1998-11-12 19:07:00 +03:00
/*
2002-01-30 09:08:46 +03:00
* Unix SMB / CIFS implementation .
1998-11-12 19:07:00 +03:00
* RPC Pipe client / server routines
2010-02-19 03:12:04 +03:00
* Almost completely rewritten by ( C ) Jeremy Allison 2005 - 2010
1998-11-12 19:07:00 +03:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
* the Free Software Foundation ; either version 3 of the License , or
1998-11-12 19:07:00 +03:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
2007-07-10 09:23:25 +04:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
1998-11-12 19:07:00 +03:00
*/
/* this module apparently provides an implementation of DCE/RPC over a
* named pipe ( IPC $ connection using SMBtrans ) . details of DCE / RPC
* documentation are available ( in on - line form ) from the X - Open group .
*
* this module should provide a level of abstraction between SMB
* and DCE / RPC , while minimising the amount of mallocs , unnecessary
* data copies , and network traffic .
*
*/
# include "includes.h"
2011-02-26 01:20:06 +03:00
# include "system/filesys.h"
2010-06-04 00:01:46 +04:00
# include "srv_pipe_internal.h"
2015-07-07 17:06:59 +03:00
# include "../librpc/gen_ndr/ndr_dcerpc.h"
2012-10-10 12:47:20 +04:00
# include "../librpc/rpc/rpc_common.h"
2011-12-21 08:09:29 +04:00
# include "dcesrv_auth_generic.h"
2010-07-17 23:22:26 +04:00
# include "rpc_server.h"
2010-08-18 20:26:17 +04:00
# include "rpc_dce.h"
2011-03-23 01:49:33 +03:00
# include "smbd/smbd.h"
2011-03-24 14:08:15 +03:00
# include "auth.h"
2011-03-25 00:33:07 +03:00
# include "ntdomain.h"
2011-05-02 15:27:45 +04:00
# include "rpc_server/srv_pipe.h"
2011-05-31 12:28:39 +04:00
# include "rpc_server/rpc_contexts.h"
2011-10-12 15:55:34 +04:00
# include "lib/param/param.h"
2013-09-18 12:58:16 +04:00
# include "librpc/ndr/ndr_table.h"
2014-01-04 01:56:03 +04:00
# include "auth/gensec/gensec.h"
2014-01-10 16:56:06 +04:00
# include "librpc/ndr/ndr_dcerpc.h"
2016-03-18 06:40:30 +03:00
# include "lib/tsocket/tsocket.h"
2015-08-07 10:50:30 +03:00
# include "../librpc/gen_ndr/ndr_samr.h"
# include "../librpc/gen_ndr/ndr_lsa.h"
# include "../librpc/gen_ndr/ndr_netlogon.h"
2016-03-26 10:47:42 +03:00
# include "../librpc/gen_ndr/ndr_epmapper.h"
# include "../librpc/gen_ndr/ndr_echo.h"
1998-11-12 19:07:00 +03:00
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_RPC_SRV
2014-04-23 12:42:12 +04:00
static NTSTATUS pipe_auth_verify_final ( struct pipes_struct * p ) ;
2010-07-16 00:54:14 +04:00
/**
* Dump everything from the start of the end up of the provided data
* into a file , but only at debug level > = 50
* */
static void dump_pdu_region ( const char * name , int v ,
DATA_BLOB * data , size_t start , size_t end )
{
int fd , i ;
char * fname = NULL ;
ssize_t sz ;
if ( DEBUGLEVEL < 50 ) return ;
if ( start > data - > length | | end > data - > length | | start > end ) return ;
for ( i = 1 ; i < 100 ; i + + ) {
if ( v ! = - 1 ) {
fname = talloc_asprintf ( talloc_tos ( ) ,
" /tmp/%s_%d.%d.prs " ,
name , v , i ) ;
} else {
fname = talloc_asprintf ( talloc_tos ( ) ,
" /tmp/%s_%d.prs " ,
name , i ) ;
}
if ( ! fname ) {
return ;
}
fd = open ( fname , O_WRONLY | O_CREAT | O_EXCL , 0644 ) ;
if ( fd ! = - 1 | | errno ! = EEXIST ) break ;
}
if ( fd ! = - 1 ) {
sz = write ( fd , data - > data + start , end - start ) ;
i = close ( fd ) ;
if ( ( sz ! = end - start ) | | ( i ! = 0 ) ) {
DEBUG ( 0 , ( " Error writing/closing %s: %ld!=%ld %d \n " ,
fname , ( unsigned long ) sz ,
( unsigned long ) end - start , i ) ) ;
} else {
DEBUG ( 0 , ( " created %s \n " , fname ) ) ;
}
}
TALLOC_FREE ( fname ) ;
}
2006-06-06 00:38:21 +04:00
static DATA_BLOB generic_session_key ( void )
{
2011-02-10 13:37:51 +03:00
return data_blob_const ( " SystemLibraryDTC " , 16 ) ;
2006-06-06 00:38:21 +04:00
}
2000-03-10 00:45:16 +03:00
/*******************************************************************
2010-07-14 07:56:01 +04:00
Generate the next PDU to be returned from the data .
2005-09-30 21:13:37 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-03-10 00:45:16 +03:00
2010-07-30 22:01:01 +04:00
static NTSTATUS create_next_packet ( TALLOC_CTX * mem_ctx ,
struct pipe_auth_data * auth ,
uint32_t call_id ,
DATA_BLOB * rdata ,
size_t data_sent_length ,
DATA_BLOB * frag ,
size_t * pdu_size )
2003-02-14 03:48:28 +03:00
{
2010-07-13 19:53:41 +04:00
union dcerpc_payload u ;
2010-07-14 07:56:01 +04:00
uint8_t pfc_flags ;
2010-07-30 22:01:01 +04:00
size_t data_left ;
size_t data_to_send ;
size_t frag_len ;
2010-07-14 07:56:01 +04:00
size_t pad_len = 0 ;
2010-07-30 20:19:20 +04:00
size_t auth_len = 0 ;
2010-07-14 07:56:01 +04:00
NTSTATUS status ;
2000-03-10 00:45:16 +03:00
2010-07-13 19:53:41 +04:00
ZERO_STRUCT ( u . response ) ;
2000-03-10 00:45:16 +03:00
2010-07-14 07:56:01 +04:00
/* Set up rpc packet pfc flags. */
2010-07-30 20:19:20 +04:00
if ( data_sent_length = = 0 ) {
2010-07-14 07:56:01 +04:00
pfc_flags = DCERPC_PFC_FLAG_FIRST ;
2005-09-30 21:13:37 +04:00
} else {
2010-07-14 07:56:01 +04:00
pfc_flags = 0 ;
2000-03-10 00:45:16 +03:00
}
2010-07-14 07:56:01 +04:00
/* Work out how much we can fit in a single PDU. */
2010-07-30 22:01:01 +04:00
data_left = rdata - > length - data_sent_length ;
2005-09-30 21:13:37 +04:00
2010-07-14 07:56:01 +04:00
/* Ensure there really is data left to send. */
2010-07-30 22:01:01 +04:00
if ( ! data_left ) {
2010-07-14 07:56:01 +04:00
DEBUG ( 0 , ( " No data left to send ! \n " ) ) ;
2010-07-30 22:01:01 +04:00
return NT_STATUS_BUFFER_TOO_SMALL ;
2010-07-14 07:56:01 +04:00
}
2005-09-30 21:13:37 +04:00
2010-07-30 22:01:01 +04:00
status = dcerpc_guess_sizes ( auth ,
DCERPC_RESPONSE_LENGTH ,
data_left ,
RPC_MAX_PDU_FRAG_LEN ,
& data_to_send , & frag_len ,
& auth_len , & pad_len ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
2010-07-14 07:56:01 +04:00
}
2005-09-30 21:13:37 +04:00
2010-07-14 07:56:01 +04:00
/* Set up the alloc hint. This should be the data left to send. */
2010-07-30 22:01:01 +04:00
u . response . alloc_hint = data_left ;
2005-09-30 21:13:37 +04:00
2010-07-14 07:56:01 +04:00
/* Work out if this PDU will be the last. */
2010-07-30 22:01:01 +04:00
if ( data_sent_length + data_to_send > = rdata - > length ) {
2010-07-14 07:56:01 +04:00
pfc_flags | = DCERPC_PFC_FLAG_LAST ;
2005-09-30 21:13:37 +04:00
}
2010-07-14 07:56:01 +04:00
/* Prepare data to be NDR encoded. */
2010-07-13 19:53:41 +04:00
u . response . stub_and_verifier =
2010-07-30 22:01:01 +04:00
data_blob_const ( rdata - > data + data_sent_length , data_to_send ) ;
2010-07-13 19:53:41 +04:00
2010-07-14 02:01:16 +04:00
/* Store the packet in the data stream. */
2010-07-30 20:19:20 +04:00
status = dcerpc_push_ncacn_packet ( mem_ctx , DCERPC_PKT_RESPONSE ,
pfc_flags , auth_len , call_id ,
& u , frag ) ;
2010-07-09 23:46:43 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-07-14 07:56:01 +04:00
DEBUG ( 0 , ( " Failed to marshall RPC Packet. \n " ) ) ;
2010-07-30 22:01:01 +04:00
return status ;
2000-03-10 00:45:16 +03:00
}
2010-07-30 20:19:20 +04:00
if ( auth_len ) {
2010-07-14 07:56:01 +04:00
/* Set the proper length on the pdu, including padding.
* Only needed if an auth trailer will be appended . */
2010-07-30 20:19:20 +04:00
dcerpc_set_frag_length ( frag , frag - > length
2010-07-14 07:56:01 +04:00
+ pad_len
+ DCERPC_AUTH_TRAILER_LENGTH
2010-07-30 20:19:20 +04:00
+ auth_len ) ;
2010-07-14 07:56:01 +04:00
}
2000-03-10 00:45:16 +03:00
2010-07-30 20:19:20 +04:00
if ( auth_len ) {
status = dcerpc_add_auth_footer ( auth , pad_len , frag ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
data_blob_free ( frag ) ;
2010-07-30 22:01:01 +04:00
return status ;
2010-07-30 20:19:20 +04:00
}
}
2010-07-30 22:01:01 +04:00
* pdu_size = data_to_send ;
return NT_STATUS_OK ;
2005-09-30 21:13:37 +04:00
}
/*******************************************************************
Generate the next PDU to be returned from the data in p - > rdata .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-07-28 12:16:34 +04:00
bool create_next_pdu ( struct pipes_struct * p )
2005-09-30 21:13:37 +04:00
{
2010-08-03 17:55:20 +04:00
size_t pdu_size = 0 ;
2010-07-30 22:01:01 +04:00
NTSTATUS status ;
2009-01-06 13:32:07 +03:00
2010-07-14 07:56:01 +04:00
/*
* If we ' re in the fault state , keep returning fault PDU ' s until
* the pipe gets closed . JRA .
