ipc.c:

	debugging info.  found that data = NULL because of short packet length
	indicated from the ntlsaRPC pipe _royally_ stuffs NT's packet handling.
	maybe this should go down as a service denial bug to the ntbugtraq list.

pipes.c lsaparse.c smbparse.c :

	added more debug stuff.  added length of header to data_len in MSRPC
	fragment_length field (0x18 bytes short) which caused the above bug
	from NT 4.0.  oops.
(This used to be commit a6f8de6815e0b85bb23b302980730501ac0b87e5)

5 files changed, 62 insertions, 57 deletions

diff --git a/source3/include/proto.h b/source3/include/proto.h
index d9b6ca157b..1ac4132807 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -837,7 +837,7 @@ char* smb_io_id_info1(BOOL io, DOM_ID_INFO_1 *id, char *q, char *base, int align
 char* smb_io_sam_info(BOOL io, DOM_SAM_INFO *sam, char *q, char *base, int align);
 char* smb_io_gid(BOOL io, DOM_GID *gid, char *q, char *base, int align);
 char* smb_io_rpc_hdr(BOOL io, RPC_HDR *rpc, char *q, char *base, int align);
-char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align);
+char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align, int depth);
 char* smb_io_dom_query_3(BOOL io, DOM_QUERY_3 *d_q, char *q, char *base, int align);
 char* smb_io_dom_query_5(BOOL io, DOM_QUERY_3 *d_q, char *q, char *base, int align);
 char* smb_io_dom_query(BOOL io, DOM_QUERY *d_q, char *q, char *base, int align);
diff --git a/source3/lsaparse.c b/source3/lsaparse.c
index 462f621ece..ee73dd9a05 100644
--- a/source3/lsaparse.c
+++ b/source3/lsaparse.c
@@ -34,7 +34,7 @@ char* lsa_io_r_open_pol(BOOL io, LSA_R_OPEN_POL *r_p, char *q, char *base, int a
 	DEBUG(5,("%slsa_io_r_open_pol\n", tab_depth(depth)));
 	depth++;
 
-	q = smb_io_pol_hnd(io, &(r_p->pol), q, base, align);
+	q = smb_io_pol_hnd(io, &(r_p->pol), q, base, align, depth);
 
 	DBG_RW_IVAL("status", depth, base, io, q, r_p->status); q += 4;
 
@@ -51,7 +51,7 @@ char* lsa_io_q_query(BOOL io, LSA_Q_QUERY_INFO *q_q, char *q, char *base, int al
 	DEBUG(5,("%s%04x lsa_io_q_query\n", tab_depth(depth), PTR_DIFF(q, base)));
 	depth++;
 
-	q = smb_io_pol_hnd(io, &(q_q->pol), q, base, align);
+	q = smb_io_pol_hnd(io, &(q_q->pol), q, base, align, depth);
 
 	DBG_RW_SVAL("info_class", depth, base, io, q, q_q->info_class); q += 2;
 
@@ -113,7 +113,7 @@ char* lsa_io_q_lookup_sids(BOOL io, LSA_Q_LOOKUP_SIDS *q_s, char *q, char *base,
 
 	q = align_offset(q, base, align);
 	
-    q = smb_io_pol_hnd(io, &(q_s->pol_hnd), q, base, align); /* policy handle */
+    q = smb_io_pol_hnd(io, &(q_s->pol_hnd), q, base, align, depth); /* policy handle */
 
 	DBG_RW_IVAL("num_entries", depth, base, io, q, q_s->num_entries); q += 4;
 	DBG_RW_IVAL("buffer_dom_sid", depth, base, io, q, q_s->buffer_dom_sid); q += 4; /* undocumented domain SID buffer pointer */
@@ -182,7 +182,7 @@ char* lsa_io_q_lookup_rids(BOOL io, LSA_Q_LOOKUP_RIDS *q_r, char *q, char *base,
 
 	q = align_offset(q, base, align);
 	
