summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorLuke Leighton <lkcl@samba.org>1997-10-12 14:17:55 +0000
committerLuke Leighton <lkcl@samba.org>1997-10-12 14:17:55 +0000
commit60575a888aebec898fdaf0f6c0c8269607b2571f (patch)
treeb496d7a8986f5c1eb31395025d10ea4a91099219 /source3
parenta26037ac7c1ac218863f9d674dcf85293eb2f085 (diff)
downloadsamba-60575a888aebec898fdaf0f6c0c8269607b2571f.tar.gz
samba-60575a888aebec898fdaf0f6c0c8269607b2571f.tar.bz2
samba-60575a888aebec898fdaf0f6c0c8269607b2571f.zip
ipc.c:
debugging info. found that data = NULL because of short packet length indicated from the ntlsaRPC pipe _royally_ stuffs NT's packet handling. maybe this should go down as a service denial bug to the ntbugtraq list. pipes.c lsaparse.c smbparse.c : added more debug stuff. added length of header to data_len in MSRPC fragment_length field (0x18 bytes short) which caused the above bug from NT 4.0. oops. (This used to be commit a6f8de6815e0b85bb23b302980730501ac0b87e5)
Diffstat (limited to 'source3')
-rw-r--r--source3/include/proto.h2
-rw-r--r--source3/lsaparse.c8
-rw-r--r--source3/smbd/ipc.c33
-rw-r--r--source3/smbd/pipes.c69
-rw-r--r--source3/smbparse.c7
5 files changed, 62 insertions, 57 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index d9b6ca157b..1ac4132807 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -837,7 +837,7 @@ char* smb_io_id_info1(BOOL io, DOM_ID_INFO_1 *id, char *q, char *base, int align
char* smb_io_sam_info(BOOL io, DOM_SAM_INFO *sam, char *q, char *base, int align);
char* smb_io_gid(BOOL io, DOM_GID *gid, char *q, char *base, int align);
char* smb_io_rpc_hdr(BOOL io, RPC_HDR *rpc, char *q, char *base, int align);
-char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align);
+char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align, int depth);
char* smb_io_dom_query_3(BOOL io, DOM_QUERY_3 *d_q, char *q, char *base, int align);
char* smb_io_dom_query_5(BOOL io, DOM_QUERY_3 *d_q, char *q, char *base, int align);
char* smb_io_dom_query(BOOL io, DOM_QUERY *d_q, char *q, char *base, int align);
diff --git a/source3/lsaparse.c b/source3/lsaparse.c
index 462f621ece..ee73dd9a05 100644
--- a/source3/lsaparse.c
+++ b/source3/lsaparse.c
@@ -34,7 +34,7 @@ char* lsa_io_r_open_pol(BOOL io, LSA_R_OPEN_POL *r_p, char *q, char *base, int a
DEBUG(5,("%slsa_io_r_open_pol\n", tab_depth(depth)));
depth++;
- q = smb_io_pol_hnd(io, &(r_p->pol), q, base, align);
+ q = smb_io_pol_hnd(io, &(r_p->pol), q, base, align, depth);
DBG_RW_IVAL("status", depth, base, io, q, r_p->status); q += 4;
@@ -51,7 +51,7 @@ char* lsa_io_q_query(BOOL io, LSA_Q_QUERY_INFO *q_q, char *q, char *base, int al
DEBUG(5,("%s%04x lsa_io_q_query\n", tab_depth(depth), PTR_DIFF(q, base)));
depth++;
- q = smb_io_pol_hnd(io, &(q_q->pol), q, base, align);
+ q = smb_io_pol_hnd(io, &(q_q->pol), q, base, align, depth);
DBG_RW_SVAL("info_class", depth, base, io, q, q_q->info_class); q += 2;
@@ -113,7 +113,7 @@ char* lsa_io_q_lookup_sids(BOOL io, LSA_Q_LOOKUP_SIDS *q_s, char *q, char *base,
