From 100d37fc4624690423f6a932709b3f9046d05c64 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 15 Jul 2010 10:28:59 -0400 Subject: s3-dcerpc: Use DATA_BLOB for pipes_struct input data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Günther Deschner --- source3/include/ntdomain.h | 3 +- source3/librpc/gen_ndr/README | 1 - source3/rpc_server/rpc_ncacn_np_internal.c | 26 ++----------- source3/rpc_server/srv_pipe.c | 19 ++++----- source3/rpc_server/srv_pipe_hnd.c | 62 +++++++----------------------- source3/winbindd/winbindd_dual_ndr.c | 4 +- 6 files changed, 29 insertions(+), 86 deletions(-) delete mode 100644 source3/librpc/gen_ndr/README (limited to 'source3') diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index f0a97ac24e..524c9ecc9b 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -105,7 +105,8 @@ typedef struct _input_data { * the rpc headers and auth footers removed. * The maximum length of this (1Mb) is strictly enforced. */ - prs_struct data; + DATA_BLOB data; + } input_data; struct handle_list; diff --git a/source3/librpc/gen_ndr/README b/source3/librpc/gen_ndr/README deleted file mode 100644 index 0c1fd160a5..0000000000 --- a/source3/librpc/gen_ndr/README +++ /dev/null @@ -1 +0,0 @@ -This contains the generated files from PIDL for the IDL files in ../idl/*.idl diff --git a/source3/rpc_server/rpc_ncacn_np_internal.c b/source3/rpc_server/rpc_ncacn_np_internal.c index ceda2c781c..b79b479a08 100644 --- a/source3/rpc_server/rpc_ncacn_np_internal.c +++ b/source3/rpc_server/rpc_ncacn_np_internal.c @@ -144,20 +144,6 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx, return NULL; } - /* - * Initialize the incoming RPC data buffer with one PDU worth of memory. - * We cheat here and say we're marshalling, as we intend to add incoming - * data directly into the prs_struct and we want it to auto grow. We will - * change the type to UNMARSALLING before processing the stream. - */ - - if(!prs_init(&p->in_data.data, 128, p->mem_ctx, MARSHALL)) { - DEBUG(0,("open_rpc_pipe_p: malloc fail for in_data struct.\n")); - close_policy_by_pipe(p); - TALLOC_FREE(p); - return NULL; - } - p->server_info = copy_serverinfo(p, server_info); if (p->server_info == NULL) { DEBUG(0, ("open_rpc_pipe_p: copy_serverinfo failed\n")); @@ -194,8 +180,6 @@ static NTSTATUS internal_ndr_push(TALLOC_CTX *mem_ctx, const struct ndr_interface_call *call; struct ndr_push *push; enum ndr_err_code ndr_err; - DATA_BLOB blob; - bool ret; if (!ndr_syntax_id_equal(&table->syntax_id, &cli->abstract_syntax) || (opnum >= table->num_calls)) { @@ -220,12 +204,10 @@ static NTSTATUS internal_ndr_push(TALLOC_CTX *mem_ctx, return ndr_map_error2ntstatus(ndr_err); } - blob = ndr_push_blob(push); - ret = prs_init_data_blob(&cli->pipes_struct->in_data.data, &blob, mem_ctx); + cli->pipes_struct->in_data.data = ndr_push_blob(push); + talloc_steal(cli->pipes_struct->mem_ctx, + cli->pipes_struct->in_data.data.data); TALLOC_FREE(push); - if (!ret) { - return NT_STATUS_NO_MEMORY; - } return NT_STATUS_OK; } @@ -317,7 +299,7 @@ static NTSTATUS rpc_pipe_internal_dispatch(struct rpc_pipe_client *cli, return status; } - prs_mem_free(&cli->pipes_struct->in_data.data); + data_blob_free(&cli->pipes_struct->in_data.data); data_blob_free(&cli->pipes_struct->out_data.rdata); return NT_STATUS_OK; diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 29b6d8e261..eae8a7dbf2 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -1719,7 +1719,9 @@ static bool api_rpcTNP(pipes_struct *p, struct ncacn_packet *pkt, fstring name; slprintf(name, sizeof(name)-1, "in_%s", get_pipe_name_from_syntax(talloc_tos(), &p->syntax)); - prs_dump(name, pkt->u.request.opnum, &p->in_data.data); + prs_dump_region(name, pkt->u.request.opnum, + p->in_data.data.data, 0, + p->in_data.data.length); } for (fn_num = 0; fn_num < n_cmds; fn_num++) { @@ -1783,18 +1785,11 @@ static bool api_rpcTNP(pipes_struct *p, struct ncacn_packet *pkt, get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); /* Check for buffer underflow in rpc parsing */ - - if ((DEBUGLEVEL >= 10) && - (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) { - size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data); - char *data = (char *)SMB_MALLOC(data_len); - + if ((DEBUGLEVEL >= 10) && + (pkt->frag_length < p->in_data.data.length)) { DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n")); - if (data) { - prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len); - SAFE_FREE(data); - } - + dump_data(10, p->in_data.data.data + pkt->frag_length, + p->in_data.data.length - pkt->frag_length); } return True; diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index f2fb76ea49..3055e1a29c 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -56,7 +56,7 @@ static bool pipe_init_outgoing_data(pipes_struct *p) static void set_incoming_fault(pipes_struct *p) { - prs_mem_free(&p->in_data.data); + data_blob_free(&p->in_data.data); p->in_data.pdu_needed_len = 0; p->in_data.pdu.length = 0; p->fault_state = True; @@ -145,21 +145,12 @@ static void free_pipe_context(pipes_struct *p) { data_blob_free(&p->out_data.frag); data_blob_free(&p->out_data.rdata); - prs_mem_free(&p->in_data.data); + data_blob_free(&p->in_data.data); DEBUG(3, ("free_pipe_context: " "destroying talloc pool of size %lu\n", (unsigned long)talloc_total_size(p->mem_ctx))); talloc_free_children(p->mem_ctx); - /* - * Re-initialize to set back to marshalling and set the - * offset back to the start of the buffer. - */ - if(!prs_init(&p->in_data.data, 128, p->mem_ctx, MARSHALL)) { - DEBUG(0, ("free_pipe_context: " - "rps_init failed!\n")); - p->fault_state = True; - } } /**************************************************************************** @@ -348,10 +339,10 @@ static bool process_request_pdu(pipes_struct *p, struct ncacn_packet *pkt) * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002 */ - if (prs_offset(&p->in_data.data) + data.length > MAX_RPC_DATA_SIZE) { + if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) { DEBUG(0, ("process_request_pdu: " "rpc data buffer too large (%u) + (%u)\n", - (unsigned int)prs_data_size(&p->in_data.data), + (unsigned int)p->in_data.data.length, (unsigned int)data.length)); set_incoming_fault(p); return False; @@ -361,14 +352,16 @@ static bool process_request_pdu(pipes_struct *p, struct ncacn_packet *pkt) * Append the data portion into the buffer and return. */ - if (!prs_copy_data_in(&p->in_data.data, - (char *)data.data, data.length)) { - DEBUG(0, ("process_request_pdu: Unable to append data size %u " - "to parse buffer of size %u.\n", - (unsigned int)data.length, - (unsigned int)prs_data_size(&p->in_data.data))); - set_incoming_fault(p); - return False; + if (data.length) { + if (!data_blob_append(p->mem_ctx, &p->in_data.data, + data.data, data.length)) { + DEBUG(0, ("Unable to append data size %u " + "to parse buffer of size %u.\n", + (unsigned int)data.length, + (unsigned int)p->in_data.data.length)); + set_incoming_fault(p); + return False; + } } if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) { @@ -378,31 +371,9 @@ static bool process_request_pdu(pipes_struct *p, struct ncacn_packet *pkt) * Call the rpc command to process it. */ - /* - * Ensure the internal prs buffer size is *exactly* the same - * size as the current offset. - */ - - if (!prs_set_buffer_size(&p->in_data.data, - prs_offset(&p->in_data.data))) { - DEBUG(0, ("process_request_pdu: " - "Call to prs_set_buffer_size failed!\n")); - set_incoming_fault(p); - return False; - } - - /* - * Set the parse offset to the start of the data and set the - * prs_struct to UNMARSHALL. - */ - - prs_set_offset(&p->in_data.data, 0); - prs_switch_type(&p->in_data.data, UNMARSHALL); - /* * Process the complete data stream here. */ - if (pipe_init_outgoing_data(p)) { ret = api_pipe_request(p, pkt); } @@ -454,7 +425,6 @@ static void process_complete_pdu(pipes_struct *p) } else { p->endian = RPC_BIG_ENDIAN; } - prs_set_endian_data(&p->in_data.data, p->endian); DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype)); @@ -591,10 +561,6 @@ static void process_complete_pdu(pipes_struct *p) } done: - /* Reset to little endian. - * Probably don't need this but it won't hurt. */ - prs_set_endian_data(&p->in_data.data, RPC_LITTLE_ENDIAN); - if (!reply) { DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on " "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(), diff --git a/source3/winbindd/winbindd_dual_ndr.c b/source3/winbindd/winbindd_dual_ndr.c index 08d92d45e6..f67a48dfeb 100644 --- a/source3/winbindd/winbindd_dual_ndr.c +++ b/source3/winbindd/winbindd_dual_ndr.c @@ -264,8 +264,8 @@ enum winbindd_result winbindd_dual_ndrcmd(struct winbindd_domain *domain, ZERO_STRUCT(p); p.mem_ctx = talloc_stackframe(); - p.in_data.data.buffer_size = state->request->extra_len; - p.in_data.data.data_p = state->request->extra_data.data; + p.in_data.data = data_blob_const(state->request->extra_data.data, + state->request->extra_len); ret = fns[state->request->data.ndrcmd].fn(&p); if (!ret) { -- cgit