-    q = smb_io_pol_hnd(io, &(q_r->pol_hnd), q, base, align); /* policy handle */
+    q = smb_io_pol_hnd(io, &(q_r->pol_hnd), q, base, align, depth); /* policy handle */
 
 	DBG_RW_IVAL("num_entries", depth, base, io, q, q_r->num_entries); q += 4;
 	DBG_RW_IVAL("num_entries2", depth, base, io, q, q_r->num_entries2); q += 4;
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index 6b255dd405..b314d41679 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -2801,30 +2801,35 @@ static int api_fd_reply(int cnum,uint16 vuid,char *outbuf,
   subcommand = setup[0];
   
   DEBUG(3,("Got API command %d on pipe %s ",subcommand,Files[fd].name));
-  DEBUG(3,("(tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d)\n",
-	   tdscnt,tpscnt,mdrcnt,mprcnt));
+  DEBUG(3,("(tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d,cnum=%d,vuid=%d)\n",
+	   tdscnt,tpscnt,mdrcnt,mprcnt,cnum,vuid));
   
   for (i=0;api_fd_commands[i].name;i++)
+  {
     if (strequal(api_fd_commands[i].pipename, Files[fd].name) &&
-	api_fd_commands[i].subcommand == subcommand &&
-	api_fd_commands[i].fn)
-      {
-	DEBUG(3,("Doing %s\n",api_fd_commands[i].name));
-	break;
-      }
+	    api_fd_commands[i].subcommand == subcommand &&
+	    api_fd_commands[i].fn)
+    {
+	  DEBUG(3,("Doing %s\n",api_fd_commands[i].name));
+	  break;
+    }
+  }
   
-  rdata = (char *)malloc(1024); if (rdata) bzero(rdata,1024);
+  rdata  = (char *)malloc(1024); if (rdata ) bzero(rdata ,1024);
   rparam = (char *)malloc(1024); if (rparam) bzero(rparam,1024);
   
+  DEBUG(10,("calling api_fd_command\n"));
+
   reply = api_fd_commands[i].fn(cnum,vuid,params,data,mdrcnt,mprcnt,
 			        &rdata,&rparam,&rdata_len,&rparam_len);
   
-  if (rdata_len > mdrcnt ||
-      rparam_len > mprcnt)
-    {
-      reply = api_TooSmall(cnum,vuid,params,data,mdrcnt,mprcnt,
+  DEBUG(10,("called api_fd_command\n"));
+
+  if (rdata_len > mdrcnt || rparam_len > mprcnt)
+  {
+    reply = api_TooSmall(cnum,vuid,params,data,mdrcnt,mprcnt,
 			   &rdata,&rparam,&rdata_len,&rparam_len);
-    }
+  }
   
   
   /* if we get False back then it's actually unsupported */
diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c
index 3bfee3e3cf..820f596572 100644
--- a/source3/smbd/pipes.c
+++ b/source3/smbd/pipes.c
@@ -482,7 +482,7 @@ static void create_rpc_reply(RPC_HDR *hdr, uint32 call_id, int data_len)
 	hdr->minor        = 0;               /* minor version 0 */
 	hdr->pkt_type     = 2;               /* RPC response packet */
 	hdr->frag         = 3;               /* first frag + last frag */
-	hdr->pack_type    = 1;               /* packed data representation */
+	hdr->pack_type    = 0x10;            /* packed data representation */
 	hdr->frag_len     = data_len;        /* fragment length, fill in later */
 	hdr->auth_len     = 0;               /* authentication length */
 	hdr->call_id      = call_id;         /* call identifier - match incoming RPC */
@@ -507,11 +507,18 @@ static int lsa_reply_open_policy(char *q, char *base)
 	char *start = q;
 	LSA_R_OPEN_POL r_o;
 