q = align_offset(q, base, align);
- q = smb_io_pol_hnd(io, &(q_s->pol_hnd), q, base, align); /* policy handle */
+ q = smb_io_pol_hnd(io, &(q_s->pol_hnd), q, base, align, depth); /* policy handle */
DBG_RW_IVAL("num_entries", depth, base, io, q, q_s->num_entries); q += 4;
DBG_RW_IVAL("buffer_dom_sid", depth, base, io, q, q_s->buffer_dom_sid); q += 4; /* undocumented domain SID buffer pointer */
@@ -182,7 +182,7 @@ char* lsa_io_q_lookup_rids(BOOL io, LSA_Q_LOOKUP_RIDS *q_r, char *q, char *base,
q = align_offset(q, base, align);
- q = smb_io_pol_hnd(io, &(q_r->pol_hnd), q, base, align); /* policy handle */
+ q = smb_io_pol_hnd(io, &(q_r->pol_hnd), q, base, align, depth); /* policy handle */
DBG_RW_IVAL("num_entries", depth, base, io, q, q_r->num_entries); q += 4;
DBG_RW_IVAL("num_entries2", depth, base, io, q, q_r->num_entries2); q += 4;
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index 6b255dd405..b314d41679 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -2801,30 +2801,35 @@ static int api_fd_reply(int cnum,uint16 vuid,char *outbuf,
subcommand = setup[0];
DEBUG(3,("Got API command %d on pipe %s ",subcommand,Files[fd].name));
- DEBUG(3,("(tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d)\n",
- tdscnt,tpscnt,mdrcnt,mprcnt));
+ DEBUG(3,("(tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d,cnum=%d,vuid=%d)\n",
+ tdscnt,tpscnt,mdrcnt,mprcnt,cnum,vuid));
for (i=0;api_fd_commands[i].name;i++)
+ {
if (strequal(api_fd_commands[i].pipename, Files[fd].name) &&
- api_fd_commands[i].subcommand == subcommand &&
- api_fd_commands[i].fn)
- {
- DEBUG(3,("Doing %s\n",api_fd_commands[i].name));
- break;
- }
+ api_fd_commands[i].subcommand == subcommand &&
+ api_fd_commands[i].fn)
+ {
+ DEBUG(3,("Doing %s\n",api_fd_commands[i].name));
+ break;
+ }
+ }
- rdata = (char *)malloc(1024); if (rdata) bzero(rdata,1024);
+ rdata = (char *)malloc(1024); if (rdata ) bzero(rdata ,1024);
rparam = (char *)malloc(1024); if (rparam) bzero(rparam,1024);
+ DEBUG(10,("calling api_fd_command\n"));
+
reply = api_fd_commands[i].fn(cnum,vuid,params,data,mdrcnt,mprcnt,
&rdata,&rparam,&rdata_len,&rparam_len);
- if (rdata_len > mdrcnt ||
- rparam_len > mprcnt)
- {
- reply = api_TooSmall(cnum,vuid,params,data,mdrcnt,mprcnt,
+ DEBUG(10,("called api_fd_command\n"));
+
+ if (rdata_len > mdrcnt || rparam_len > mprcnt)
+ {
+ reply = api_TooSmall(cnum,vuid,params,data,mdrcnt,mprcnt,
&rdata,&rparam,&rdata_len,&rparam_len);
- }
+ }
/* if we get False back then it's actually unsupported */
diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c
index 3bfee3e3cf..820f596572 100644
--- a/source3/smbd/pipes.c
+++ b/source3/smbd/pipes.c
@@ -482,7 +482,7 @@ static void create_rpc_reply(RPC_HDR *hdr, uint32 call_id, int data_len)
hdr->minor = 0; /* minor version 0 */
hdr->pkt_type = 2; /* RPC response packet */
hdr->frag = 3; /* first frag + last frag */
- hdr->pack_type = 1; /* packed data representation */
+ hdr->pack_type = 0x10; /* packed data representation */