*/
if ( p - > fault_state ) {
2012-06-27 17:21:11 +04:00
setup_fault_pdu ( p , NT_STATUS ( p - > fault_state ) ) ;
2010-07-14 07:56:01 +04:00
return true ;
}
2010-07-30 22:01:01 +04:00
status = create_next_packet ( p - > mem_ctx , & p - > auth ,
p - > call_id , & p - > out_data . rdata ,
p - > out_data . data_sent_length ,
& p - > out_data . frag , & pdu_size ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " Failed to create packet with error %s, "
" (auth level %u / type %u) \n " ,
nt_errstr ( status ) ,
2010-07-30 20:19:20 +04:00
( unsigned int ) p - > auth . auth_level ,
( unsigned int ) p - > auth . auth_type ) ) ;
2010-07-20 00:16:40 +04:00
return false ;
}
2010-07-30 20:19:20 +04:00
/* Setup the counts for this PDU. */
p - > out_data . data_sent_length + = pdu_size ;
p - > out_data . current_pdu_sent = 0 ;
2010-07-20 00:16:40 +04:00
return true ;
2005-09-30 21:13:37 +04:00
}
1999-04-27 14:43:32 +04:00
2010-07-28 12:16:34 +04:00
static bool pipe_init_outgoing_data ( struct pipes_struct * p ) ;
2010-07-20 21:56:25 +04:00
2000-03-10 00:45:16 +03:00
/*******************************************************************
Marshall a bind_nak pdu .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-07-28 12:16:34 +04:00
static bool setup_bind_nak ( struct pipes_struct * p , struct ncacn_packet * pkt )
1998-11-12 19:07:00 +03:00
{
2009-03-21 02:11:15 +03:00
NTSTATUS status ;
union dcerpc_payload u ;
2000-03-10 00:45:16 +03:00
/* Free any memory in the current return data buffer. */
2010-07-20 21:56:25 +04:00
pipe_init_outgoing_data ( p ) ;
2000-03-10 00:45:16 +03:00
/*
* Initialize a bind_nak header .
*/
2009-03-21 02:11:15 +03:00
ZERO_STRUCT ( u ) ;
2000-03-10 00:45:16 +03:00
2009-03-21 02:11:15 +03:00
u . bind_nak . reject_reason = 0 ;
2000-03-10 00:45:16 +03:00
2010-07-14 02:01:16 +04:00
/*
* Marshall directly into the outgoing PDU space . We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here .
*/
2009-03-21 02:11:15 +03:00
status = dcerpc_push_ncacn_packet ( p - > mem_ctx ,
DCERPC_PKT_BIND_NAK ,
2010-07-09 03:17:13 +04:00
DCERPC_PFC_FLAG_FIRST |
DCERPC_PFC_FLAG_LAST ,
2009-03-21 02:11:15 +03:00
0 ,
2010-07-11 18:37:07 +04:00
pkt - > call_id ,
2010-07-11 20:18:13 +04:00
& u ,
2010-07-14 02:01:16 +04:00
& p - > out_data . frag ) ;
2009-03-21 02:11:15 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-08-05 04:25:52 +04:00
return False ;
2000-07-27 04:47:19 +04:00
}
1998-11-12 19:07:00 +03:00
2000-03-10 00:45:16 +03:00
p - > out_data . data_sent_length = 0 ;
p - > out_data . current_pdu_sent = 0 ;
1998-11-12 19:07:00 +03:00
2015-12-23 14:38:55 +03:00
set_incoming_fault ( p ) ;
2010-09-04 00:33:45 +04:00
TALLOC_FREE ( p - > auth . auth_ctx ) ;
2009-09-14 22:39:54 +04:00
p - > auth . auth_level = DCERPC_AUTH_LEVEL_NONE ;
2010-07-20 21:26:36 +04:00
p - > auth . auth_type = DCERPC_AUTH_TYPE_NONE ;
2000-03-10 00:45:16 +03:00
p - > pipe_bound = False ;
2015-07-07 10:15:39 +03:00
p - > allow_bind = false ;
p - > allow_alter = false ;
p - > allow_auth3 = false ;
2000-03-10 00:45:16 +03:00
return True ;
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
}
2000-03-10 00:45:16 +03:00
/*******************************************************************
Marshall a fault pdu .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-07-28 12:16:34 +04:00
bool setup_fault_pdu ( struct pipes_struct * p , NTSTATUS fault_status )
2000-03-10 00:45:16 +03:00
{
2009-03-23 13:05:21 +03:00
NTSTATUS status ;
union dcerpc_payload u ;
2000-03-10 00:45:16 +03:00
/* Free any memory in the current return data buffer. */
2010-07-20 21:56:25 +04:00
pipe_init_outgoing_data ( p ) ;
2000-03-10 00:45:16 +03:00
/*
* Initialize a fault header .
*/
2009-03-23 13:05:21 +03:00
ZERO_STRUCT ( u ) ;
2000-03-10 00:45:16 +03:00
2009-03-23 13:05:21 +03:00
u . fault . status = NT_STATUS_V ( fault_status ) ;
2000-03-10 00:45:16 +03:00
2010-07-14 02:01:16 +04:00
/*
* Marshall directly into the outgoing PDU space . We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here .
*/
2009-03-23 13:05:21 +03:00
status = dcerpc_push_ncacn_packet ( p - > mem_ctx ,
DCERPC_PKT_FAULT ,
2010-07-09 03:17:13 +04:00
DCERPC_PFC_FLAG_FIRST |
DCERPC_PFC_FLAG_LAST |
DCERPC_PFC_FLAG_DID_NOT_EXECUTE ,
2009-03-23 13:05:21 +03:00
0 ,
2010-07-10 03:34:34 +04:00
p - > call_id ,
2010-07-11 20:18:13 +04:00
& u ,
2010-07-14 02:01:16 +04:00
& p - > out_data . frag ) ;
2009-03-23 13:05:21 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2000-03-10 00:45:16 +03:00
return False ;
}
p - > out_data . data_sent_length = 0 ;
p - > out_data . current_pdu_sent = 0 ;
return True ;
}
2000-05-16 00:08:26 +04:00
/*******************************************************************
Ensure a bind request has the correct abstract & transfer interface .
Used to reject unknown binds from Win2k .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-07-05 12:13:03 +04:00
static bool check_bind_req ( struct pipes_struct * p ,
struct ndr_syntax_id * abstract ,
struct ndr_syntax_id * transfer ,
2011-05-25 18:03:43 +04:00
uint32_t context_id )
2000-05-16 00:08:26 +04:00
{
2008-07-16 02:03:49 +04:00
struct pipe_rpc_fns * context_fns ;
2011-05-25 19:26:01 +04:00
bool ok ;
2016-03-18 06:40:30 +03:00
const char * interface_name = NULL ;
2000-05-16 00:08:26 +04:00
2015-07-07 14:05:01 +03:00
DEBUG ( 3 , ( " check_bind_req for %s context_id=%u \n " ,
2013-09-18 12:58:16 +04:00
ndr_interface_name ( & abstract - > uuid ,
2015-07-07 14:05:01 +03:00
abstract - > if_version ) ,
( unsigned ) context_id ) ) ;
ok = ndr_syntax_id_equal ( transfer , & ndr_transfer_syntax_ndr ) ;
if ( ! ok ) {
DEBUG ( 1 , ( " check_bind_req unknown transfer syntax for "
" %s context_id=%u \n " ,
ndr_interface_name ( & abstract - > uuid ,
abstract - > if_version ) ,
( unsigned ) context_id ) ) ;
return false ;
}
2002-10-04 08:10:23 +04:00
2015-07-07 14:05:01 +03:00
for ( context_fns = p - > contexts ;
context_fns ! = NULL ;
context_fns = context_fns - > next )
{
if ( context_fns - > context_id ! = context_id ) {
continue ;
}
ok = ndr_syntax_id_equal ( & context_fns - > syntax ,
abstract ) ;
if ( ok ) {
return true ;
}
DEBUG ( 1 , ( " check_bind_req: changing abstract syntax for "
" %s context_id=%u into %s not supported \n " ,
ndr_interface_name ( & context_fns - > syntax . uuid ,
context_fns - > syntax . if_version ) ,
( unsigned ) context_id ,
ndr_interface_name ( & abstract - > uuid ,
abstract - > if_version ) ) ) ;
return false ;
}
2002-10-04 08:10:23 +04:00
/* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
2015-07-07 14:05:01 +03:00
if ( ! rpc_srv_pipe_exists_by_id ( abstract ) ) {
2008-07-16 02:03:49 +04:00
return false ;
}
2015-07-07 14:05:01 +03:00
DEBUG ( 3 , ( " check_bind_req: %s -> %s rpc service \n " ,
rpc_srv_get_pipe_cli_name ( abstract ) ,
rpc_srv_get_pipe_srv_name ( abstract ) ) ) ;
2011-05-25 19:26:01 +04:00
ok = init_pipe_handles ( p , abstract ) ;
if ( ! ok ) {
DEBUG ( 1 , ( " Failed to init pipe handles! \n " ) ) ;
return false ;
}
2016-03-18 06:40:30 +03:00
context_fns = talloc_zero ( p , struct pipe_rpc_fns ) ;
2008-07-16 02:03:49 +04:00
if ( context_fns = = NULL ) {
2011-07-28 00:40:21 +04:00
DEBUG ( 0 , ( " check_bind_req: talloc() failed! \n " ) ) ;
return false ;
2005-09-30 21:13:37 +04:00
}
2000-05-16 00:08:26 +04:00
2016-03-18 06:40:30 +03:00
interface_name = ndr_interface_name ( & abstract - > uuid ,
abstract - > if_version ) ;
SMB_ASSERT ( interface_name ! = NULL ) ;
2010-08-08 11:23:00 +04:00
context_fns - > next = context_fns - > prev = NULL ;
2010-06-04 00:01:46 +04:00
context_fns - > n_cmds = rpc_srv_get_pipe_num_cmds ( abstract ) ;
context_fns - > cmds = rpc_srv_get_pipe_cmds ( abstract ) ;
2008-07-16 02:03:49 +04:00
context_fns - > context_id = context_id ;
2011-05-25 18:03:43 +04:00
context_fns - > syntax = * abstract ;
2008-07-16 02:03:49 +04:00
2016-03-18 06:40:30 +03:00
context_fns - > allow_connect = lp_allow_dcerpc_auth_level_connect ( ) ;
2015-08-07 10:50:30 +03:00
/*
* for the samr , lsarpc and netlogon interfaces we don ' t allow " connect "
* auth_level by default .
