 0x00000004 (4)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0001 (1)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : e3514235-4b06-11d1-ab04-00c04fc2dcd2
if_version : 0x00000004 (4)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 71710533-beba-4937-8319-b5dbef9ccc36
if_version : 0x00000001 (1)
auth_info : DATA_BLOB length=2014
[0000] 02 00 01 00 35 42 51 E3 06 4B D1 11 AB 04 00 C0 ....5BQ. .K......
[0010] 4F C2 DC D2 04 00 00 00 2C 1C B7 6C 12 98 40 45 O....... ,..l.. at E
[0020] 03 00 00 00 00 00 00 00 01 00 00 00 09 06 00 00 ........ ........
[0030] 00 00 00 00
-------------- next part --------------
pull returned Success
ncacn_packet: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x07 (7)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
1: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0809 (2057)
auth_length : 0x0761 (1889)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x16d0 (5840)
max_recv_frag : 0x16d0 (5840)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x03 (3)
ctx_list: ARRAY(3)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : e3514235-4b06-11d1-ab04-00c04fc2dcd2
if_version : 0x00000004 (4)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0001 (1)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : e3514235-4b06-11d1-ab04-00c04fc2dcd2
if_version : 0x00000004 (4)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 71710533-beba-4937-8319-b5dbef9ccc36
if_version : 0x00000001 (1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0002 (2)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : e3514235-4b06-11d1-ab04-00c04fc2dcd2
if_version : 0x00000004 (4)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 6cb71c2c-9812-4540-0300-000000000000
if_version : 0x00000001 (1)
auth_info : DATA_BLOB length=1897
[0000] 09 06 00 00 00 00 00 00
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-librpc-Provide-clearer-debug-messages-for-malformed-.patch
Type: text/x-patch
Size: 2658 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20200424/b5e6ff15/0001-librpc-Provide-clearer-debug-messages-for-malformed-.bin>
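An added worked example (not from the post and not Samba's own code): it redoes the length arithmetic for the two ndrdump outputs above and decodes the first 52 bytes of the first dump's auth_info blob, which are the only bytes of that blob shown on the list. The field sizes are the standard DCE/RPC bind PDU layout; the comparison of the left-over bytes against the trailer's auth_pad_length is an assumed model of the check behind the "pad length mismatch" message.

```python
import struct
import uuid

# Fixed sizes of the DCE/RPC bind PDU pieces (C706 / MS-RPCE wire format).
NCACN_HDR_LEN = 16     # rpc_vers .. call_id
BIND_FIXED_LEN = 12    # max_xmit_frag, max_recv_frag, assoc_group_id, num_contexts + pad
SYNTAX_ID_LEN = 20     # ndr_syntax_id: uuid (16) + if_version (4)
AUTH_TRAILER_LEN = 8   # auth_type, auth_level, auth_pad_length, reserved, auth_context_id

def ctx_list_len(num_transfer_syntaxes):
    """One dcerpc_ctx_list entry: context_id(2) + count(1) + pad(1) + abstract + transfers."""
    return 4 + SYNTAX_ID_LEN * (1 + num_transfer_syntaxes)

def implied_auth_pad(frag_length, auth_length, syntaxes_per_ctx):
    """Bytes left once header, the num_contexts entries, the 8-byte auth trailer and
    auth_length are subtracted from frag_length. A parser trusting num_contexts must
    call them auth padding; a mismatch with the trailer's auth_pad_length is fatal."""
    body = BIND_FIXED_LEN + sum(ctx_list_len(n) for n in syntaxes_per_ctx)
    return frag_length - (NCACN_HDR_LEN + body + AUTH_TRAILER_LEN + auth_length)

def parse_ctx_list(buf, off=0):
    """Decode one dcerpc_ctx_list entry (little-endian drep, as in the dumps)."""
    context_id, n_syntaxes = struct.unpack_from("<HBx", buf, off)
    off += 4
    syntaxes = []
    for _ in range(1 + n_syntaxes):  # abstract syntax first, then transfer syntaxes
        guid = uuid.UUID(bytes_le=buf[off:off + 16])
        (version,) = struct.unpack_from("<I", buf, off + 16)
        syntaxes.append((str(guid), version))
        off += SYNTAX_ID_LEN
    return {"context_id": context_id, "abstract": syntaxes[0], "transfer": syntaxes[1:]}, off

def parse_auth_trailer(buf, off):
    """Decode the 8-byte auth trailer that precedes the auth_length bytes of token."""
    auth_type, auth_level, pad_len, _reserved, ctx_id = struct.unpack_from("<BBBBI", buf, off)
    return {"auth_type": auth_type, "auth_level": auth_level,
            "auth_pad_length": pad_len, "auth_context_id": ctx_id}

# Constructed from the first 52 bytes of the auth_info DATA_BLOB in the first ndrdump
# above (the SPNEGO token that followed them was redacted on the list).
PKT1_AUTH_INFO_HEAD = bytes.fromhex(
    "02000100354251e3064bd111ab0400c04fc2dcd204000000"
    "2c1cb76c12984045030000000000000001000000"
    "0906000000000000")

def explain_first_bind():
    """The 44 unaccounted bytes are a third ctx_list entry; the real auth trailer
    (auth_type 9 = SPNEGO, auth_level 6 = privacy) only begins after it."""
    third_ctx, off = parse_ctx_list(PKT1_AUTH_INFO_HEAD)
    return third_ctx, parse_auth_trailer(PKT1_AUTH_INFO_HEAD, off)
```

For the first bind (frag_length 2130, auth_length 1962, num_contexts 2) the arithmetic leaves 44 bytes that the trailer does not declare as padding; for the second (2057, 1889, 3 contexts) it leaves none.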