| field | value | date |
|---|---|---|
| author | Jeremy Allison <jra@samba.org> | 2010-02-17 15:27:59 -0800 |
| committer | Jeremy Allison <jra@samba.org> | 2010-02-17 15:27:59 -0800 |
| commit | 7b4387f765e34177000c8218f51e2c1d227504e6 (patch) | |
| tree | 8a180fa04ecf8c35e2c3977142c37e2173cee431 /source3/rpc_parse | |
| parent | 5564e7147fdbb136775b990d9a5d37d4d232d936 (diff) | |
| download | samba-7b4387f765e34177000c8218f51e2c1d227504e6.tar.gz, samba-7b4387f765e34177000c8218f51e2c1d227504e6.tar.bz2, samba-7b4387f765e34177000c8218f51e2c1d227504e6.zip | |
Fix bug #7146 - Samba mis-parses authenticated RPC packets.
Parts of the Samba RPC client and server code misinterpret authenticated
packets.
DCE authenticated packets actually look like this:

```
+--------------------------+
|header                    |
| ... frag_len (packet len)|
| ... auth_len             |
+--------------------------+
|                          |
|    Data payload          |
...                      ....
|                          |
+--------------------------+
|                          |
|  auth_pad_len bytes      |
+--------------------------+
|                          |
|  Auth footer             |
|  auth_pad_len value      |
+--------------------------+
|                          |
|  Auth payload            |
|  (auth_len bytes long)   |
+--------------------------+
```
That's right. The pad bytes come *before* the footer specifying how many pad
bytes there are. In order to read this you must seek to the end of the packet
and subtract the auth_len (in the packet header) and the auth footer length (a
known value).
The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long
as the pad alignment is on an 8 byte boundary (there are some special cases in
the code for this).
Tridge discovered there are some (DRS replication) cases where on 64-bit
machines the pad alignment is on a 16-byte boundary. This breaks the
existing S3 hand-optimized rpc code.
This patch removes all the special cases in client and server code, and allows
the pad alignment for generated packets to be specified by changing a constant
in include/local.h (this doesn't affect received packets, the new code always
handles them correctly whatever pad alignment is used).
This patch also works correctly with rpcclient using sign+seal from
the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow)
so even as a server it should still work with older libsmbclient and
winbindd code.
Jeremy
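The layout the commit message describes, as an added example that is not Samba's own code: a C routine that locates the auth footer by going to the end of the PDU and subtracting auth_len and the footer length, so the pad is taken from the footer's auth_pad_len rather than assumed from an 8-byte alignment, together with a constructed sample PDU to run it on. It assumes the footer is 8 bytes (the DCE/RPC sec_trailer size, the "known value" above) and a 24-byte request/response header; the names hdr_u16, locate_auth_footer, build_sample_pdu and body_start are chosen here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define DCERPC_HDR_LEN  16  /* common PDU header */
#define DCERPC_AUTH_LEN  8  /* auth footer length, fixed by DCE/RPC (the commit's "known value") */
struct auth_footer_info {
    size_t footer_off, auth_off;  /* offsets of the 8-byte footer and of the auth payload */
    size_t pad_len, data_len;     /* auth_pad_len from the footer; payload bytes before the pad */
};
/* frag_len and auth_len honour the drep byte-order flag (0x10 = little-endian). */
static uint16_t hdr_u16(const uint8_t *pdu, size_t off)
{
    return (pdu[4] & 0x10) ? (uint16_t)(pdu[off] | pdu[off + 1] << 8)
                           : (uint16_t)(pdu[off] << 8 | pdu[off + 1]);
}
/* Walk back from the end of the PDU rather than forward from the payload, so
 * any pad alignment (8, 16, ...) is handled. body_start is where the data
 * payload begins (24 for request/response PDUs: 16-byte header + 8). */
bool locate_auth_footer(const uint8_t *pdu, size_t len, size_t body_start,
                        struct auth_footer_info *out)
{
    if (len < DCERPC_HDR_LEN || body_start < DCERPC_HDR_LEN) return false;
    uint16_t frag_len = hdr_u16(pdu, 8), auth_len = hdr_u16(pdu, 10);
    if (frag_len > len || body_start > frag_len || auth_len == 0) return false;
    if (auth_len + DCERPC_AUTH_LEN > frag_len - body_start) return false;
    size_t footer_off = frag_len - auth_len - DCERPC_AUTH_LEN;
    uint8_t pad_len = pdu[footer_off + 2];  /* footer: auth_type, auth_level, auth_pad_len, ... */
    if (pad_len > footer_off - body_start) return false;  /* pad would overlap the header */
    out->footer_off = footer_off;
    out->auth_off = footer_off + DCERPC_AUTH_LEN;
    out->pad_len = pad_len;
    out->data_len = footer_off - body_start - pad_len;
    return true;
}
/* Constructed request PDU (not a capture) with the given payload, pad and auth sizes. */
size_t build_sample_pdu(uint8_t *buf, size_t cap, size_t data_len, uint8_t pad_len, uint16_t auth_len)
{
    size_t total = 24 + data_len + pad_len + DCERPC_AUTH_LEN + auth_len, f = 24 + data_len + pad_len;
    if (total > cap || total > 0xffff) return 0;
    memset(buf, 0, total);
    buf[0] = 5; buf[2] = 0; buf[3] = 0x03; buf[4] = 0x10;   /* v5.0, request, first|last, LE drep */
    buf[8] = (uint8_t)(total & 0xff); buf[9] = (uint8_t)(total >> 8);            /* frag_len */
    buf[10] = (uint8_t)(auth_len & 0xff); buf[11] = (uint8_t)(auth_len >> 8);    /* auth_len */
    memset(buf + 24, 0xAA, data_len);                       /* data payload, then the pad bytes */
    buf[f] = 10; buf[f + 1] = 6; buf[f + 2] = pad_len;      /* auth_type NTLMSSP, level privacy, pad */
    memset(buf + f + DCERPC_AUTH_LEN, 0xBB, auth_len);      /* auth payload follows the footer */
    return total;
}
```

Because the offset is derived from the header fields, an 11-byte pad (no 8- or 16-byte alignment at all) is located just as correctly as the aligned cases.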
Diffstat (limited to 'source3/rpc_parse')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | source3/rpc_parse/parse_rpc.c | 5 |

1 file changed, 2 insertions, 3 deletions
diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c index f720de35a1..441a00b1ea 100644 --- a/source3/rpc_parse/parse_rpc.c +++ b/source3/rpc_parse/parse_rpc.c @@ -480,6 +480,8 @@ void init_rpc_hdr_auth(RPC_HDR_AUTH *rai, /******************************************************************* Reads or writes an RPC_HDR_AUTH structure. + NB This writes UNALIGNED. Ensure you're correctly aligned before + calling. ********************************************************************/ bool smb_io_rpc_hdr_auth(const char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, int depth) @@ -490,9 +492,6 @@ bool smb_io_rpc_hdr_auth(const char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, in prs_debug(ps, depth, desc, "smb_io_rpc_hdr_auth"); depth++; - if(!prs_align(ps)) - return False; - if(!prs_uint8 ("auth_type ", ps, depth, &rai->auth_type)) return False; if(!prs_uint8 ("auth_level ", ps, depth, &rai->auth_level)) |
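Review bot: the new comment "NB This writes UNALIGNED. Ensure you're correctly aligned before calling." only covers the write direction, while the header above it says the function "Reads or writes an RPC_HDR_AUTH structure" and the alignment call removed below was on both paths. Suggest stating that smb_io_rpc_hdr_auth never aligns in either direction, that writers must pad to the alignment chosen via the constant in include/local.h before calling, and that readers must seek to frag_len minus auth_len minus the footer length (as the commit message describes) rather than rely on alignment.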
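Review bot: dropping "if(!prs_align(ps)) return False;" from smb_io_rpc_hdr_auth changes the behaviour of every caller, not only the 16-byte DRS case, and the diffstat limited to source3/rpc_parse shows no caller changes here. Please confirm that each caller elsewhere in the tree now aligns (or seeks to the computed footer offset) explicitly before the call; a caller that still expects the implicit alignment will read auth_pad_len from the wrong offset and mis-parse the trailer, which is exactly the failure this change is meant to fix.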