/* Unix SMB/CIFS implementation. simple kerberos5/SPNEGO routines Copyright (C) Andrew Tridgell 2001 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 Copyright (C) Andrew Bartlett 2002-2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ #include "includes.h" #include "libcli/auth/msrpc_parse.h" /* this is a tiny msrpc packet generator. I am only using this to avoid tying this code to a particular varient of our rpc code. This generator is not general enough for all our rpc needs, its just enough for the spnego/ntlmssp code format specifiers are: U = unicode string (input is unix string) a = address (input is char *unix_string) (1 byte type, 1 byte length, unicode/ASCII string, all inline) A = ASCII string (input is unix string) B = data blob (pointer + length) b = data blob in header (pointer + length) D d = word (4 bytes) C = constant ascii string */ bool msrpc_gen(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, const char *format, ...) { int i, j; bool ret; va_list ap; char *s; uint8_t *b; int head_size=0, data_size=0; int head_ofs, data_ofs; int *intargs; size_t n; DATA_BLOB *pointers; pointers = talloc_array(mem_ctx, DATA_BLOB, strlen(format)); intargs = talloc_array(pointers, int, strlen(format)); /* first scan the format to work out the header and body size */ va_start(ap, format); for (i=0; format[i]; i++) { switch (format[i]) { case 'U': s = va_arg(ap, char *); head_size += 8; ret = push_ucs2_talloc( pointers, (smb_ucs2_t **)(void *)&pointers[i].data, s, &n); if (!ret) { va_end(ap); return false; } pointers[i].length = n; pointers[i].length -= 2; data_size += pointers[i].length; break; case 'A': s = va_arg(ap, char *); head_size += 8; ret = push_ascii_talloc( pointers, (char **)(void *)&pointers[i].data, s, &n); if (!ret) { va_end(ap); return false; } pointers[i].length = n; pointers[i].length -= 1; data_size += pointers[i].length; break; case 'a': j = va_arg(ap, int); intargs[i] = j; s = va_arg(ap, char *); ret = push_ucs2_talloc( pointers, (smb_ucs2_t **)(void *)&pointers[i].data, s, &n); if (!ret) { va_end(ap); return false; } pointers[i].length = n; pointers[i].length -= 2; data_size += pointers[i].length + 4; break; case 'B': b = va_arg(ap, uint8_t *); head_size += 8; pointers[i].data = b; pointers[i].length = va_arg(ap, int); data_size += pointers[i].length; break; case 'b': b = va_arg(ap, uint8_t *); pointers[i].data = b; pointers[i].length = va_arg(ap, int); head_size += pointers[i].length; break; case 'd': j = va_arg(ap, int); intargs[i] = j; head_size += 4; break; case 'C': s = va_arg(ap, char *); pointers[i].data = (uint8_t *)s; pointers[i].length = strlen(s)+1; head_size += pointers[i].length; break; } } va_end(ap); /* allocate the space, then scan the format again to fill in the values */ *blob = data_blob_talloc(mem_ctx, NULL, head_size + data_size); head_ofs = 0; data_ofs = head_size; va_start(ap, format); for (i=0; format[i]; i++) { switch (format[i]) { case 'U': case 'A': case 'B': n = pointers[i].length; SSVAL(blob->data, head_ofs, n); head_ofs += 2; SSVAL(blob->data, head_ofs, n); head_ofs += 2; SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4; if (pointers[i].data && n) /* don't follow null pointers... */ memcpy(blob->data+data_ofs, pointers[i].data, n); data_ofs += n; break; case 'a': j = intargs[i]; SSVAL(blob->data, data_ofs, j); data_ofs += 2; n = pointers[i].length; SSVAL(blob->data, data_ofs, n); data_ofs += 2; if (n >= 0) { memcpy(blob->data+data_ofs, pointers[i].data, n); } data_ofs += n; break; case 'd': j = intargs[i]; SIVAL(blob->data, head_ofs, j); head_ofs += 4; break; case 'b': n = pointers[i].length; if (pointers[i].data && n) { /* don't follow null pointers... */ memcpy(blob->data + head_ofs, pointers[i].data, n); } head_ofs += n; break; case 'C': n = pointers[i].length; memcpy(blob->data + head_ofs, pointers[i].data, n); head_ofs += n; break; } } va_end(ap); talloc_free(pointers); return true; } /* a helpful macro to avoid running over the end of our blob */ #define NEED_DATA(amount) \ if ((head_ofs + amount) > blob->length) { \ va_end(ap); \ return false; \ } /** this is a tiny msrpc packet parser. This the the partner of msrpc_gen format specifiers are: U = unicode string (output is unix string) A = ascii string B = data blob b = data blob in header d = word (4 bytes) C = constant ascii string */ bool msrpc_parse(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, const char *format, ...) { int i; va_list ap; char **ps, *s; DATA_BLOB *b; size_t head_ofs = 0; uint16_t len1, len2; uint32_t ptr; uint32_t *v; size_t p_len = 1024; char *p = talloc_array(mem_ctx, char, p_len); bool ret = true; va_start(ap, format); for (i=0; format[i]; i++) { switch (format[i]) { case 'U': NEED_DATA(8); len1 = SVAL(blob->data, head_ofs); head_ofs += 2; len2 = SVAL(blob->data, head_ofs); head_ofs += 2; ptr = IVAL(blob->data, head_ofs); head_ofs += 4; ps = va_arg(ap, char **); if (len1 == 0 && len2 == 0) { *ps = (char *)discard_const(""); } else { /* make sure its in the right format - be strict */ if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { ret = false; goto cleanup; } if (len1 & 1) { /* if odd length and unicode */ ret = false; goto cleanup; } if (blob->data + ptr < (uint8_t *)(uintptr_t)ptr || blob->data + ptr < blob->data) { ret = false; goto cleanup; } if (0 < len1) { size_t pull_len; if (!convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX, blob->data + ptr, len1, ps, &pull_len, false)) { ret = false; goto cleanup; } } else { (*ps) = (char *)discard_const(""); } } break; case 'A': NEED_DATA(8); len1 = SVAL(blob->data, head_ofs); head_ofs += 2; len2 = SVAL(blob->data, head_ofs); head_ofs += 2; ptr = IVAL(blob->data, head_ofs); head_ofs += 4; ps = (char **)va_arg(ap, char **); /* make sure its in the right format - be strict */ if (len1 == 0 && len2 == 0) { *ps = (char *)discard_const(""); } else { if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { ret = false; goto cleanup; } if (blob->data + ptr < (uint8_t *)(uintptr_t)ptr || blob->data + ptr < blob->data) { ret = false; goto cleanup; } if (0 < len1) { size_t pull_len; if (!convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX, blob->data + ptr, len1, ps, &pull_len, false)) { ret = false; goto cleanup; } } else { (*ps) = (char *)discard_const(""); } } break; case 'B': NEED_DATA(8); len1 = SVAL(blob->data, head_ofs); head_ofs += 2; len2 = SVAL(blob->data, head_ofs); head_ofs += 2; ptr = IVAL(blob->data, head_ofs); head_ofs += 4; b = (DATA_BLOB *)va_arg(ap, void *); if (len1 == 0 && len2 == 0) { *b = data_blob_talloc(mem_ctx, NULL, 0); } else { /* make sure its in the right format - be strict */ if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { ret = false; goto cleanup; } if (blob->data + ptr < (uint8_t *)(uintptr_t)ptr || blob->data + ptr < blob->data) { ret = false; goto cleanup; } *b = data_blob_talloc(mem_ctx, blob->data + ptr, len1); } break; case 'b': b = (DATA_BLOB *)va_arg(ap, void *); len1 = va_arg(ap, unsigned int); /* make sure its in the right format - be strict */ NEED_DATA(len1); if (blob->data + head_ofs < (uint8_t *)head_ofs || blob->data + head_ofs < blob->data) { ret = false; goto cleanup; } *b = data_blob_talloc(mem_ctx, blob->data + head_ofs, len1); head_ofs += len1; break; case 'd': v = va_arg(ap, uint32_t *); NEED_DATA(4); *v = IVAL(blob->data, head_ofs); head_ofs += 4; break; case 'C': s = va_arg(ap, char *); if (blob->data + head_ofs < (uint8_t *)head_ofs || blob->data + head_ofs < blob->data || (head_ofs + (strlen(s) + 1)) > blob->length) { ret = false; goto cleanup; } if (memcmp(blob->data + head_ofs, s, strlen(s)+1) != 0) { ret = false; goto cleanup; } head_ofs += (strlen(s) + 1); break; } } cleanup: va_end(ap); talloc_free(p); return ret; }