*/
ok = ndr_syntax_id_equal ( abstract , & ndr_table_samr . syntax_id ) ;
if ( ok ) {
context_fns - > allow_connect = false ;
}
ok = ndr_syntax_id_equal ( abstract , & ndr_table_lsarpc . syntax_id ) ;
if ( ok ) {
context_fns - > allow_connect = false ;
}
ok = ndr_syntax_id_equal ( abstract , & ndr_table_netlogon . syntax_id ) ;
if ( ok ) {
context_fns - > allow_connect = false ;
}
2016-03-26 10:47:42 +03:00
/*
* for the epmapper and echo interfaces we allow " connect "
* auth_level by default .
*/
ok = ndr_syntax_id_equal ( abstract , & ndr_table_epmapper . syntax_id ) ;
if ( ok ) {
context_fns - > allow_connect = true ;
}
ok = ndr_syntax_id_equal ( abstract , & ndr_table_rpcecho . syntax_id ) ;
if ( ok ) {
context_fns - > allow_connect = true ;
}
2016-03-18 06:40:30 +03:00
/*
* every interface can be modified to allow " connect " auth_level by
* using a parametric option like :
* allow dcerpc auth level connect : < interface >
* e . g .
* allow dcerpc auth level connect : samr = yes
*/
context_fns - > allow_connect = lp_parm_bool ( - 1 ,
" allow dcerpc auth level connect " ,
interface_name , context_fns - > allow_connect ) ;
2008-07-16 02:03:49 +04:00
/* add to the list of open contexts */
DLIST_ADD ( p - > contexts , context_fns ) ;
2000-05-16 00:08:26 +04:00
return True ;
}
2008-07-19 22:27:56 +04:00
/**
* Is a named pipe known ?
2012-05-28 18:49:23 +04:00
* @ param [ in ] pipename Just the filename
2008-07-19 22:27:56 +04:00
* @ result Do we want to serve this ?
*/
2012-05-28 18:49:23 +04:00
bool is_known_pipename ( const char * pipename , struct ndr_syntax_id * syntax )
2008-07-19 22:27:56 +04:00
{
2009-10-03 17:33:12 +04:00
NTSTATUS status ;
2008-07-19 22:27:56 +04:00
if ( lp_disable_spoolss ( ) & & strequal ( pipename , " spoolss " ) ) {
DEBUG ( 10 , ( " refusing spoolss access \n " ) ) ;
return false ;
}
2010-06-04 00:01:46 +04:00
if ( rpc_srv_get_pipe_interface_by_cli_name ( pipename , syntax ) ) {
return true ;
2008-07-19 22:27:56 +04:00
}
2009-10-03 17:33:12 +04:00
status = smb_probe_module ( " rpc " , pipename ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2012-05-28 18:49:23 +04:00
DEBUG ( 10 , ( " is_known_pipename: %s unknown \n " , pipename ) ) ;
2009-10-03 17:33:12 +04:00
return false ;
}
DEBUG ( 10 , ( " is_known_pipename: %s loaded dynamically \n " , pipename ) ) ;
/*
* Scan the list again for the interface id
*/
2010-06-04 00:01:46 +04:00
if ( rpc_srv_get_pipe_interface_by_cli_name ( pipename , syntax ) ) {
return true ;
2009-10-03 17:33:12 +04:00
}
DEBUG ( 10 , ( " is_known_pipename: pipe %s did not register itself! \n " ,
pipename ) ) ;
2008-07-19 22:27:56 +04:00
return false ;
}
2005-09-30 21:13:37 +04:00
/*******************************************************************
Handle an NTLMSSP bind auth .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2011-12-21 08:34:17 +04:00
static bool pipe_auth_generic_bind ( struct pipes_struct * p ,
2014-01-04 01:56:03 +04:00
struct ncacn_packet * pkt ,
2010-07-11 19:15:40 +04:00
struct dcerpc_auth * auth_info ,
DATA_BLOB * response )
2005-09-30 21:13:37 +04:00
{
2014-01-04 01:56:03 +04:00
TALLOC_CTX * mem_ctx = pkt ;
2011-10-19 11:39:27 +04:00
struct gensec_security * gensec_security = NULL ;
2005-09-30 21:13:37 +04:00
NTSTATUS status ;
2011-12-21 08:34:17 +04:00
status = auth_generic_server_authtype_start ( p ,
auth_info - > auth_type ,
auth_info - > auth_level ,
& auth_info - > credentials ,
response ,
p - > remote_address ,
& gensec_security ) ;
2014-04-23 12:40:27 +04:00
if ( ! NT_STATUS_IS_OK ( status ) & &
! NT_STATUS_EQUAL ( status , NT_STATUS_MORE_PROCESSING_REQUIRED ) )
{
DEBUG ( 0 , ( __location__ " : auth_generic_server_authtype_start[%u/%u] failed: %s \n " ,
auth_info - > auth_type , auth_info - > auth_level , nt_errstr ( status ) ) ) ;
2010-09-02 01:09:52 +04:00
return false ;
2005-09-30 21:13:37 +04:00
}
2010-07-11 19:15:40 +04:00
/* Make sure data is bound to the memctx, to be freed the caller */
talloc_steal ( mem_ctx , response - > data ) ;
2005-09-30 21:13:37 +04:00
2011-10-19 11:39:27 +04:00
p - > auth . auth_ctx = gensec_security ;
2011-12-21 08:34:17 +04:00
p - > auth . auth_type = auth_info - > auth_type ;
2015-07-07 14:05:01 +03:00
p - > auth . auth_level = auth_info - > auth_level ;
2015-07-08 01:01:37 +03:00
p - > auth . auth_context_id = auth_info - > auth_context_id ;
2005-09-30 21:13:37 +04:00
2014-01-04 01:56:03 +04:00
if ( pkt - > pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN ) {
p - > auth . client_hdr_signing = true ;
p - > auth . hdr_signing = gensec_have_feature ( gensec_security ,
GENSEC_FEATURE_SIGN_PKT_HEADER ) ;
}
if ( p - > auth . hdr_signing ) {
gensec_want_feature ( gensec_security ,
GENSEC_FEATURE_SIGN_PKT_HEADER ) ;
}
2014-04-23 12:42:12 +04:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_MORE_PROCESSING_REQUIRED ) ) {
return true ;
}
status = pipe_auth_verify_final ( p ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " pipe_auth_verify_final failed: %s \n " ,
nt_errstr ( status ) ) ) ;
return false ;
}
2010-09-02 01:09:52 +04:00
return true ;
2005-09-30 21:13:37 +04:00
}
2010-09-03 23:09:34 +04:00
/*******************************************************************
Process an NTLMSSP authentication response .
If this function succeeds , the user has been authenticated
and their domain , name and calling workstation stored in
the pipe struct .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2011-12-21 08:17:45 +04:00
static bool pipe_auth_generic_verify_final ( TALLOC_CTX * mem_ctx ,
2011-10-19 11:39:27 +04:00
struct gensec_security * gensec_security ,
2010-09-03 23:09:34 +04:00
enum dcerpc_AuthLevel auth_level ,
2011-07-18 07:06:47 +04:00
struct auth_session_info * * session_info )
2010-09-03 23:09:34 +04:00
{
NTSTATUS status ;
bool ret ;
2011-05-30 13:27:07 +04:00
DEBUG ( 5 , ( __location__ " : checking user details \n " ) ) ;
2010-09-03 23:09:34 +04:00
/* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
ensure the underlying NTLMSSP flags are also set . If not we should
refuse the bind . */
2011-12-21 07:40:04 +04:00
status = auth_generic_server_check_flags ( gensec_security ,
2016-09-23 01:16:13 +03:00
( auth_level > =
DCERPC_AUTH_LEVEL_PACKET ) ,
2010-09-03 23:09:34 +04:00
( auth_level = =
DCERPC_AUTH_LEVEL_PRIVACY ) ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( __location__ " : Client failed to negotatie proper "
2011-05-30 13:27:07 +04:00
" security for rpc connection \n " ) ) ;
2010-09-03 23:09:34 +04:00
return false ;
}
2011-02-21 12:25:52 +03:00
TALLOC_FREE ( * session_info ) ;
2010-09-03 23:09:34 +04:00
2011-12-21 07:40:04 +04:00
status = auth_generic_server_get_user_info ( gensec_security ,
2011-02-21 12:25:52 +03:00
mem_ctx , session_info ) ;
2010-09-03 23:09:34 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( __location__ " : failed to obtain the server info "
" for authenticated user: %s \n " , nt_errstr ( status ) ) ) ;
return false ;
}
2011-02-21 12:25:52 +03:00
if ( ( * session_info ) - > security_token = = NULL ) {
2010-09-03 23:09:34 +04:00
DEBUG ( 1 , ( " Auth module failed to provide nt_user_token \n " ) ) ;
return false ;
}
2014-04-23 20:13:04 +04:00
if ( ( * session_info ) - > unix_token = = NULL ) {
DEBUG ( 1 , ( " Auth module failed to provide unix_token \n " ) ) ;
return false ;
}
2010-09-03 23:09:34 +04:00
/*
* We ' re an authenticated bind over smb , so the session key needs to
* be set to " SystemLibraryDTC " . Weird , but this is what Windows
* does . See the RPC - SAMBA3SESSIONKEY .
