diff options
author | Luke Leighton <lkcl@samba.org> | 1997-10-12 14:17:55 +0000 |
---|---|---|
committer | Luke Leighton <lkcl@samba.org> | 1997-10-12 14:17:55 +0000 |
commit | 60575a888aebec898fdaf0f6c0c8269607b2571f (patch) | |
tree | b496d7a8986f5c1eb31395025d10ea4a91099219 /source3 | |
parent | a26037ac7c1ac218863f9d674dcf85293eb2f085 (diff) | |
download | samba-60575a888aebec898fdaf0f6c0c8269607b2571f.tar.gz samba-60575a888aebec898fdaf0f6c0c8269607b2571f.tar.bz2 samba-60575a888aebec898fdaf0f6c0c8269607b2571f.zip |
ipc.c:
debugging info. found that data = NULL because of short packet length
indicated from the ntlsaRPC pipe _royally_ stuffs NT's packet handling.
maybe this should go down as a service denial bug to the ntbugtraq list.
pipes.c lsaparse.c smbparse.c :
added more debug stuff. added length of header to data_len in MSRPC
fragment_length field (0x18 bytes short) which caused the above bug
from NT 4.0. oops.
(This used to be commit a6f8de6815e0b85bb23b302980730501ac0b87e5)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/proto.h | 2 | ||||
-rw-r--r-- | source3/lsaparse.c | 8 | ||||
-rw-r--r-- | source3/smbd/ipc.c | 33 | ||||
-rw-r--r-- | source3/smbd/pipes.c | 69 | ||||
-rw-r--r-- | source3/smbparse.c | 7 |
5 files changed, 62 insertions, 57 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index d9b6ca157b..1ac4132807 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -837,7 +837,7 @@ char* smb_io_id_info1(BOOL io, DOM_ID_INFO_1 *id, char *q, char *base, int align char* smb_io_sam_info(BOOL io, DOM_SAM_INFO *sam, char *q, char *base, int align); char* smb_io_gid(BOOL io, DOM_GID *gid, char *q, char *base, int align); char* smb_io_rpc_hdr(BOOL io, RPC_HDR *rpc, char *q, char *base, int align); -char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align); +char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align, int depth); char* smb_io_dom_query_3(BOOL io, DOM_QUERY_3 *d_q, char *q, char *base, int align); char* smb_io_dom_query_5(BOOL io, DOM_QUERY_3 *d_q, char *q, char *base, int align); char* smb_io_dom_query(BOOL io, DOM_QUERY *d_q, char *q, char *base, int align); diff --git a/source3/lsaparse.c b/source3/lsaparse.c index 462f621ece..ee73dd9a05 100644 --- a/source3/lsaparse.c +++ b/source3/lsaparse.c @@ -34,7 +34,7 @@ char* lsa_io_r_open_pol(BOOL io, LSA_R_OPEN_POL *r_p, char *q, char *base, int a DEBUG(5,("%slsa_io_r_open_pol\n", tab_depth(depth))); depth++; - q = smb_io_pol_hnd(io, &(r_p->pol), q, base, align); + q = smb_io_pol_hnd(io, &(r_p->pol), q, base, align, depth); DBG_RW_IVAL("status", depth, base, io, q, r_p->status); q += 4; @@ -51,7 +51,7 @@ char* lsa_io_q_query(BOOL io, LSA_Q_QUERY_INFO *q_q, char *q, char *base, int al DEBUG(5,("%s%04x lsa_io_q_query\n", tab_depth(depth), PTR_DIFF(q, base))); depth++; - q = smb_io_pol_hnd(io, &(q_q->pol), q, base, align); + q = smb_io_pol_hnd(io, &(q_q->pol), q, base, align, depth); DBG_RW_SVAL("info_class", depth, base, io, q, q_q->info_class); q += 2; @@ -113,7 +113,7 @@ char* lsa_io_q_lookup_sids(BOOL io, LSA_Q_LOOKUP_SIDS *q_s, char *q, char *base, q = align_offset(q, base, align); - q = smb_io_pol_hnd(io, &(q_s->pol_hnd), q, base, align); /* policy handle */ + q = smb_io_pol_hnd(io, &(q_s->pol_hnd), q, base, align, depth); /* policy handle */ DBG_RW_IVAL("num_entries", depth, base, io, q, q_s->num_entries); q += 4; DBG_RW_IVAL("buffer_dom_sid", depth, base, io, q, q_s->buffer_dom_sid); q += 4; /* undocumented domain SID buffer pointer */ @@ -182,7 +182,7 @@ char* lsa_io_q_lookup_rids(BOOL io, LSA_Q_LOOKUP_RIDS *q_r, char *q, char *base, q = align_offset(q, base, align); - q = smb_io_pol_hnd(io, &(q_r->pol_hnd), q, base, align); /* policy handle */ + q = smb_io_pol_hnd(io, &(q_r->pol_hnd), q, base, align, depth); /* policy handle */ DBG_RW_IVAL("num_entries", depth, base, io, q, q_r->num_entries); q += 4; DBG_RW_IVAL("num_entries2", depth, base, io, q, q_r->num_entries2); q += 4; diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index 6b255dd405..b314d41679 