From 3c203ab927b0ec793ec431199526bb218cc6e2bc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 23 Oct 2006 06:08:25 +0000
Subject: r19465: Rather than use the non-standard API for determining the
 signature length, use the amount the wapped message expanded by.

This works, because GSSAPI doesn't do AEAD (signing of headers), and
so changing the signature length after the fact is valid.

Andrew Bartlett
(This used to be commit bd1e0f679c8f2b9755051b8d34114fa127a7cf26)
---
 source4/librpc/rpc/dcerpc.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

(limited to 'source4/librpc/rpc/dcerpc.c')

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index bfdf93a0f3..53d0e1b65b 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -369,6 +369,9 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
 	switch (c->security_state.auth_info->auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		/* We hope this length is accruate.  If must be if the
+		 * GENSEC mech does AEAD signing of the packet
+		 * headers */
 		c->security_state.auth_info->credentials
 			= data_blob_talloc(mem_ctx, NULL, gensec_sig_size(c->security_state.generic_state, 
 									  payload_length));
@@ -405,6 +408,8 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
 	   in these earlier as we don't know the signature length (it
 	   could be variable length) */
 	dcerpc_set_frag_length(blob, blob->length);
+	/* We hope this value is accruate.  If must be if the GENSEC
+	 * mech does AEAD signing of the packet headers */
 	dcerpc_set_auth_length(blob, c->security_state.auth_info->credentials.length);
 
 	/* sign or seal the packet */
@@ -421,7 +426,20 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
-		memcpy(blob->data + blob->length - creds2.length, creds2.data, creds2.length);
+		status = data_blob_realloc(mem_ctx, blob,
+					   blob->length - c->security_state.auth_info->credentials.length + 
+					   creds2.length);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+		memcpy(blob->data + blob->length - c->security_state.auth_info->credentials.length,
+		       creds2.data, creds2.length);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+		dcerpc_set_auth_length(blob, creds2.length);
 		break;
 
 	case DCERPC_AUTH_LEVEL_INTEGRITY:
@@ -436,7 +454,20 @@ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
-		memcpy(blob->data + blob->length - creds2.length, creds2.data, creds2.length);
+		status = data_blob_realloc(mem_ctx, blob,
+					   blob->length - c->security_state.auth_info->credentials.length + 
+					   creds2.length);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+		memcpy(blob->data + blob->length - c->security_state.auth_info->credentials.length,
+		       creds2.data, creds2.length);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+		dcerpc_set_auth_length(blob, creds2.length);
 		break;
 
 	case DCERPC_AUTH_LEVEL_CONNECT:
-- 
cgit