*/
2011-02-10 13:37:51 +03:00
ret = session_info_set_session_key ( ( * session_info ) , generic_session_key ( ) ) ;
2010-09-03 23:09:34 +04:00
if ( ! ret ) {
DEBUG ( 0 , ( " Failed to set session key! \n " ) ) ;
return false ;
}
return true ;
}
static NTSTATUS pipe_auth_verify_final ( struct pipes_struct * p )
{
2011-10-19 11:39:27 +04:00
struct gensec_security * gensec_security ;
2014-04-23 15:01:00 +04:00
bool ok ;
2010-09-03 23:09:34 +04:00
2014-04-23 15:01:00 +04:00
if ( p - > auth . auth_type = = DCERPC_AUTH_TYPE_NONE ) {
p - > pipe_bound = true ;
return NT_STATUS_OK ;
}
2014-09-23 07:45:55 +04:00
gensec_security = p - > auth . auth_ctx ;
2014-04-23 15:01:00 +04:00
ok = pipe_auth_generic_verify_final ( p , gensec_security ,
p - > auth . auth_level ,
& p - > session_info ) ;
if ( ! ok ) {
2010-09-03 23:09:34 +04:00
return NT_STATUS_ACCESS_DENIED ;
}
p - > pipe_bound = true ;
return NT_STATUS_OK ;
}
2000-03-10 00:45:16 +03:00
/*******************************************************************
Respond to a pipe bind request .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-08-02 18:28:10 +04:00
static bool api_pipe_bind_req ( struct pipes_struct * p ,
struct ncacn_packet * pkt )
2000-03-10 00:45:16 +03:00
{
2015-03-04 12:47:03 +03:00
struct dcerpc_auth auth_info = { 0 } ;
2015-05-09 20:02:05 +03:00
uint16_t assoc_gid ;
2010-06-04 00:01:46 +04:00
NTSTATUS status ;
struct ndr_syntax_id id ;
2014-01-04 01:56:03 +04:00
uint8_t pfc_flags = 0 ;
2010-07-11 19:48:22 +04:00
union dcerpc_payload u ;
struct dcerpc_ack_ctx bind_ack_ctx ;
2010-07-11 19:15:40 +04:00
DATA_BLOB auth_resp = data_blob_null ;
DATA_BLOB auth_blob = data_blob_null ;
2013-09-18 12:59:14 +04:00
const struct ndr_interface_table * table ;
2005-09-30 21:13:37 +04:00
2015-07-07 10:15:39 +03:00
if ( ! p - > allow_bind ) {
DEBUG ( 2 , ( " Pipe not in allow bind state \n " ) ) ;
2010-07-11 18:37:07 +04:00
return setup_bind_nak ( p , pkt ) ;
2005-09-30 21:13:37 +04:00
}
2015-07-07 10:15:39 +03:00
p - > allow_bind = false ;
2000-03-10 00:45:16 +03:00
2015-07-07 17:06:59 +03:00
status = dcerpc_verify_ncacn_packet_header ( pkt ,
DCERPC_PKT_BIND ,
pkt - > u . bind . auth_info . length ,
0 , /* required flags */
DCERPC_PFC_FLAG_FIRST |
DCERPC_PFC_FLAG_LAST |
DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
0x08 | /* this is not defined, but should be ignored */
DCERPC_PFC_FLAG_CONC_MPX |
DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
DCERPC_PFC_FLAG_MAYBE |
DCERPC_PFC_FLAG_OBJECT_UUID ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 1 , ( " api_pipe_bind_req: invalid pdu: %s \n " ,
nt_errstr ( status ) ) ) ;
NDR_PRINT_DEBUG ( ncacn_packet , pkt ) ;
goto err_exit ;
}
2010-07-10 03:34:34 +04:00
if ( pkt - > u . bind . num_contexts = = 0 ) {
2015-07-07 17:06:59 +03:00
DEBUG ( 1 , ( " api_pipe_bind_req: no rpc contexts around \n " ) ) ;
goto err_exit ;
}
if ( pkt - > u . bind . ctx_list [ 0 ] . num_transfer_syntaxes = = 0 ) {
DEBUG ( 1 , ( " api_pipe_bind_req: no transfer syntaxes around \n " ) ) ;
2008-07-13 01:17:23 +04:00
goto err_exit ;
}
2000-03-10 00:45:16 +03:00
/*
2005-09-30 21:13:37 +04:00
* Try and find the correct pipe name to ensure
* that this is a pipe name we support .
*/
2010-07-10 03:34:34 +04:00
id = pkt - > u . bind . ctx_list [ 0 ] . abstract_syntax ;
2013-09-18 12:59:14 +04:00
table = ndr_table_by_uuid ( & id . uuid ) ;
if ( table = = NULL ) {
DEBUG ( 0 , ( " unknown interface \n " ) ) ;
return false ;
}
2010-06-04 00:01:46 +04:00
if ( rpc_srv_pipe_exists_by_id ( & id ) ) {
2011-05-25 18:58:18 +04:00
DEBUG ( 3 , ( " api_pipe_bind_req: %s -> %s rpc service \n " ,
rpc_srv_get_pipe_cli_name ( & id ) ,
rpc_srv_get_pipe_srv_name ( & id ) ) ) ;
2010-06-04 00:01:46 +04:00
} else {
2009-02-01 14:03:31 +03:00
status = smb_probe_module (
2013-09-18 12:59:14 +04:00
" rpc " , dcerpc_default_transport_endpoint ( pkt ,
NCACN_NP , table ) ) ;
2009-02-01 14:03:31 +03:00
if ( NT_STATUS_IS_ERR ( status ) ) {
2011-05-25 18:58:18 +04:00
DEBUG ( 3 , ( " api_pipe_bind_req: Unknown rpc service name "
" %s in bind request. \n " ,
2013-09-18 12:58:16 +04:00
ndr_interface_name ( & id . uuid ,
id . if_version ) ) ) ;
2005-09-30 21:13:37 +04:00
2010-07-11 18:37:07 +04:00
return setup_bind_nak ( p , pkt ) ;
2010-06-04 00:01:46 +04:00
}
if ( rpc_srv_get_pipe_interface_by_cli_name (
2013-09-18 12:59:14 +04:00
dcerpc_default_transport_endpoint ( pkt ,
NCACN_NP , table ) ,
2010-06-04 00:01:46 +04:00
& id ) ) {
2011-05-25 18:58:18 +04:00
DEBUG ( 3 , ( " api_pipe_bind_req: %s -> %s rpc service \n " ,
rpc_srv_get_pipe_cli_name ( & id ) ,
rpc_srv_get_pipe_srv_name ( & id ) ) ) ;
2010-06-04 00:01:46 +04:00
} else {
2009-02-01 14:03:31 +03:00
DEBUG ( 0 , ( " module %s doesn't provide functions for "
2009-11-08 21:37:53 +03:00
" pipe %s! \n " ,
2013-09-18 12:58:16 +04:00
ndr_interface_name ( & id . uuid ,
id . if_version ) ,
ndr_interface_name ( & id . uuid ,
id . if_version ) ) ) ;
2010-07-11 18:47:32 +04:00
return setup_bind_nak ( p , pkt ) ;
2005-09-30 21:13:37 +04:00
}
}
DEBUG ( 5 , ( " api_pipe_bind_req: make response. %d \n " , __LINE__ ) ) ;
2010-07-10 03:34:34 +04:00
if ( pkt - > u . bind . assoc_group_id ! = 0 ) {
assoc_gid = pkt - > u . bind . assoc_group_id ;
2010-07-08 09:14:16 +04:00
} else {
assoc_gid = 0x53f0 ;
}
2010-02-18 02:27:59 +03:00
/*
* Create the bind response struct .
*/
/* If the requested abstract synt uuid doesn't match our client pipe,
reject the bind_ack & set the transfer interface synt to all 0 ' s ,
ver 0 ( observed when NT5 attempts to bind to abstract interfaces
unknown to NT4 )
Needed when adding entries to a DACL from NT5 - SK */
2010-07-08 01:14:27 +04:00
if ( check_bind_req ( p ,
2010-07-10 03:34:34 +04:00
& pkt - > u . bind . ctx_list [ 0 ] . abstract_syntax ,
& pkt - > u . bind . ctx_list [ 0 ] . transfer_syntaxes [ 0 ] ,
pkt - > u . bind . ctx_list [ 0 ] . context_id ) ) {
2010-07-11 19:48:22 +04:00
bind_ack_ctx . result = 0 ;
2014-01-09 19:00:23 +04:00
bind_ack_ctx . reason . value = 0 ;
2010-07-11 19:48:22 +04:00
bind_ack_ctx . syntax = pkt - > u . bind . ctx_list [ 0 ] . transfer_syntaxes [ 0 ] ;
2010-02-18 02:27:59 +03:00
} else {
2010-07-11 19:48:22 +04:00
/* Rejection reason: abstract syntax not supported */
bind_ack_ctx . result = DCERPC_BIND_PROVIDER_REJECT ;
2014-01-09 19:00:23 +04:00
bind_ack_ctx . reason . value = DCERPC_BIND_REASON_ASYNTAX ;
2012-03-18 19:46:57 +04:00
bind_ack_ctx . syntax = ndr_syntax_id_null ;
2010-02-18 02:27:59 +03:00
}
2005-09-30 21:13:37 +04:00
/*
* Check if this is an authenticated bind request .
*/
2010-07-10 03:34:34 +04:00
if ( pkt - > auth_length ) {
2010-07-11 19:48:22 +04:00
/*
* Decode the authentication verifier .
*/
2015-07-07 14:05:01 +03:00
status = dcerpc_pull_auth_trailer ( pkt , pkt ,
& pkt - > u . bind . auth_info ,
& auth_info , NULL , true ) ;
2010-07-09 00:02:08 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " Unable to unmarshall dcerpc_auth. \n " ) ) ;
2005-09-30 21:13:37 +04:00
goto err_exit ;
}
2015-07-07 14:05:01 +03:00
if ( ! pipe_auth_generic_bind ( p , pkt ,
& auth_info , & auth_resp ) ) {
2010-07-09 00:02:08 +04:00
goto err_exit ;
2005-09-30 21:13:37 +04:00
}
2015-07-07 14:05:01 +03:00
} else {
2010-07-20 21:26:36 +04:00
p - > auth . auth_type = DCERPC_AUTH_TYPE_NONE ;
2010-07-11 19:48:22 +04:00
p - > auth . auth_level = DCERPC_AUTH_LEVEL_NONE ;
2015-07-08 01:01:37 +03:00
p - > auth . auth_context_id = 0 ;
2010-07-11 19:48:22 +04:00
}
ZERO_STRUCT ( u . bind_ack ) ;
u . bind_ack . max_xmit_frag = RPC_MAX_PDU_FRAG_LEN ;
u . bind_ack . max_recv_frag = RPC_MAX_PDU_FRAG_LEN ;
u . bind_ack . assoc_group_id = assoc_gid ;
/* name has to be \PIPE\xxxxx */
u . bind_ack . secondary_address =
talloc_asprintf ( pkt , " \\ PIPE \\ %s " ,
rpc_srv_get_pipe_srv_name ( & id ) ) ;
if ( ! u . bind_ack . secondary_address ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
goto err_exit ;
}
u . bind_ack . secondary_address_size =
strlen ( u . bind_ack . secondary_address ) + 1 ;
u . bind_ack . num_results = 1 ;
u . bind_ack . ctx_list = & bind_ack_ctx ;
/* NOTE: We leave the auth_info empty so we can calculate the padding
* later and then append the auth_info - - simo */
2010-07-14 02:01:16 +04:00
/*
* Marshall directly into the outgoing PDU space . We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here .