+	static char handle[20] =
+	{ 0x00, 0x00, 0x00, 0x00,
+      0x2f, 0x79, 0x0a, 0x81,
+      0xd5, 0x17, 0xd1, 0x11,
+      0x80, 0xaf, 0x96, 0xcd,
+      0x50, 0xf8, 0xbc, 0x6c
+    };
 	/* set up the LSA QUERY INFO response */
 	/* bzero(&(r_o.pol.data), POL_HND_SIZE); */
 	for (i = 0; i < POL_HND_SIZE; i++)
 	{
-		r_o.pol.data[i] = i;
+		r_o.pol.data[i] = handle[i];
 	}
 	r_o.status = 0x0;
 
@@ -960,24 +967,16 @@ static int lsa_reply_sam_logoff(LSA_Q_SAM_LOGOFF *q_s, char *q, char *base,
 static void api_lsa_open_policy( char *param, char *data,
                              char **rdata, int *rdata_len )
 {
-	int reply_len;
-
 	/* we might actually want to decode the query, but it's not necessary */
 	/* lsa_io_q_open_policy(...); */
 
-	/* return a 20 byte policy handle */
-	reply_len = lsa_reply_open_policy(*rdata + 0x18, *rdata + 0x18);
-
-	/* construct header, now that we know the reply length */
-	make_rpc_reply(data, *rdata, reply_len);
-	*rdata_len = reply_len + 0x18;
+	/* construct a 20 byte policy handle. return length*/
+	*rdata_len = lsa_reply_open_policy(*rdata + 0x18, *rdata);
 }
 
-static void api_lsa_query_info( char *param, char *data,
+static int api_lsa_query_info( char *param, char *data,
                                 char **rdata, int *rdata_len )
 {
-	int reply_len;
-
 	LSA_Q_QUERY_INFO q_i;
 	pstring dom_name;
 	pstring dom_sid;
@@ -989,19 +988,13 @@ static void api_lsa_query_info( char *param, char *data,
 	pstrcpy(dom_sid , lp_domainsid());
 
 	/* construct reply.  return status is always 0x0 */
-	reply_len = lsa_reply_query_info(&q_i, *rdata + 0x18, *rdata + 0x18, 
+	return lsa_reply_query_info(&q_i, *rdata + 0x18, *rdata, 
 									 dom_name, dom_sid);
-
-	/* construct header, now that we know the reply length */
-	make_rpc_reply(data, *rdata, reply_len);
-	*rdata_len = reply_len + 0x18;
 }
 
 static void api_lsa_lookup_sids( char *param, char *data,
                                  char **rdata, int *rdata_len )
 {
-	int reply_len;
-
 	int i;
 	LSA_Q_LOOKUP_SIDS q_l;
 	pstring dom_name;
@@ -1021,21 +1014,15 @@ static void api_lsa_lookup_sids( char *param, char *data,
 	}
 
 	/* construct reply.  return status is always 0x0 */
-	reply_len = lsa_reply_lookup_sids(*rdata + 0x18, *rdata + 0x18,
+	*rdata_len =  lsa_reply_lookup_sids(*rdata + 0x18, *rdata,
 	            q_l.num_entries, dom_sids, /* text-converted SIDs */
 				dom_name, dom_sid, /* domain name, domain SID */
 				"S-1-1", "S-1-3", "S-1-5"); /* the three other SIDs */
-
-	/* construct header, now that we know the reply length */
-	make_rpc_reply(data, *rdata, reply_len);
-	*rdata_len = reply_len + 0x18;
 }
 
 static void api_lsa_lookup_names( char *param, char *data,
                                   char **rdata, int *rdata_len )
 {
-	int reply_len;
-
 	int i;
 	LSA_Q_LOOKUP_RIDS q_l;
 	pstring dom_name;
@@ -1056,14 +1043,10 @@ static void api_lsa_lookup_names( char *param, char *data,
 	}
 