hdr->frag_len = data_len; /* fragment length, fill in later */
hdr->auth_len = 0; /* authentication length */
hdr->call_id = call_id; /* call identifier - match incoming RPC */
@@ -507,11 +507,18 @@ static int lsa_reply_open_policy(char *q, char *base)
char *start = q;
LSA_R_OPEN_POL r_o;
+ static char handle[20] =
+ { 0x00, 0x00, 0x00, 0x00,
+ 0x2f, 0x79, 0x0a, 0x81,
+ 0xd5, 0x17, 0xd1, 0x11,
+ 0x80, 0xaf, 0x96, 0xcd,
+ 0x50, 0xf8, 0xbc, 0x6c
+ };
/* set up the LSA QUERY INFO response */
/* bzero(&(r_o.pol.data), POL_HND_SIZE); */
for (i = 0; i < POL_HND_SIZE; i++)
{
- r_o.pol.data[i] = i;
+ r_o.pol.data[i] = handle[i];
}
r_o.status = 0x0;
@@ -960,24 +967,16 @@ static int lsa_reply_sam_logoff(LSA_Q_SAM_LOGOFF *q_s, char *q, char *base,
static void api_lsa_open_policy( char *param, char *data,
char **rdata, int *rdata_len )
{
- int reply_len;
-
/* we might actually want to decode the query, but it's not necessary */
/* lsa_io_q_open_policy(...); */
- /* return a 20 byte policy handle */
- reply_len = lsa_reply_open_policy(*rdata + 0x18, *rdata + 0x18);
-
- /* construct header, now that we know the reply length */
- make_rpc_reply(data, *rdata, reply_len);
- *rdata_len = reply_len + 0x18;
+ /* construct a 20 byte policy handle. return length*/
+ *rdata_len = lsa_reply_open_policy(*rdata + 0x18, *rdata);
}
-static void api_lsa_query_info( char *param, char *data,
+static int api_lsa_query_info( char *param, char *data,
char **rdata, int *rdata_len )
{
- int reply_len;
-
LSA_Q_QUERY_INFO q_i;
pstring dom_name;
pstring dom_sid;
@@ -989,19 +988,13 @@ static void api_lsa_query_info( char *param, char *data,
pstrcpy(dom_sid , lp_domainsid());
/* construct reply. return status is always 0x0 */
- reply_len = lsa_reply_query_info(&q_i, *rdata + 0x18, *rdata + 0x18,
+ return lsa_reply_query_info(&q_i, *rdata + 0x18, *rdata,
dom_name, dom_sid);
-
- /* construct header, now that we know the reply length */
- make_rpc_reply(data, *rdata, reply_len);
- *rdata_len = reply_len + 0x18;
}
static void api_lsa_lookup_sids( char *param, char *data,
char **rdata, int *rdata_len )
{
- int reply_len;
-
int i;
LSA_Q_LOOKUP_SIDS q_l;
pstring dom_name;
@@ -1021,21 +1014,15 @@ static void api_lsa_lookup_sids( char *param, char *data,
}
/* construct reply. return status is always 0x0 */
- reply_len = lsa_reply_lookup_sids(*rdata + 0x18, *rdata + 0x18,
+ *rdata_len = lsa_reply_lookup_sids(*rdata + 0x18, *rdata,
q_l.num_entries, dom_sids, /* text-converted SIDs */
dom_name, dom_sid, /* domain name, domain SID */
"S-1-1", "S-1-3", "S-1-5"); /* the three other SIDs */
-
- /* construct header, now that we know the reply length */
- make_rpc_reply(data, *rdata, reply_len);
- *rdata_len = reply_len + 0x18;
}
static void api_lsa_lookup_names( char *param, char *data,
char **rdata, int *rdata_len )
{
- int reply_len;
-
int i;
LSA_Q_LOOKUP_RIDS q_l;
pstring dom_name;
@@ -1056,14 +1043,10 @@ static void api_lsa_lookup_names( char *param, char *data,
}