*/
2014-01-04 01:56:03 +04:00
pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST ;
if ( p - > auth . hdr_signing ) {
pfc_flags | = DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN ;
}
2010-07-14 02:01:16 +04:00
status = dcerpc_push_ncacn_packet ( p - > mem_ctx ,
DCERPC_PKT_BIND_ACK ,
2014-01-04 01:56:03 +04:00
pfc_flags ,
2010-07-11 19:48:22 +04:00
auth_resp . length ,
pkt - > call_id ,
2010-07-14 02:01:16 +04:00
& u ,
& p - > out_data . frag ) ;
2010-07-11 19:48:22 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " Failed to marshall bind_ack packet. (%s) \n " ,
nt_errstr ( status ) ) ) ;
2015-07-07 14:05:01 +03:00
goto err_exit ;
2010-07-11 19:48:22 +04:00
}
2010-07-11 19:15:40 +04:00
if ( auth_resp . length ) {
status = dcerpc_push_dcerpc_auth ( pkt ,
2015-07-07 14:05:01 +03:00
p - > auth . auth_type ,
p - > auth . auth_level ,
2015-07-08 01:01:37 +03:00
0 , /* pad_len */
p - > auth . auth_context_id ,
2010-07-11 19:15:40 +04:00
& auth_resp ,
& auth_blob ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " Marshalling of dcerpc_auth failed. \n " ) ) ;
goto err_exit ;
}
}
2010-07-11 19:48:22 +04:00
/* Now that we have the auth len store it into the right place in
* the dcerpc header */
2010-07-14 02:01:16 +04:00
dcerpc_set_frag_length ( & p - > out_data . frag ,
2010-07-14 19:09:04 +04:00
p - > out_data . frag . length + auth_blob . length ) ;
2005-07-28 00:25:04 +04:00
2010-07-11 19:48:22 +04:00
if ( auth_blob . length ) {
2010-02-18 02:27:59 +03:00
2010-07-14 02:01:16 +04:00
if ( ! data_blob_append ( p - > mem_ctx , & p - > out_data . frag ,
auth_blob . data , auth_blob . length ) ) {
2010-07-11 19:48:22 +04:00
DEBUG ( 0 , ( " Append of auth info failed. \n " ) ) ;
2010-02-18 02:27:59 +03:00
goto err_exit ;
}
2005-09-30 21:13:37 +04:00
}
2005-07-28 00:25:04 +04:00
2005-09-30 21:13:37 +04:00
/*
* Setup the lengths for the initial reply .
*/
2005-07-28 00:25:04 +04:00
2005-09-30 21:13:37 +04:00
p - > out_data . data_sent_length = 0 ;
p - > out_data . current_pdu_sent = 0 ;
2005-07-28 00:25:04 +04:00
2010-07-11 19:15:40 +04:00
TALLOC_FREE ( auth_blob . data ) ;
2015-07-07 10:15:39 +03:00
if ( bind_ack_ctx . result = = 0 ) {
p - > allow_alter = true ;
p - > allow_auth3 = true ;
if ( p - > auth . auth_type = = DCERPC_AUTH_TYPE_NONE ) {
status = pipe_auth_verify_final ( p ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " pipe_auth_verify_final failed: %s \n " ,
nt_errstr ( status ) ) ) ;
goto err_exit ;
}
}
} else {
goto err_exit ;
}
2005-09-30 21:13:37 +04:00
return True ;
2005-07-28 00:25:04 +04:00
2005-09-30 21:13:37 +04:00
err_exit :
2005-07-28 00:25:04 +04:00
2010-07-14 02:01:16 +04:00
data_blob_free ( & p - > out_data . frag ) ;
2010-07-11 19:15:40 +04:00
TALLOC_FREE ( auth_blob . data ) ;
2010-07-11 18:37:07 +04:00
return setup_bind_nak ( p , pkt ) ;
2005-09-30 21:13:37 +04:00
}
2005-06-03 13:24:48 +04:00
2010-09-03 23:09:34 +04:00
/*******************************************************************
This is the " stage3 " response after a bind request and reply .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
bool api_pipe_bind_auth3 ( struct pipes_struct * p , struct ncacn_packet * pkt )
{
struct dcerpc_auth auth_info ;
DATA_BLOB response = data_blob_null ;
2011-10-19 11:39:27 +04:00
struct gensec_security * gensec_security ;
2010-09-03 23:09:34 +04:00
NTSTATUS status ;
DEBUG ( 5 , ( " api_pipe_bind_auth3: decode request. %d \n " , __LINE__ ) ) ;
2015-07-07 10:15:39 +03:00
if ( ! p - > allow_auth3 ) {
DEBUG ( 1 , ( " Pipe not in allow auth3 state. \n " ) ) ;
goto err ;
}
2015-07-07 17:06:59 +03:00
status = dcerpc_verify_ncacn_packet_header ( pkt ,
DCERPC_PKT_AUTH3 ,
pkt - > u . auth3 . auth_info . length ,
0 , /* required flags */
DCERPC_PFC_FLAG_FIRST |
DCERPC_PFC_FLAG_LAST |
DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
0x08 | /* this is not defined, but should be ignored */
DCERPC_PFC_FLAG_CONC_MPX |
DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
DCERPC_PFC_FLAG_MAYBE |
DCERPC_PFC_FLAG_OBJECT_UUID ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 1 , ( " api_pipe_bind_auth3: invalid pdu: %s \n " ,
nt_errstr ( status ) ) ) ;
NDR_PRINT_DEBUG ( ncacn_packet , pkt ) ;
goto err ;
}
2015-07-07 14:05:01 +03:00
/* We can only finish if the pipe is unbound for now */
if ( p - > pipe_bound ) {
DEBUG ( 0 , ( __location__ " : Pipe already bound, "
" AUTH3 not supported! \n " ) ) ;
goto err ;
}
2010-09-03 23:09:34 +04:00
if ( pkt - > auth_length = = 0 ) {
2015-07-07 14:05:01 +03:00
DEBUG ( 1 , ( " No auth field sent for auth3 request! \n " ) ) ;
2010-09-03 23:09:34 +04:00
goto err ;
}
/*
* Decode the authentication verifier response .
*/
2015-07-07 14:05:01 +03:00
status = dcerpc_pull_auth_trailer ( pkt , pkt ,
& pkt - > u . auth3 . auth_info ,
& auth_info , NULL , true ) ;
2010-09-03 23:09:34 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2013-04-19 13:21:06 +04:00
DEBUG ( 1 , ( " Failed to unmarshall dcerpc_auth. \n " ) ) ;
2010-09-03 23:09:34 +04:00
goto err ;
}
/* We must NEVER look at auth_info->auth_pad_len here,
* as old Samba client code gets it wrong and sends it
* as zero . JRA .
*/
2010-09-11 17:52:42 +04:00
if ( auth_info . auth_type ! = p - > auth . auth_type ) {
2013-04-19 13:21:06 +04:00
DEBUG ( 1 , ( " Auth type mismatch! Client sent %d, "
2010-09-11 17:52:42 +04:00
" but auth was started as type %d! \n " ,
auth_info . auth_type , p - > auth . auth_type ) ) ;
goto err ;
}
2015-07-07 14:05:01 +03:00
if ( auth_info . auth_level ! = p - > auth . auth_level ) {
DEBUG ( 1 , ( " Auth level mismatch! Client sent %d, "
" but auth was started as level %d! \n " ,
auth_info . auth_level , p - > auth . auth_level ) ) ;
goto err ;
}
2015-07-08 01:01:37 +03:00
if ( auth_info . auth_context_id ! = p - > auth . auth_context_id ) {
DEBUG ( 0 , ( " Auth context id mismatch! Client sent %u, "
" but auth was started as level %u! \n " ,
( unsigned ) auth_info . auth_context_id ,
( unsigned ) p - > auth . auth_context_id ) ) ;
goto err ;
}
2014-09-23 07:45:55 +04:00
gensec_security = p - > auth . auth_ctx ;
2014-04-23 15:02:35 +04:00
status = auth_generic_server_step ( gensec_security ,
pkt , & auth_info . credentials ,
& response ) ;
2010-09-03 23:09:34 +04:00
if ( NT_STATUS_EQUAL ( status ,
NT_STATUS_MORE_PROCESSING_REQUIRED ) | |
response . length ) {
2013-04-19 13:21:06 +04:00
DEBUG ( 1 , ( __location__ " : This was supposed to be the final "
2010-09-03 23:09:34 +04:00
" leg, but crypto machinery claims a response is "
" needed, aborting auth! \n " ) ) ;
data_blob_free ( & response ) ;
goto err ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
2013-04-19 13:21:06 +04:00
DEBUG ( 2 , ( " Auth failed (%s) \n " , nt_errstr ( status ) ) ) ;
2010-09-03 23:09:34 +04:00
goto err ;
}
/* Now verify auth was indeed successful and extract server info */
status = pipe_auth_verify_final ( p ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2013-04-19 13:21:06 +04:00
DEBUG ( 2 , ( " Auth Verify failed (%s) \n " , nt_errstr ( status ) ) ) ;
2010-09-03 23:09:34 +04:00
goto err ;
}
return true ;
err :
2015-07-14 17:18:45 +03:00
p - > pipe_bound = false ;
2015-07-07 10:15:39 +03:00
p - > allow_bind = false ;
p - > allow_alter = false ;
p - > allow_auth3 = false ;
2010-09-04 00:33:45 +04:00
TALLOC_FREE ( p - > auth . auth_ctx ) ;
2010-09-03 23:09:34 +04:00
return false ;
}
2005-09-30 21:13:37 +04:00
/****************************************************************************
Deal with an alter context call . Can be third part of 3 leg auth request for
SPNEGO calls .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-03-10 00:45:16 +03:00
2010-08-02 18:28:10 +04:00
static bool api_pipe_alter_context ( struct pipes_struct * p ,
struct ncacn_packet * pkt )
2005-09-30 21:13:37 +04:00
{
2015-03-04 12:47:03 +03:00
struct dcerpc_auth auth_info = { 0 } ;
2015-05-09 20:02:05 +03:00
uint16_t assoc_gid ;
2010-07-08 09:14:16 +04:00
NTSTATUS status ;
2010-07-12 01:35:02 +04:00
union dcerpc_payload u ;
2015-07-07 17:06:59 +03:00
struct dcerpc_ack_ctx alter_ack_ctx ;
2010-07-12 01:07:19 +04:00
DATA_BLOB auth_resp = data_blob_null ;
DATA_BLOB auth_blob = data_blob_null ;
2011-10-19 11:39:27 +04:00
struct gensec_security * gensec_security ;
2005-09-30 21:13:37 +04:00
DEBUG ( 5 , ( " api_pipe_alter_context: make response. %d \n " , __LINE__ ) ) ;
2015-07-07 10:15:39 +03:00
if ( ! p - > allow_alter ) {
DEBUG ( 1 , ( " Pipe not in allow alter state. \n " ) ) ;
goto err_exit ;
}
2015-07-07 17:06:59 +03:00
status = dcerpc_verify_ncacn_packet_header ( pkt ,
DCERPC_PKT_ALTER ,
pkt - > u . alter . auth_info . length ,
0 , /* required flags */
DCERPC_PFC_FLAG_FIRST |
DCERPC_PFC_FLAG_LAST |
DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
0x08 | /* this is not defined, but should be ignored */
DCERPC_PFC_FLAG_CONC_MPX |
DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
DCERPC_PFC_FLAG_MAYBE |
DCERPC_PFC_FLAG_OBJECT_UUID ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 1 , ( " api_pipe_alter_context: invalid pdu: %s \n " ,
nt_errstr ( status ) ) ) ;
NDR_PRINT_DEBUG ( ncacn_packet , pkt ) ;
goto err_exit ;
}
2015-07-07 17:06:59 +03:00
if ( pkt - > u . alter . num_contexts = = 0 ) {
DEBUG ( 1 , ( " api_pipe_alter_context: no rpc contexts around \n " ) ) ;
goto err_exit ;
}
if ( pkt - > u . alter . ctx_list [ 0 ] . num_transfer_syntaxes = = 0 ) {
DEBUG ( 1 , ( " api_pipe_alter_context: no transfer syntaxes around \n " ) ) ;
goto err_exit ;
}
2015-07-07 17:06:59 +03:00
if ( pkt - > u . alter . assoc_group_id ! = 0 ) {
assoc_gid = pkt - > u . alter . assoc_group_id ;
2010-07-08 09:14:16 +04:00
} else {
assoc_gid = 0x53f0 ;
}
2000-03-10 00:45:16 +03:00
/*
* Create the bind response struct .
