author | Andrew Tridgell <tridge@samba.org> | 2006-10-28 04:17:43 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:24:40 -0500 |
commit | bb435cbd0313ec0ec6889181223929578603d73d (patch) | |
tree | 9391ad673efd745e208f96537688eccfa05ddb8e | |
parent | b4a5794e0983d41beec38ddc8430e04833af5915 (diff) | |
r19502: fixed the RPC-SECRETS test with kerberos. Andrew, can you look at this
as well?
The server side change is needed to fix a valgrind error, which was
possibly exploitable if the client sent deliberately bad data
(This used to be commit e3c04cf165fe15739197b2713e78046399aa7653)
-rw-r--r-- | source4/librpc/rpc/dcerpc.c | 15 | ||||
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 23 |
2 files changed, 20 insertions, 18 deletions
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 28e48c4a5a..bda07066ff 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -272,7 +272,6 @@ static NTSTATUS ncacn_pull_request_auth(struct dcerpc_connection *c, TALLOC_CTX
 return status; } - /* check signature or unseal the packet */ switch (c->security_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY:
@@ -433,6 +432,13 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
 return status; } dcerpc_set_auth_length(blob, creds2.length); + if (c->security_state.auth_info->credentials.length == 0) { + /* this is needed for krb5 only, to correct the total packet + length */ + dcerpc_set_frag_length(blob, + dcerpc_get_frag_length(blob) + +creds2.length); + } break; case DCERPC_AUTH_LEVEL_INTEGRITY:
@@ -454,6 +460,13 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
 return status; } dcerpc_set_auth_length(blob, creds2.length); + if (c->security_state.auth_info->credentials.length == 0) { + /* this is needed for krb5 only, to correct the total packet + length */ + dcerpc_set_frag_length(blob, + dcerpc_get_frag_length(blob) + +creds2.length); + } break; case DCERPC_AUTH_LEVEL_CONNECT:
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index e6e9bb7fc5..b73143ce34 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
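Review bot: In ncacn_push_request_sign (source4/librpc/rpc/dcerpc.c, the PRIVACY hunk at -433 and the identical INTEGRITY hunk at -454), the added `dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob) + creds2.length)` grows a header length field without checking that the sum still fits. The DCE/RPC fragment length is a 16-bit wire field, so a large signature would presumably wrap and leave the header disagreeing with the real packet size; a guard such as `if (dcerpc_get_frag_length(blob) + creds2.length > UINT16_MAX) return NT_STATUS_INVALID_PARAMETER;` (routed through whatever cleanup the function already uses) would make that failure explicit. The `credentials.length == 0` test stands in for "the mechanism is krb5", so the comment should say why a zero-length placeholder identifies that case, for example `/* krb5 leaves credentials empty when the packet is built, so frag_length does not yet include the signature */`, if that is indeed the reason. The same block is pasted into both cases and could live in one small static helper so the two stay in sync. The function body starts and ends outside these hunks.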
@@ -470,19 +470,14 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 &creds2); if (NT_STATUS_IS_OK(status)) { - status = data_blob_realloc(call, blob, - blob->length - dce_conn->auth_state.auth_info->credentials.length + - creds2.length); - } - - if (NT_STATUS_IS_OK(status)) { - memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, - creds2.data, creds2.length); + blob->length -= dce_conn->auth_state.auth_info->credentials.length; + status = data_blob_append(call, blob, creds2.data, creds2.length); } /* If we did AEAD signing of the packet headers, then we hope * this value didn't change... */ dcerpc_set_auth_length(blob, creds2.length); + dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length); data_blob_free(&creds2); break;
@@ -495,20 +490,14 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 blob->length - dce_conn->auth_state.auth_info->credentials.length, &creds2); if (NT_STATUS_IS_OK(status)) { - status = data_blob_realloc(call, blob, - blob->length - dce_conn->auth_state.auth_info->credentials.length + - creds2.length); - } - - if (NT_STATUS_IS_OK(status)) { - memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, - creds2.data, creds2.length); + blob->length -= dce_conn->auth_state.auth_info->credentials.length; + status = data_blob_append(call, blob, creds2.data, creds2.length); } /* If we did AEAD signing of the packet headers, then we hope * this value didn't change... */ dcerpc_set_auth_length(blob, creds2.length); - + dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length); data_blob_free(&creds2); break; |
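Review bot: In dcesrv_auth_response (source4/rpc_server/dcesrv_auth.c, both hunks), `dcerpc_set_auth_length(blob, creds2.length)` and the new `dcerpc_set_frag_length(...)` sit outside the `if (NT_STATUS_IS_OK(status))` block, so the packet header is rewritten from `creds2.length` even when sealing/signing or `data_blob_append()` failed. Moving both calls inside the success block keeps a failed response from carrying lengths that do not match its contents. The server also adds `creds2.length` to the fragment length unconditionally, whereas the client side of this commit does so only when `credentials.length == 0`; if the placeholder credentials can be non-empty here, the header would count the signature twice, so either the same guard or a comment stating that the placeholder is always empty on this path seems needed. The new `blob->length -= ...credentials.length` is unchecked, and a one-line guard such as `if (dce_conn->auth_state.auth_info->credentials.length > blob->length) return False;` would rule out an unsigned underflow before the append. The function continues outside both hunks, so later handling of `status` is not visible from here.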