/* construct reply. return status is always 0x0 */
- reply_len = lsa_reply_lookup_rids(*rdata + 0x18, *rdata + 0x18,
+ *rdata_len = lsa_reply_lookup_rids(*rdata + 0x18, *rdata,
q_l.num_entries, dom_rids, /* text-converted SIDs */
dom_name, dom_sid, /* domain name, domain SID */
"S-1-1", "S-1-3", "S-1-5"); /* the three other SIDs */
-
- /* construct header, now that we know the reply length */
- make_rpc_reply(data, *rdata, reply_len);
- *rdata_len = reply_len + 0x18;
}
BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
@@ -1088,6 +1071,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
{
DEBUG(3,("LSA_OPENPOLICY\n"));
api_lsa_open_policy(param, data, rdata, rdata_len);
+ make_rpc_reply(data, *rdata, *rdata_len);
+
break;
}
@@ -1096,6 +1081,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
DEBUG(3,("LSA_QUERYINFOPOLICY\n"));
api_lsa_query_info(param, data, rdata, rdata_len);
+ make_rpc_reply(data, *rdata, *rdata_len);
+
break;
}
@@ -1157,6 +1144,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
{
DEBUG(3,("LSA_OPENSECRET\n"));
api_lsa_lookup_sids(param, data, rdata, rdata_len);
+ make_rpc_reply(data, *rdata, *rdata_len);
+
break;
}
@@ -1164,6 +1153,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data,
{
DEBUG(3,("LSA_LOOKUPNAMES\n"));
api_lsa_lookup_names(param, data, rdata, rdata_len);
+ make_rpc_reply(data, *rdata, *rdata_len);
+
break;
}
@@ -1657,11 +1648,17 @@ BOOL api_netlogrpcTNP(int cnum,int uid, char *param,char *data,
char **rdata,char **rparam,
int *rdata_len,int *rparam_len)
{
- uint16 opnum = SVAL(data,22);
- int pkttype = CVAL(data, 2);
-
+ uint16 opnum;
+ char pkttype;
user_struct *vuser;
+ DEBUG(5,("api_netlogrpcTNP data:%x\n", data));
+
+ if (data == NULL) return False;
+
+ opnum = SVAL(data,22);
+ pkttype = CVAL(data, 2);
+
if (pkttype == 0x0b) /* RPC BIND */
{
DEBUG(4,("netlogon rpc bind %x\n",pkttype));
@@ -1669,7 +1666,7 @@ BOOL api_netlogrpcTNP(int cnum,int uid, char *param,char *data,
return True;
}
- DEBUG(4,("netlogon TransactNamedPipe op %x\n",opnum));
+ DEBUG(4,("netlogon TransactNamedPipe op %x\n", opnum));
if ((vuser = get_valid_user_struct(uid)) == NULL) return False;
diff --git a/source3/smbparse.c b/source3/smbparse.c
index 01438281ef..0c016c17d9 100644
--- a/source3/smbparse.c
+++ b/source3/smbparse.c
@@ -410,13 +410,16 @@ char* smb_io_rpc_hdr(BOOL io, RPC_HDR *rpc, char *q, char *base, int align)
/*******************************************************************
reads or writes an LSA_POL_HND structure.
********************************************************************/
-char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align)
+char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align, int depth)
{
if (pol == NULL) return NULL;
+ DEBUG(5,("%ssmb_io_pol_hnd\n", tab_depth(depth)));
+ depth++;
+
q = align_offset(q, base, align);
- RW_PCVAL(io, q, pol->data, POL_HND_SIZE); q += POL_HND_SIZE;
+ DBG_RW_PCVAL("data", depth, base, io, q, pol->data, POL_HND_SIZE); q += POL_HND_SIZE;
return q;
}