*/
2000-05-16 00:08:26 +04:00
/* If the requested abstract synt uuid doesn't match our client pipe,
2015-07-07 17:06:59 +03:00
reject the alter_ack & set the transfer interface synt to all 0 ' s ,
2000-05-16 00:08:26 +04:00
ver 0 ( observed when NT5 attempts to bind to abstract interfaces
unknown to NT4 )
Needed when adding entries to a DACL from NT5 - SK */
2010-07-08 01:14:27 +04:00
if ( check_bind_req ( p ,
2015-07-07 17:06:59 +03:00
& pkt - > u . alter . ctx_list [ 0 ] . abstract_syntax ,
& pkt - > u . alter . ctx_list [ 0 ] . transfer_syntaxes [ 0 ] ,
pkt - > u . alter . ctx_list [ 0 ] . context_id ) ) {
2010-07-12 01:35:02 +04:00
2015-07-07 17:06:59 +03:00
alter_ack_ctx . result = 0 ;
alter_ack_ctx . reason . value = 0 ;
alter_ack_ctx . syntax = pkt - > u . alter . ctx_list [ 0 ] . transfer_syntaxes [ 0 ] ;
2000-05-16 00:08:26 +04:00
} else {
2010-07-12 01:35:02 +04:00
/* Rejection reason: abstract syntax not supported */
2015-07-07 17:06:59 +03:00
alter_ack_ctx . result = DCERPC_BIND_PROVIDER_REJECT ;
alter_ack_ctx . reason . value = DCERPC_BIND_REASON_ASYNTAX ;
alter_ack_ctx . syntax = ndr_syntax_id_null ;
2000-05-16 00:08:26 +04:00
}
2000-03-10 00:45:16 +03:00
2010-02-18 02:27:59 +03:00
/*
* Check if this is an authenticated alter context request .
*/
2010-07-12 01:35:02 +04:00
if ( pkt - > auth_length ) {
2015-07-07 14:05:01 +03:00
/* We can only finish if the pipe is unbound for now */
if ( p - > pipe_bound ) {
DEBUG ( 0 , ( __location__ " : Pipe already bound, "
" Altering Context not yet supported! \n " ) ) ;
2010-02-18 02:27:59 +03:00
goto err_exit ;
}
2015-07-07 14:05:01 +03:00
status = dcerpc_pull_auth_trailer ( pkt , pkt ,
2015-07-07 17:06:59 +03:00
& pkt - > u . alter . auth_info ,
2015-07-07 14:05:01 +03:00
& auth_info , NULL , true ) ;
2010-07-10 03:34:34 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " Unable to unmarshall dcerpc_auth. \n " ) ) ;
2010-02-18 02:27:59 +03:00
goto err_exit ;
}
2010-09-11 17:52:42 +04:00
if ( auth_info . auth_type ! = p - > auth . auth_type ) {
DEBUG ( 0 , ( " Auth type mismatch! Client sent %d, "
" but auth was started as type %d! \n " ,
auth_info . auth_type , p - > auth . auth_type ) ) ;
goto err_exit ;
}
2015-07-07 14:05:01 +03:00
if ( auth_info . auth_level ! = p - > auth . auth_level ) {
DEBUG ( 0 , ( " Auth level mismatch! Client sent %d, "
" but auth was started as level %d! \n " ,
auth_info . auth_level , p - > auth . auth_level ) ) ;
goto err_exit ;
}
2015-07-08 01:01:37 +03:00
if ( auth_info . auth_context_id ! = p - > auth . auth_context_id ) {
DEBUG ( 0 , ( " Auth context id mismatch! Client sent %u, "
" but auth was started as level %u! \n " ,
( unsigned ) auth_info . auth_context_id ,
( unsigned ) p - > auth . auth_context_id ) ) ;
goto err_exit ;
}
2014-09-23 07:45:55 +04:00
gensec_security = p - > auth . auth_ctx ;
2014-04-23 15:02:35 +04:00
status = auth_generic_server_step ( gensec_security ,
pkt ,
& auth_info . credentials ,
& auth_resp ) ;
2010-09-03 18:19:27 +04:00
if ( NT_STATUS_IS_OK ( status ) ) {
/* third leg of auth, verify auth info */
status = pipe_auth_verify_final ( p ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " Auth Verify failed (%s) \n " ,
nt_errstr ( status ) ) ) ;
goto err_exit ;
}
} else if ( NT_STATUS_EQUAL ( status ,
NT_STATUS_MORE_PROCESSING_REQUIRED ) ) {
DEBUG ( 10 , ( " More auth legs required. \n " ) ) ;
} else {
DEBUG ( 0 , ( " Auth step returned an error (%s) \n " ,
nt_errstr ( status ) ) ) ;
goto err_exit ;
}
2010-07-12 01:35:02 +04:00
}
ZERO_STRUCT ( u . alter_resp ) ;
u . alter_resp . max_xmit_frag = RPC_MAX_PDU_FRAG_LEN ;
u . alter_resp . max_recv_frag = RPC_MAX_PDU_FRAG_LEN ;
u . alter_resp . assoc_group_id = assoc_gid ;
/* secondary address CAN be NULL
* as the specs say it ' s ignored .
* It MUST be NULL to have the spoolss working .
*/
u . alter_resp . secondary_address = " " ;
u . alter_resp . secondary_address_size = 1 ;
u . alter_resp . num_results = 1 ;
2015-07-07 17:06:59 +03:00
u . alter_resp . ctx_list = & alter_ack_ctx ;
2010-07-12 01:35:02 +04:00
/* NOTE: We leave the auth_info empty so we can calculate the padding
* later and then append the auth_info - - simo */
2010-07-14 02:01:16 +04:00
/*
* Marshall directly into the outgoing PDU space . We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here .
*/
status = dcerpc_push_ncacn_packet ( p - > mem_ctx ,
DCERPC_PKT_ALTER_RESP ,
2010-07-12 01:35:02 +04:00
DCERPC_PFC_FLAG_FIRST |
DCERPC_PFC_FLAG_LAST ,
auth_resp . length ,
pkt - > call_id ,
2010-07-14 02:01:16 +04:00
& u ,
& p - > out_data . frag ) ;
2010-07-12 01:35:02 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2015-07-07 17:06:59 +03:00
DEBUG ( 0 , ( " Failed to marshall alter_resp packet. (%s) \n " ,
2010-07-12 01:35:02 +04:00
nt_errstr ( status ) ) ) ;
2015-07-07 14:05:01 +03:00
goto err_exit ;
2010-02-18 02:27:59 +03:00
}
2010-07-12 01:07:19 +04:00
if ( auth_resp . length ) {
status = dcerpc_push_dcerpc_auth ( pkt ,
2015-07-08 01:01:37 +03:00
p - > auth . auth_type ,
p - > auth . auth_level ,
2015-06-19 23:09:57 +03:00
0 , /* pad_len */
2015-07-08 01:01:37 +03:00
p - > auth . auth_context_id ,
2010-07-12 01:07:19 +04:00
& auth_resp ,
& auth_blob ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " Marshalling of dcerpc_auth failed. \n " ) ) ;
goto err_exit ;
}
2000-03-10 00:45:16 +03:00
}
2010-07-12 01:35:02 +04:00
/* Now that we have the auth len store it into the right place in
* the dcerpc header */
2010-07-14 02:01:16 +04:00
dcerpc_set_frag_length ( & p - > out_data . frag ,
p - > out_data . frag . length +
2015-06-19 23:09:57 +03:00
auth_blob . length ) ;
2000-03-10 00:45:16 +03:00
2010-07-12 01:35:02 +04:00
if ( auth_resp . length ) {
2010-07-14 02:01:16 +04:00
if ( ! data_blob_append ( p - > mem_ctx , & p - > out_data . frag ,
auth_blob . data , auth_blob . length ) ) {
2010-07-12 01:35:02 +04:00
DEBUG ( 0 , ( " Append of auth info failed. \n " ) ) ;
2010-02-18 02:27:59 +03:00
goto err_exit ;
}
2000-03-10 00:45:16 +03:00
}
/*
* Setup the lengths for the initial reply .
