From 22ab15823fde3926f4fea5538632a2215d30d435 Mon Sep 17 00:00:00 2001 From: Matthew Chapman Date: Wed, 24 Mar 1999 12:18:28 +0000 Subject: Fixed LSA Lookup Names. There were a few too many NULL pointers in a negative response, which tended to crash lsass.exe. (This used to be commit 6d03f61d2536630968007958345cf44a42b03584) --- source3/include/rpc_lsa.h | 6 ++++-- source3/lsarpcd/srv_lsa.c | 43 ++++++++++++++++++++++++++++------------- source3/rpc_client/cli_lsarpc.c | 4 ++-- source3/rpc_parse/parse_lsa.c | 27 +++++++++++++++++++------- source3/rpc_server/srv_lsa.c | 43 ++++++++++++++++++++++++++++------------- 5 files changed, 86 insertions(+), 37 deletions(-) diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h index 1bd18bc7e8..02f8a63ab8 100644 --- a/source3/include/rpc_lsa.h +++ b/source3/include/rpc_lsa.h @@ -274,7 +274,6 @@ typedef struct dom_trust_info /* DOM_R_REF */ typedef struct dom_ref_info { - uint32 undoc_buffer; /* undocumented buffer pointer. */ uint32 num_ref_doms_1; /* num referenced domains */ uint32 ptr_ref_dom; /* pointer to referenced domains */ uint32 max_entries; /* 32 - max number of entries */ @@ -336,7 +335,9 @@ typedef struct lsa_q_lookup_sids /* LSA_R_LOOKUP_SIDS - response to LSA Lookup SIDs */ typedef struct lsa_r_lookup_sids { + uint32 ptr_dom_ref; DOM_R_REF *dom_ref; /* domain reference info */ + LSA_TRANS_NAME_ENUM *names; uint32 mapped_count; @@ -364,10 +365,11 @@ typedef struct lsa_q_lookup_names /* LSA_R_LOOKUP_NAMES - response to LSA Lookup NAMEs by name */ typedef struct lsa_r_lookup_names { + uint32 ptr_dom_ref; DOM_R_REF *dom_ref; /* domain reference info */ uint32 num_entries; - uint32 undoc_buffer; /* undocumented buffer pointer */ + uint32 ptr_entries; uint32 num_entries2; DOM_RID2 *dom_rid; /* domain RIDs being looked up */ diff --git a/source3/lsarpcd/srv_lsa.c b/source3/lsarpcd/srv_lsa.c index 45ddefe592..75512036b6 100644 --- a/source3/lsarpcd/srv_lsa.c +++ b/source3/lsarpcd/srv_lsa.c 
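Review bot: The new `ptr_dom_ref` member of LSA_R_LOOKUP_SIDS is written by the server (`r_l->ptr_dom_ref = 1` in make_reply_lookup_sids) and tested by the client (`r_l.ptr_dom_ref != 0` in lsa_lookup_sids, cli_lsarpc.c @@ -399), but nothing in this patch marshals it: the diffstat's 27 changed lines for parse_lsa.c are fully accounted for by the two hunks shown, which touch only lsa_io_dom_r_ref and lsa_io_r_lookup_names. Because the leading `undoc_buffer` word is dropped from lsa_io_dom_r_ref, the Lookup-SIDs reply now loses that uint32 on the wire, and on the client the flag is read without the parser ever writing it, so the validity check inspects whatever `r_l` held beforehand (its declaration is outside this diff). lsa_io_r_lookup_sids needs the same `prs_uint32("ptr_dom_ref", ps, depth, &(r_r->ptr_dom_ref));` followed by the guarded `lsa_io_dom_r_ref` call that lsa_io_r_lookup_names now has, and the member deserves a comment, `uint32 ptr_dom_ref; /* non-zero when dom_ref follows on the wire */`.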
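Review bot: The renamed `ptr_entries` and the new `ptr_dom_ref` in LSA_R_LOOKUP_NAMES carry no comment while every neighbouring member does, so their meaning is only discoverable by reading lsa_io_r_lookup_names. Suggest `uint32 ptr_dom_ref; /* non-zero: dom_ref is present on the wire */` and `uint32 ptr_entries; /* non-zero: num_entries2 and dom_rid[] follow */`, which is exactly what the parser keys on. The struct continues past the end of the hunk.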
@@ -175,7 +175,6 @@ static int make_dom_ref(DOM_R_REF *ref, char *dom_name, DOM_SID *dom_sid) return -1; } - ref->undoc_buffer = 1; ref->num_ref_doms_1 = num+1; ref->ptr_ref_dom = 1; ref->max_entries = MAX_REF_DOMAINS; @@ -268,13 +267,27 @@ static void make_lsa_rid2s(DOM_R_REF *ref, make_reply_lookup_names ***************************************************************************/ static void make_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l, - DOM_R_REF *ref, DOM_RID2 *rid2, - uint32 mapped_count, uint32 status) + DOM_R_REF *ref, uint32 num_entries, + DOM_RID2 *rid2, uint32 mapped_count) { + r_l->ptr_dom_ref = 1; r_l->dom_ref = ref; + + r_l->num_entries = num_entries; + r_l->ptr_entries = 1; + r_l->num_entries2 = num_entries; r_l->dom_rid = rid2; + r_l->mapped_count = mapped_count; - r_l->status = status; + + if (mapped_count == 0) + { + r_l->status = 0xC0000000 | NT_STATUS_NONE_MAPPED; + } + else + { + r_l->status = 0x0; + } } /*************************************************************************** @@ -356,12 +369,21 @@ make_reply_lookup_sids ***************************************************************************/ static void make_reply_lookup_sids(LSA_R_LOOKUP_SIDS *r_l, DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *names, - uint32 mapped_count, uint32 status) + uint32 mapped_count) { + r_l->ptr_dom_ref = 1; r_l->dom_ref = ref; r_l->names = names; r_l->mapped_count = mapped_count; - r_l->status = status; + + if (mapped_count == 0) + { + r_l->status = 0xC0000000 | NT_STATUS_NONE_MAPPED; + } + else + { + r_l->status = 0x0; + } } /*************************************************************************** 
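Review bot: The status selection added to make_reply_lookup_names is duplicated verbatim in make_reply_lookup_sids in the next hunk, and the whole change is applied a second time to source3/rpc_server/srv_lsa.c, whose index line (45ddefe592..75512036b6) shows it is a byte-identical copy of this file — two copies of one file are a drift hazard on their own. A one-line helper keeps the NT status rule in one place: `static uint32 lookup_status(uint32 mapped_count) { return mapped_count == 0 ? (0xC0000000 | NT_STATUS_NONE_MAPPED) : 0x0; }` with `r_l->status = lookup_status(mapped_count);` in both builders. Separately, a partially mapped reply (0 < mapped_count < num_entries) is now reported as fully successful (0x0); Windows LSA reports that case with the success-class STATUS_SOME_NOT_MAPPED rather than 0x0, which is worth confirming against the protocol before clients start relying on status alone.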
@@ -381,7 +403,7 @@ static void lsa_reply_lookup_sids(prs_struct *rdata, /* set up the LSA Lookup SIDs response */ make_lsa_trans_names(&ref, &names, num_entries, sid, &mapped_count); - make_reply_lookup_sids(&r_l, &ref, &names, mapped_count, 0x0); + make_reply_lookup_sids(&r_l, &ref, &names, mapped_count); /* store the response in the SMB stream */ lsa_io_r_lookup_sids("", &r_l, rdata, 0); @@ -404,11 +426,7 @@ static void lsa_reply_lookup_names(prs_struct *rdata, /* set up the LSA Lookup RIDs response */ make_lsa_rid2s(&ref, rids, num_entries, names, &mapped_count); - make_reply_lookup_names(&r_l, &ref, rids, mapped_count, 0x0); - - r_l.num_entries = num_entries; - r_l.undoc_buffer = 1; - r_l.num_entries2 = num_entries; + make_reply_lookup_names(&r_l, &ref, num_entries, rids, mapped_count); /* store the response in the SMB stream */ lsa_io_r_lookup_names("", &r_l, rdata, 0); @@ -541,7 +559,6 @@ static void api_lsa_lookup_names( uint16 vuid, prs_struct *data, SMB_ASSERT_ARRAY(q_l.uni_name, q_l.num_entries); - /* construct reply. return status is always 0x0 */ lsa_reply_lookup_names(rdata, q_l.uni_name, q_l.num_entries); } diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index df45896629..1c764c8b98 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c @@ -270,7 +270,7 @@ BOOL lsa_lookup_names(struct cli_state *cli, uint16 fnum, if (p) { - if (r_l.undoc_buffer != 0 && ref.undoc_buffer != 0) + if (r_l.ptr_dom_ref != 0 && r_l.ptr_entries != 0) { valid_response = True; } @@ -399,7 +399,7 @@ BOOL lsa_lookup_sids(struct cli_state *cli, uint16 fnum, if (p) { - if (t_names.ptr_trans_names != 0 && ref.undoc_buffer != 0) + if (t_names.ptr_trans_names != 0 && r_l.ptr_dom_ref != 0) { valid_response = True; } diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c index fc21546c61..c5767735b0 100644 --- a/source3/rpc_parse/parse_lsa.c +++ b/source3/rpc_parse/parse_lsa.c 
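Review bot: `valid_response` in lsa_lookup_names (cli_lsarpc.c @@ -270) is now decided purely by two pointer flags that the peer put on the wire, not by whether the parse completed: when lsa_io_r_lookup_names takes its new `/* RPC fault */ return;` on a num_entries/num_entries2 mismatch, `r_l.ptr_entries` has already been read as non-zero, the RID loop and the trailing `mapped_count`/`status` reads are skipped, and this check still reports a valid response built on stale fields. Since the parser reads `num_entries2` before bailing out, the caller can detect the fault itself: `if (r_l.ptr_dom_ref != 0 && r_l.ptr_entries != 0 && r_l.num_entries2 == r_l.num_entries)`. The enclosing lsa_lookup_names begins and ends outside the hunk.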
@@ -71,7 +71,6 @@ static void lsa_io_dom_r_ref(char *desc, DOM_R_REF *r_r, prs_struct *ps, int de prs_align(ps); - prs_uint32("undoc_buffer ", ps, depth, &(r_r->undoc_buffer )); /* undocumented buffer pointer. */ prs_uint32("num_ref_doms_1", ps, depth, &(r_r->num_ref_doms_1)); /* num referenced domains? */ prs_uint32("ptr_ref_dom ", ps, depth, &(r_r->ptr_ref_dom )); /* undocumented buffer pointer. */ prs_uint32("max_entries ", ps, depth, &(r_r->max_entries )); /* 32 - max number of entries */ @@ -915,15 +914,29 @@ void lsa_io_r_lookup_names(char *desc, LSA_R_LOOKUP_NAMES *r_r, prs_struct *ps, prs_align(ps); - lsa_io_dom_r_ref("", r_r->dom_ref, ps, depth); /* domain reference info */ + prs_uint32("ptr_dom_ref", ps, depth, &(r_r->ptr_dom_ref)); + if (r_r->ptr_dom_ref != 0) + { + lsa_io_dom_r_ref("", r_r->dom_ref, ps, depth); + } - prs_uint32("num_entries ", ps, depth, &(r_r->num_entries)); - prs_uint32("undoc_buffer", ps, depth, &(r_r->undoc_buffer)); - prs_uint32("num_entries2", ps, depth, &(r_r->num_entries2)); + prs_uint32("num_entries", ps, depth, &(r_r->num_entries)); + prs_uint32("ptr_entries", ps, depth, &(r_r->ptr_entries)); - for (i = 0; i < r_r->num_entries2; i++) + if (r_r->ptr_entries != 0) { - smb_io_dom_rid2("", &(r_r->dom_rid[i]), ps, depth); /* domain RIDs being looked up */ + prs_uint32("num_entries2", ps, depth, &(r_r->num_entries2)); + + if (r_r->num_entries2 != r_r->num_entries) + { + /* RPC fault */ + return; + } + + for (i = 0; i < r_r->num_entries2; i++) + { + smb_io_dom_rid2("", &(r_r->dom_rid[i]), ps, depth); /* domain RIDs being looked up */ + } } prs_uint32("mapped_count", ps, depth, &(r_r->mapped_count)); diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c index 45ddefe592..75512036b6 100644 --- a/source3/rpc_server/srv_lsa.c +++ b/source3/rpc_server/srv_lsa.c 
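Review bot: In the new `ptr_entries` branch of lsa_io_r_lookup_names, `num_entries2` is checked only for equality with `num_entries`, and on the client side both are wire values, so the `smb_io_dom_rid2` loop indexes the caller-supplied `dom_rid` array by a peer-chosen count with no check against that array's capacity — the equality test keeps the two counts consistent but does not bound them. The fault path also returns silently from a void function, leaving `mapped_count` and `status` unread with no indication to the caller. Suggest `if (r_r->num_entries2 != r_r->num_entries || r_r->num_entries2 > DOM_RID_CAPACITY)` where DOM_RID_CAPACITY is a placeholder for the element count the callers size `dom_rid` to (declared with the callers' arrays, outside this diff), and on that path `r_r->ptr_entries = 0;` before the return so callers keying on the pointer flag see the failure. The function begins and ends outside the hunk.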
@@ -175,7 +175,6 @@ static int make_dom_ref(DOM_R_REF *ref, char *dom_name, DOM_SID *dom_sid) return -1; } - ref->undoc_buffer = 1; ref->num_ref_doms_1 = num+1; ref->ptr_ref_dom = 1; ref->max_entries = MAX_REF_DOMAINS; @@ -268,13 +267,27 @@ static void make_lsa_rid2s(DOM_R_REF *ref, make_reply_lookup_names ***************************************************************************/ static void make_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l, - DOM_R_REF *ref, DOM_RID2 *rid2, - uint32 mapped_count, uint32 status) + DOM_R_REF *ref, uint32 num_entries, + DOM_RID2 *rid2, uint32 mapped_count) { + r_l->ptr_dom_ref = 1; r_l->dom_ref = ref; + + r_l->num_entries = num_entries; + r_l->ptr_entries = 1; + r_l->num_entries2 = num_entries; r_l->dom_rid = rid2; + r_l->mapped_count = mapped_count; - r_l->status = status; + + if (mapped_count == 0) + { + r_l->status = 0xC0000000 | NT_STATUS_NONE_MAPPED; + } + else + { + r_l->status = 0x0; + } } /*************************************************************************** @@ -356,12 +369,21 @@ make_reply_lookup_sids ***************************************************************************/ static void make_reply_lookup_sids(LSA_R_LOOKUP_SIDS *r_l, DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *names, - uint32 mapped_count, uint32 status) + uint32 mapped_count) { + r_l->ptr_dom_ref = 1; r_l->dom_ref = ref; r_l->names = names; r_l->mapped_count = mapped_count; - r_l->status = status; + + if (mapped_count == 0) + { + r_l->status = 0xC0000000 | NT_STATUS_NONE_MAPPED; + } + else + { + r_l->status = 0x0; + } } /*************************************************************************** 
@@ -381,7 +403,7 @@ static void lsa_reply_lookup_sids(prs_struct *rdata, /* set up the LSA Lookup SIDs response */ make_lsa_trans_names(&ref, &names, num_entries, sid, &mapped_count); - make_reply_lookup_sids(&r_l, &ref, &names, mapped_count, 0x0); + make_reply_lookup_sids(&r_l, &ref, &names, mapped_count); /* store the response in the SMB stream */ lsa_io_r_lookup_sids("", &r_l, rdata, 0); @@ -404,11 +426,7 @@ static void lsa_reply_lookup_names(prs_struct *rdata, /* set up the LSA Lookup RIDs response */ make_lsa_rid2s(&ref, rids, num_entries, names, &mapped_count); - make_reply_lookup_names(&r_l, &ref, rids, mapped_count, 0x0); - - r_l.num_entries = num_entries; - r_l.undoc_buffer = 1; - r_l.num_entries2 = num_entries; + make_reply_lookup_names(&r_l, &ref, num_entries, rids, mapped_count); /* store the response in the SMB stream */ lsa_io_r_lookup_names("", &r_l, rdata, 0); @@ -541,7 +559,6 @@ static void api_lsa_lookup_names( uint16 vuid, prs_struct *data, SMB_ASSERT_ARRAY(q_l.uni_name, q_l.num_entries); - /* construct reply. return status is always 0x0 */ lsa_reply_lookup_names(rdata, q_l.uni_name, q_l.num_entries); } -- cgit