From 2544ba6a0a1b9c4bacc93262b8e776bf98456252 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Thu, 5 Mar 2009 22:20:55 +0100
Subject: Complete the fix for bug 6100

According to [MS-RPCE].pdf, section 2.2.2.11:

----
A client or a server that (during composing of a PDU) has allocated more space
for the authentication token than the security provider fills in SHOULD fill in
the rest of the allocated space with zero octets. These zero octets are still
considered to belong to the authentication token part of the PDU.<36>
----

RPC implementations are allowed to send padding bytes at the end of an auth
footer. Windows 7 makes use of this.

Thanks to Nick Meier <nmeier@microsoft.com>

Volker
---
 source3/rpc_server/srv_pipe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'source3/rpc_server/srv_pipe.c')

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 09b1f66440..ac491b9e53 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -2113,7 +2113,7 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 
 	auth_len = p->hdr.auth_len;
 
-	if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
 		DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
 		return False;
 	}
-- 
cgit 


From 4e74d811aa9f85a4cb7896c0fcc21552d1910cf5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 5 Mar 2009 21:06:48 -0800
Subject: Now we're allowing a lower bound for auth_len, ensure we also check
 for an upper one (integer wrap). Jeremy.

---
 source3/rpc_server/srv_pipe.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'source3/rpc_server/srv_pipe.c')

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ac491b9e53..6becfa42e8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -2113,7 +2113,11 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 
 	auth_len = p->hdr.auth_len;
 
-	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+			auth_len < RPC_HEADER_LEN +
+					RPC_HDR_REQ_LEN +
+					RPC_HDR_AUTH_LEN +
+					auth_len) {
 		DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
 		return False;
 	}
-- 
cgit 


From 67d12e9c6bc9e34ecc335ddfc85fc59ed9167b68 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 5 Mar 2009 22:00:22 -0800
Subject: Get the sense of the integer wrap test the right way around. Sorry.
 Jeremy.

---
 source3/rpc_server/srv_pipe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'source3/rpc_server/srv_pipe.c')

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 6becfa42e8..f3ee18da5a 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -2114,7 +2114,7 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 	auth_len = p->hdr.auth_len;
 
 	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
-			auth_len < RPC_HEADER_LEN +
+			auth_len > RPC_HEADER_LEN +
 					RPC_HDR_REQ_LEN +
 					RPC_HDR_AUTH_LEN +
 					auth_len) {
-- 
cgit