*/
p - > out_data . data_sent_length = 0 ;
p - > out_data . current_pdu_sent = 0 ;
2010-07-12 01:07:19 +04:00
TALLOC_FREE ( auth_blob . data ) ;
2000-03-10 00:45:16 +03:00
return True ;
err_exit :
2010-07-14 02:01:16 +04:00
data_blob_free ( & p - > out_data . frag ) ;
2010-07-12 01:07:19 +04:00
TALLOC_FREE ( auth_blob . data ) ;
2010-07-11 18:37:07 +04:00
return setup_bind_nak ( p , pkt ) ;
2000-03-10 00:45:16 +03:00
}
1998-11-12 19:07:00 +03:00
2010-07-28 12:16:34 +04:00
static bool api_rpcTNP ( struct pipes_struct * p , struct ncacn_packet * pkt ,
2011-05-30 13:11:48 +04:00
const struct api_struct * api_rpc_cmds , int n_cmds ,
const struct ndr_syntax_id * syntax ) ;
2008-07-26 13:25:24 +04:00
2014-01-10 16:56:06 +04:00
static bool srv_pipe_check_verification_trailer ( struct pipes_struct * p ,
struct ncacn_packet * pkt ,
struct pipe_rpc_fns * pipe_fns )
{
TALLOC_CTX * frame = talloc_stackframe ( ) ;
struct dcerpc_sec_verification_trailer * vt = NULL ;
const uint32_t bitmask1 =
p - > auth . client_hdr_signing ? DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0 ;
const struct dcerpc_sec_vt_pcontext pcontext = {
. abstract_syntax = pipe_fns - > syntax ,
. transfer_syntax = ndr_transfer_syntax_ndr ,
} ;
const struct dcerpc_sec_vt_header2 header2 =
dcerpc_sec_vt_header2_from_ncacn_packet ( pkt ) ;
struct ndr_pull * ndr ;
enum ndr_err_code ndr_err ;
bool ret = false ;
ndr = ndr_pull_init_blob ( & p - > in_data . data , frame ) ;
if ( ndr = = NULL ) {
goto done ;
}
ndr_err = ndr_pop_dcerpc_sec_verification_trailer ( ndr , frame , & vt ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
goto done ;
}
ret = dcerpc_sec_verification_trailer_check ( vt , & bitmask1 ,
& pcontext , & header2 ) ;
done :
TALLOC_FREE ( frame ) ;
return ret ;
}
2000-03-10 00:45:16 +03:00
/****************************************************************************
Find the correct RPC function to call for this request .
If the pipe is authenticated then become the correct UNIX user
before doing the call .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-08-02 18:28:10 +04:00
static bool api_pipe_request ( struct pipes_struct * p ,
struct ncacn_packet * pkt )
delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service. the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.
this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).
removed reference to pipes_struct in msrpc services. all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.
created become_vuser() which does everything not related to connection_struct
that become_user() does.
removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.
todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.
had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons. why? because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency. so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc. this is the MINIMUM info identified so far that's
actually implemented. missing bits include the called and calling
netbios names etc. (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8dba0437c17c60055a6ed30fdfecdb6d)
1999-12-12 04:25:49 +03:00
{
2014-01-15 13:27:49 +04:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2007-10-19 04:40:25 +04:00
bool ret = False ;
2011-07-21 17:53:10 +04:00
struct pipe_rpc_fns * pipe_fns ;
2016-03-18 06:40:30 +03:00
const char * interface_name = NULL ;
2009-01-06 13:32:07 +03:00
2011-08-30 18:37:40 +04:00
if ( ! p - > pipe_bound ) {
DEBUG ( 1 , ( " Pipe not bound! \n " ) ) ;
data_blob_free ( & p - > out_data . rdata ) ;
2014-01-15 13:27:49 +04:00
TALLOC_FREE ( frame ) ;
2011-08-30 18:37:40 +04:00
return false ;
2000-03-10 00:45:16 +03:00
}
2003-08-15 01:14:28 +04:00
/* get the set of RPC functions for this context */
2010-07-10 03:34:34 +04:00
pipe_fns = find_pipe_fns_by_context ( p - > contexts ,
pkt - > u . request . context_id ) ;
2014-01-15 13:27:49 +04:00
if ( pipe_fns = = NULL ) {
2010-07-10 03:34:34 +04:00
DEBUG ( 0 , ( " No rpc function table associated with context "
2011-05-30 13:02:47 +04:00
" [%d] \n " ,
pkt - > u . request . context_id ) ) ;
2014-01-15 13:27:49 +04:00
data_blob_free ( & p - > out_data . rdata ) ;
TALLOC_FREE ( frame ) ;
return false ;
}
2016-03-18 06:40:30 +03:00
interface_name = ndr_interface_name ( & pipe_fns - > syntax . uuid ,
pipe_fns - > syntax . if_version ) ;
SMB_ASSERT ( interface_name ! = NULL ) ;
switch ( p - > auth . auth_level ) {
case DCERPC_AUTH_LEVEL_NONE :
2016-09-23 01:16:13 +03:00
case DCERPC_AUTH_LEVEL_PACKET :
2016-03-18 06:40:30 +03:00
case DCERPC_AUTH_LEVEL_INTEGRITY :
case DCERPC_AUTH_LEVEL_PRIVACY :
break ;
default :
if ( ! pipe_fns - > allow_connect ) {
char * addr ;
addr = tsocket_address_string ( p - > remote_address , frame ) ;
DEBUG ( 1 , ( " %s: restrict auth_level_connect access "
" to [%s] with auth[type=0x%x,level=0x%x] "
" on [%s] from [%s] \n " ,
__func__ , interface_name ,
p - > auth . auth_type ,
p - > auth . auth_level ,
derpc_transport_string_by_transport ( p - > transport ) ,
addr ) ) ;
setup_fault_pdu ( p , NT_STATUS ( DCERPC_FAULT_ACCESS_DENIED ) ) ;
TALLOC_FREE ( frame ) ;
return true ;
}
break ;
}
2014-01-10 16:56:06 +04:00
if ( ! srv_pipe_check_verification_trailer ( p , pkt , pipe_fns ) ) {
DEBUG ( 1 , ( " srv_pipe_check_verification_trailer: failed \n " ) ) ;
2015-12-23 14:38:55 +03:00
set_incoming_fault ( p ) ;
2014-01-10 16:56:06 +04:00
setup_fault_pdu ( p , NT_STATUS ( DCERPC_FAULT_ACCESS_DENIED ) ) ;
data_blob_free ( & p - > out_data . rdata ) ;
TALLOC_FREE ( frame ) ;
return true ;
}
2014-01-15 13:27:49 +04:00
if ( ! become_authenticated_pipe_user ( p - > session_info ) ) {
DEBUG ( 1 , ( " Failed to become pipe user! \n " ) ) ;
data_blob_free ( & p - > out_data . rdata ) ;
TALLOC_FREE ( frame ) ;
return false ;
2000-03-10 00:45:16 +03:00
}
2016-03-18 06:40:30 +03:00
DEBUG ( 5 , ( " Requested %s rpc service \n " , interface_name ) ) ;
2014-01-15 13:27:49 +04:00
ret = api_rpcTNP ( p , pkt , pipe_fns - > cmds , pipe_fns - > n_cmds ,
& pipe_fns - > syntax ) ;
2011-08-30 18:37:40 +04:00
unbecome_authenticated_pipe_user ( ) ;
2000-03-10 00:45:16 +03:00
2014-01-15 13:27:49 +04:00
TALLOC_FREE ( frame ) ;
2000-03-10 00:45:16 +03:00
return ret ;
1998-11-12 19:07:00 +03:00
}
2000-03-10 00:45:16 +03:00
/*******************************************************************
Calls the underlying RPC function for a named pipe .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-07-28 12:16:34 +04:00
static bool api_rpcTNP ( struct pipes_struct * p , struct ncacn_packet * pkt ,
2011-05-30 13:11:48 +04:00
const struct api_struct * api_rpc_cmds , int n_cmds ,
const struct ndr_syntax_id * syntax )
2000-03-10 00:45:16 +03:00
{
int fn_num ;
2010-07-13 23:43:44 +04:00
uint32_t offset1 ;
2013-09-18 12:59:14 +04:00
const struct ndr_interface_table * table ;
2009-01-06 13:32:07 +03:00
2000-03-10 00:45:16 +03:00
/* interpret the command */
2009-11-08 21:37:53 +03:00
DEBUG ( 4 , ( " api_rpcTNP: %s op 0x%x - " ,
2013-09-18 12:58:16 +04:00
ndr_interface_name ( & syntax - > uuid , syntax - > if_version ) ,
2010-07-10 03:34:34 +04:00
pkt - > u . request . opnum ) ) ;
2000-03-10 00:45:16 +03:00
2013-09-18 12:59:14 +04:00
table = ndr_table_by_uuid ( & syntax - > uuid ) ;
if ( table = = NULL ) {
DEBUG ( 0 , ( " unknown interface \n " ) ) ;
return false ;
}
2009-02-01 14:03:31 +03:00
if ( DEBUGLEVEL > = 50 ) {
fstring name ;
2009-11-08 21:37:53 +03:00
slprintf ( name , sizeof ( name ) - 1 , " in_%s " ,
2013-09-18 12:59:14 +04:00
dcerpc_default_transport_endpoint ( pkt , NCACN_NP , table ) ) ;
2010-07-16 00:54:14 +04:00
dump_pdu_region ( name , pkt - > u . request . opnum ,
& p - > in_data . data , 0 ,
2010-07-15 18:28:59 +04:00
p - > in_data . data . length ) ;
2009-02-01 14:03:31 +03:00
}
2000-05-15 11:18:12 +04:00
2003-02-14 03:48:28 +03:00
for ( fn_num = 0 ; fn_num < n_cmds ; fn_num + + ) {
2010-07-10 03:34:34 +04:00
if ( api_rpc_cmds [ fn_num ] . opnum = = pkt - > u . request . opnum & &
api_rpc_cmds [ fn_num ] . fn ! = NULL ) {
DEBUG ( 3 , ( " api_rpcTNP: rpc command: %s \n " ,
api_rpc_cmds [ fn_num ] . name ) ) ;
2000-03-10 00:45:16 +03:00
break ;
}
}
2003-02-14 03:48:28 +03:00
if ( fn_num = = n_cmds ) {
2000-03-10 00:45:16 +03:00
/*
* For an unknown RPC just return a fault PDU but
* return True to allow RPC ' s on the pipe to continue
* and not put the pipe into fault state . JRA .