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -2801,30 +2801,35 @@ static int api_fd_reply(int cnum,uint16 vuid,char *outbuf, subcommand = setup[0]; DEBUG(3,("Got API command %d on pipe %s ",subcommand,Files[fd].name)); - DEBUG(3,("(tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d)\n", - tdscnt,tpscnt,mdrcnt,mprcnt)); + DEBUG(3,("(tdscnt=%d,tpscnt=%d,mdrcnt=%d,mprcnt=%d,cnum=%d,vuid=%d)\n", + tdscnt,tpscnt,mdrcnt,mprcnt,cnum,vuid)); for (i=0;api_fd_commands[i].name;i++) + { if (strequal(api_fd_commands[i].pipename, Files[fd].name) && - api_fd_commands[i].subcommand == subcommand && - api_fd_commands[i].fn) - { - DEBUG(3,("Doing %s\n",api_fd_commands[i].name)); - break; - } + api_fd_commands[i].subcommand == subcommand && + api_fd_commands[i].fn) + { + DEBUG(3,("Doing %s\n",api_fd_commands[i].name)); + break; + } + } - rdata = (char *)malloc(1024); if (rdata) bzero(rdata,1024); + rdata = (char *)malloc(1024); if (rdata ) bzero(rdata ,1024); rparam = (char *)malloc(1024); if (rparam) bzero(rparam,1024); + DEBUG(10,("calling api_fd_command\n")); + reply = api_fd_commands[i].fn(cnum,vuid,params,data,mdrcnt,mprcnt, &rdata,&rparam,&rdata_len,&rparam_len); - if (rdata_len > mdrcnt || - rparam_len > mprcnt) - { - reply = api_TooSmall(cnum,vuid,params,data,mdrcnt,mprcnt, + DEBUG(10,("called api_fd_command\n")); + + if (rdata_len > mdrcnt || rparam_len > mprcnt) + { + reply = api_TooSmall(cnum,vuid,params,data,mdrcnt,mprcnt, &rdata,&rparam,&rdata_len,&rparam_len); - } + } /* if we get False back then it's actually unsupported */ diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c index 3bfee3e3cf..820f596572 100644 --- a/source3/smbd/pipes.c +++ b/source3/smbd/pipes.c @@ -482,7 +482,7 @@ static void create_rpc_reply(RPC_HDR *hdr, uint32 call_id, int data_len) hdr->minor = 0; /* minor version 0 */ hdr->pkt_type = 2; /* RPC response packet */ hdr->frag = 3; /* first frag + last frag */ - hdr->pack_type = 1; /* packed data representation */ + hdr->pack_type = 0x10; /* packed data representation */ hdr->frag_len = data_len; /* fragment length, fill in later */ hdr->auth_len = 0; /* authentication length */ hdr->call_id = call_id; /* call identifier - match incoming RPC */ @@ -507,11 +507,18 @@ static int lsa_reply_open_policy(char *q, char *base) char *start = q; LSA_R_OPEN_POL r_o; + static char handle[20] = + { 0x00, 0x00, 0x00, 0x00, + 0x2f, 0x79, 0x0a, 0x81, + 0xd5, 0x17, 0xd1, 0x11, + 0x80, 0xaf, 0x96, 0xcd, + 0x50, 0xf8, 0xbc, 0x6c + }; /* set up the LSA QUERY INFO response */ /* bzero(&(r_o.pol.data), POL_HND_SIZE); */ for (i = 0; i < POL_HND_SIZE; i++) { - r_o.pol.data[i] = i; + r_o.pol.data[i] = handle[i]; } r_o.status = 0x0; @@ -960,24 +967,16 @@ static int lsa_reply_sam_logoff(LSA_Q_SAM_LOGOFF *q_s, char *q, char *base, static void api_lsa_open_policy( char *param, char *data, char **rdata, int *rdata_len ) { - int reply_len; - /* we might actually want to decode the query, but it's not necessary */ /* lsa_io_q_open_policy(...); */ - /* return a 20 byte policy handle */ - reply_len = lsa_reply_open_policy(*rdata + 0x18, *rdata + 0x18); - - /* construct header, now that we know the reply length */ - make_rpc_reply(data, *rdata, reply_len); - *rdata_len = reply_len + 0x18; + /* construct a 20 byte policy handle. return length*/ + *rdata_len = lsa_reply_open_policy(*rdata + 0x18, *rdata); } -static void api_lsa_query_info( char *param, char *data, +static int api_lsa_query_info( char *param, char *data, char **rdata, int *rdata_len ) { - int reply_len; - LSA_Q_QUERY_INFO q_i; pstring dom_name; pstring dom_sid; @@ -989,19 +988,13 @@ static void api_lsa_query_info( char *param, char *data, pstrcpy(dom_sid , lp_domainsid()); /* construct reply. return status is always 0x0 */ - reply_len = lsa_reply_query_info(&q_i, *rdata + 0x18, *rdata + 0x18, + return lsa_reply_query_info(&q_i, *rdata + 0x18, *rdata, dom_name, dom_sid); - - /* construct header, now that we know the reply length */ - make_rpc_reply(data, *rdata, reply_len); - *rdata_len = reply_len + 0x18; } static void api_lsa_lookup_sids( char *param, char *data, char **rdata, int *rdata_len ) { - int reply_len; - int i; LSA_Q_LOOKUP_SIDS q_l; pstring dom_name; @@ -1021,21 +1014,15 @@ static void api_lsa_lookup_sids( char *param, char *data, } /* construct reply. return status is always 0x0 */ - reply_len = lsa_reply_lookup_sids(*rdata + 0x18, *rdata + 0x18, + *rdata_len = lsa_reply_lookup_sids(*rdata + 0x18, *rdata, q_l.num_entries, dom_sids, /* text-converted SIDs */ dom_name, dom_sid, /* domain name, domain SID */ "S-1-1", "S-1-3", "S-1-5"); /* the three other SIDs */ - - /* construct header, now that we know the reply length */ - make_rpc_reply(data, *rdata, reply_len); - *rdata_len = reply_len + 0x18; } static void api_lsa_lookup_names( char *param, char *data, char **rdata, int *rdata_len ) { - int reply_len; - int i; LSA_Q_LOOKUP_RIDS q_l; pstring dom_name; @@ -1056,14 +1043,10 @@ static void api_lsa_lookup_names( char *param, char *data, } /* construct reply. return status is always 0x0 */ - reply_len = lsa_reply_lookup_rids(*rdata + 0x18, *rdata + 0x18, + *rdata_len = lsa_reply_lookup_rids(*rdata + 0x18, *rdata, q_l.num_entries, dom_rids, /* text-converted SIDs */ dom_name, dom_sid, /* domain name, domain SID */ "S-1-1", "S-1-3", "S-1-5"); /* the three other SIDs */ - - /* construct header, now that we know the reply length */ - make_rpc_reply(data, *rdata, reply_len); - *rdata_len = reply_len + 0x18; } BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data, @@ -1088,6 +1071,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data, { DEBUG(3,("LSA_OPENPOLICY\n")); api_lsa_open_policy(param, data, rdata, rdata_len); + make_rpc_reply(data, *rdata, *rdata_len); + break; } @@ -1096,6 +1081,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data, DEBUG(3,("LSA_QUERYINFOPOLICY\n")); api_lsa_query_info(param, data, rdata, rdata_len); + make_rpc_reply(data, *rdata, *rdata_len); + break; } @@ -1157,6 +1144,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data, { DEBUG(3,("LSA_OPENSECRET\n")); api_lsa_lookup_sids(param, data, rdata, rdata_len); + make_rpc_reply(data, *rdata, *rdata_len); + break; } @@ -1164,6 +1153,8 @@ BOOL api_ntLsarpcTNP(int cnum,int uid, char *param,char *data, { DEBUG(3,("LSA_LOOKUPNAMES\n")); api_lsa_lookup_names(param, data, rdata, rdata_len); + make_rpc_reply(data, *rdata, *rdata_len); + break; } @@ -1657,11 +1648,17 @@ BOOL api_netlogrpcTNP(int cnum,int uid, char *param,char *data, char **rdata,char **rparam, int *rdata_len,int *rparam_len) { - uint16 opnum = SVAL(data,22); - int pkttype = CVAL(data, 2); - + uint16 opnum; + char pkttype; user_struct *vuser; + DEBUG(5,("api_netlogrpcTNP data:%x\n", data)); + + if (data == NULL) return False; + + opnum = SVAL(data,22); + pkttype = CVAL(data, 2); + if (pkttype == 0x0b) /* RPC BIND */ { DEBUG(4,("netlogon rpc bind %x\n",pkttype)); @@ -1669,7 +1666,7 @@ BOOL api_netlogrpcTNP(int cnum,int uid, char *param,char *data, return True; } - DEBUG(4,("netlogon TransactNamedPipe op %x\n",opnum)); + DEBUG(4,("netlogon TransactNamedPipe op %x\n", opnum)); if ((vuser = get_valid_user_struct(uid)) == NULL) return False; diff --git a/source3/smbparse.c b/source3/smbparse.c index 01438281ef..0c016c17d9 100644 --- a/source3/smbparse.c +++ b/source3/smbparse.c @@ -410,13 +410,16 @@ char* smb_io_rpc_hdr(BOOL io, RPC_HDR *rpc, char *q, char *base, int align) /******************************************************************* reads or writes an LSA_POL_HND structure. ********************************************************************/ -char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align) +char* smb_io_pol_hnd(BOOL io, LSA_POL_HND *pol, char *q, char *base, int align, int depth) { if (pol == NULL) return NULL; + DEBUG(5,("%ssmb_io_pol_hnd\n", tab_depth(depth))); + depth++; + q = align_offset(q, base, align); - RW_PCVAL(io, q, pol->data, POL_HND_SIZE); q += POL_HND_SIZE; + DBG_RW_PCVAL("data", depth, base, io, q, pol->data, POL_HND_SIZE); q += POL_HND_SIZE; return q; } |