 	/* construct reply.  return status is always 0x0 */
-	reply_len = lsa_reply_lookup_rids(*rdata + 0x18, *rdata + 0x18,
+	*rdata_len = lsa_reply_lookup_rids(*rdata + 0x18, *rdata,
 	            q_l.num_entries, dom_rids, /* text-converted SIDs */
 				dom_name, dom_sid, /* domain name, domain SID */
 				"S-1-1", "S-1-3", "S-1-5"); /* the three other SIDs */
-
-	/* construct header, now that we know the reply length */
-	make_rpc_reply(data, *rdata, reply_len);
-	*rdata_len = reply_len + 0x18;
 }
 
 BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
@@ -1088,6 +1071,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
 		{
 			DEBUG(3,("LSA_OPENPOLICY\n"));
 			api_lsa_open_policy(param, data, rdata, rdata_len);
+			make_rpc_reply(data, *rdata, *rdata_len);
+
 			break;
 		}
 
@@ -1096,6 +1081,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
 			DEBUG(3,("LSA_QUERYINFOPOLICY\n"));
 
 			api_lsa_query_info(param, data, rdata, rdata_len);
+			make_rpc_reply(data, *rdata, *rdata_len);
+
 			break;
 		}
 
@@ -1157,6 +1144,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
 		{
 			DEBUG(3,("LSA_OPENSECRET\n"));
 			api_lsa_lookup_sids(param, data, rdata, rdata_len);
+			make_rpc_reply(data, *rdata, *rdata_len);
+
 			break;
 		}
 
@@ -1164,6 +1153,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
 		{
 			DEBUG(3,("LSA_LOOKUPNAMES\n"));
 			api_lsa_lookup_names(param, data, rdata, rdata_len);
+			make_rpc_reply(data, *rdata, *rdata_len);
+
 			break;
 		}
 
@@ -1657,11 +1648,17 @@ BOOL api_netlogrpcTNP(int cnum,int uid, char *param,char *data,
 		     char **rdata,char **rparam,
 		     int *rdata_len,int *rparam_len)
 {
-	uint16 opnum = SVAL(data,22);
-	int pkttype  = CVAL(data, 2);
-
+	uint16 opnum;
+	char pkttype;
 	user_struct *vuser;
 
+	DEBUG(5,("api_netlogrpcTNP data:%x\n", data));
+
+	if (data == NULL) return False;
+
+	opnum = SVAL(data,22);
+	pkttype = CVAL(data, 2);
+
 	if (pkttype == 0x0b) /* RPC BIND */
 	{
 		DEBUG(4,("netlogon rpc bind %x\n",pkttype));
@@ -1669,7 +1666,7 @@ BOOL api_netlogrpcTNP(int cnum,int uid, char *param,char *data,
 		return True;
 	}
 
-	DEBUG(4,("netlogon TransactNamedPipe op %x\n",opnum));
+	DEBUG(4,("netlogon TransactNamedPipe op %x\n", opnum));
 
 	if ((vuser = get_valid_user_struct(uid)) == NULL) return False;
 
diff --git a/source3/smbparse.c b/source3/smbparse.c
index 01438281ef..0c016c17d9 100644
--- a/source3/smbparse.c
+++ b/source3/smbparse.c
@@ -410,13 +410,16 @@ char* smb_io_rpc_hdr(BOOL io, RPC_HDR *rpc, char *q, char *base, int align)
 /*******************************************************************
 reads or writes an LSA_POL_HND structure.
 ********************************************************************/
-char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align)
+char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align, int depth)
 {
 	if (pol == NULL) return NULL;
 
+	DEBUG(5,("%ssmb_io_pol_hnd\n", tab_depth(depth)));
+	depth++;
+
 	q = align_offset(q, base, align);
 	
-	RW_PCVAL(io, q, pol->data, POL_HND_SIZE); q += POL_HND_SIZE;
+	DBG_RW_PCVAL("data", depth, base, io, q, pol->data, POL_HND_SIZE); q += POL_HND_SIZE;
 
 	return q;
 }