*/
DEBUG ( 4 , ( " unknown \n " ) ) ;
2006-03-21 03:04:05 +03:00
setup_fault_pdu ( p , NT_STATUS ( DCERPC_FAULT_OP_RNG_ERROR ) ) ;
2000-03-10 00:45:16 +03:00
return True ;
}
2010-07-13 23:43:44 +04:00
offset1 = p - > out_data . rdata . length ;
2000-05-15 13:59:58 +04:00
2003-02-14 03:48:28 +03:00
DEBUG ( 6 , ( " api_rpc_cmds[%d].fn == %p \n " ,
fn_num , api_rpc_cmds [ fn_num ] . fn ) ) ;
2000-03-10 00:45:16 +03:00
/* do the actual command */
2000-06-16 12:11:32 +04:00
if ( ! api_rpc_cmds [ fn_num ] . fn ( p ) ) {
2009-11-08 21:37:53 +03:00
DEBUG ( 0 , ( " api_rpcTNP: %s: %s failed. \n " ,
2013-09-18 12:58:16 +04:00
ndr_interface_name ( & syntax - > uuid , syntax - > if_version ) ,
2009-02-01 14:03:31 +03:00
api_rpc_cmds [ fn_num ] . name ) ) ;
2010-07-13 23:43:44 +04:00
data_blob_free ( & p - > out_data . rdata ) ;
2000-03-10 00:45:16 +03:00
return False ;
}
2012-06-27 17:21:11 +04:00
if ( p - > fault_state ) {
DEBUG ( 4 , ( " api_rpcTNP: fault(%d) return. \n " , p - > fault_state ) ) ;
setup_fault_pdu ( p , NT_STATUS ( p - > fault_state ) ) ;
p - > fault_state = 0 ;
return true ;
2006-10-10 11:53:41 +04:00
}
2009-02-01 14:03:31 +03:00
if ( DEBUGLEVEL > = 50 ) {
fstring name ;
2009-11-08 21:37:53 +03:00
slprintf ( name , sizeof ( name ) - 1 , " out_%s " ,
2013-09-18 12:59:14 +04:00
dcerpc_default_transport_endpoint ( pkt , NCACN_NP , table ) ) ;
2010-07-16 00:54:14 +04:00
dump_pdu_region ( name , pkt - > u . request . opnum ,
& p - > out_data . rdata , offset1 ,
2010-07-13 23:43:44 +04:00
p - > out_data . rdata . length ) ;
2009-02-01 14:03:31 +03:00
}
2000-05-15 13:59:58 +04:00
2009-02-01 14:03:31 +03:00
DEBUG ( 5 , ( " api_rpcTNP: called %s successfully \n " ,
2013-09-18 12:58:16 +04:00
ndr_interface_name ( & syntax - > uuid , syntax - > if_version ) ) ) ;
2000-03-10 00:45:16 +03:00
2000-10-18 05:15:05 +04:00
/* Check for buffer underflow in rpc parsing */
2010-07-15 18:28:59 +04:00
if ( ( DEBUGLEVEL > = 10 ) & &
( pkt - > frag_length < p - > in_data . data . length ) ) {
2000-10-18 05:15:05 +04:00
DEBUG ( 10 , ( " api_rpcTNP: rpc input buffer underflow (parse error?) \n " ) ) ;
2010-07-15 18:28:59 +04:00
dump_data ( 10 , p - > in_data . data . data + pkt - > frag_length ,
p - > in_data . data . length - pkt - > frag_length ) ;
2000-10-18 05:15:05 +04:00
}
2000-03-10 00:45:16 +03:00
return True ;
}
2010-07-17 23:22:26 +04:00
/****************************************************************************
Initialise an outgoing packet .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-07-28 12:16:34 +04:00
static bool pipe_init_outgoing_data ( struct pipes_struct * p )
2010-07-17 23:22:26 +04:00
{
output_data * o_data = & p - > out_data ;
/* Reset the offset counters. */
o_data - > data_sent_length = 0 ;
o_data - > current_pdu_sent = 0 ;
data_blob_free ( & o_data - > frag ) ;
/* Free any memory in the current return data buffer. */
data_blob_free ( & o_data - > rdata ) ;
return True ;
}
/****************************************************************************
Sets the fault state on incoming packets .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-07-28 12:16:34 +04:00
void set_incoming_fault ( struct pipes_struct * p )
2010-07-17 23:22:26 +04:00
{
data_blob_free ( & p - > in_data . data ) ;
p - > in_data . pdu_needed_len = 0 ;
p - > in_data . pdu . length = 0 ;
2015-12-23 14:38:55 +03:00
p - > fault_state = DCERPC_NCA_S_PROTO_ERROR ;
2011-05-30 13:27:07 +04:00
2015-07-07 10:15:39 +03:00
p - > allow_alter = false ;
p - > allow_auth3 = false ;
p - > pipe_bound = false ;
2011-05-30 13:27:07 +04:00
DEBUG ( 10 , ( " Setting fault state \n " ) ) ;
2010-07-17 23:22:26 +04:00
}
2010-07-20 03:34:34 +04:00
static NTSTATUS dcesrv_auth_request ( struct pipe_auth_data * auth ,
struct ncacn_packet * pkt ,
DATA_BLOB * raw_pkt )
{
NTSTATUS status ;
size_t hdr_size = DCERPC_REQUEST_LENGTH ;
DEBUG ( 10 , ( " Checking request auth. \n " ) ) ;
if ( pkt - > pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID ) {
hdr_size + = 16 ;
}
/* in case of sealing this function will unseal the data in place */
status = dcerpc_check_auth ( auth , pkt ,
& pkt - > u . request . stub_and_verifier ,
2015-07-09 08:59:24 +03:00
hdr_size , raw_pkt ) ;
2010-07-20 03:34:34 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2010-07-20 01:14:56 +04:00
return NT_STATUS_OK ;
2010-07-17 23:22:26 +04:00
}
/****************************************************************************
Processes a request pdu . This will do auth processing if needed , and
appends the data into the complete stream if the LAST flag is not set .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-07-28 12:16:34 +04:00
static bool process_request_pdu ( struct pipes_struct * p , struct ncacn_packet * pkt )
2010-07-17 23:22:26 +04:00
{
2010-07-20 01:14:56 +04:00
NTSTATUS status ;
2010-07-17 23:22:26 +04:00
DATA_BLOB data ;
2014-01-09 16:55:27 +04:00
struct dcerpc_sec_vt_header2 hdr2 ;
2010-07-17 23:22:26 +04:00
if ( ! p - > pipe_bound ) {
DEBUG ( 0 , ( " process_request_pdu: rpc request with no bind. \n " ) ) ;
set_incoming_fault ( p ) ;
return False ;
}
2015-07-07 17:06:59 +03:00
/*
* We don ' t ignore DCERPC_PFC_FLAG_PENDING_CANCEL .
* TODO : we can reject it with DCERPC_FAULT_NO_CALL_ACTIVE later .
*/
status = dcerpc_verify_ncacn_packet_header ( pkt ,
DCERPC_PKT_REQUEST ,
pkt - > u . request . stub_and_verifier . length ,
0 , /* required_flags */
DCERPC_PFC_FLAG_FIRST |
DCERPC_PFC_FLAG_LAST |
0x08 | /* this is not defined, but should be ignored */
DCERPC_PFC_FLAG_CONC_MPX |
DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
DCERPC_PFC_FLAG_MAYBE |
DCERPC_PFC_FLAG_OBJECT_UUID ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 1 , ( " process_request_pdu: invalid pdu: %s \n " ,
nt_errstr ( status ) ) ) ;
NDR_PRINT_DEBUG ( ncacn_packet , pkt ) ;
set_incoming_fault ( p ) ;
return false ;
}
2014-01-09 16:55:27 +04:00
hdr2 = dcerpc_sec_vt_header2_from_ncacn_packet ( pkt ) ;
if ( pkt - > pfc_flags & DCERPC_PFC_FLAG_FIRST ) {
p - > header2 = hdr2 ;
} else {
if ( ! dcerpc_sec_vt_header2_equal ( & hdr2 , & p - > header2 ) ) {
set_incoming_fault ( p ) ;
return false ;
}
}
2010-07-17 23:22:26 +04:00
/* Store the opnum */
p - > opnum = pkt - > u . request . opnum ;
2010-07-20 01:51:18 +04:00
status = dcesrv_auth_request ( & p - > auth , pkt , & p - > in_data . pdu ) ;
2010-07-20 01:14:56 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2010-07-20 03:34:34 +04:00
DEBUG ( 0 , ( " Failed to check packet auth. (%s) \n " ,
nt_errstr ( status ) ) ) ;
2010-07-17 23:22:26 +04:00
set_incoming_fault ( p ) ;
return false ;
}
data = pkt - > u . request . stub_and_verifier ;
/*
* Check the data length doesn ' t go over the 15 Mb limit .
* increased after observing a bug in the Windows NT 4.0 SP6a
* spoolsv . exe when the response to a GETPRINTERDRIVER2 RPC
* will not fit in the initial buffer of size 0x1068 - - jerry 22 / 01 / 2002
*/
if ( p - > in_data . data . length + data . length > MAX_RPC_DATA_SIZE ) {
DEBUG ( 0 , ( " process_request_pdu: "
" rpc data buffer too large (%u) + (%u) \n " ,
( unsigned int ) p - > in_data . data . length ,
( unsigned int ) data . length ) ) ;
set_incoming_fault ( p ) ;
return False ;
}
/*
* Append the data portion into the buffer and return .
*/
if ( data . length ) {
if ( ! data_blob_append ( p - > mem_ctx , & p - > in_data . data ,
data . data , data . length ) ) {
DEBUG ( 0 , ( " Unable to append data size %u "
" to parse buffer of size %u. \n " ,
( unsigned int ) data . length ,
( unsigned int ) p - > in_data . data . length ) ) ;
set_incoming_fault ( p ) ;
return False ;
}
}
2014-01-09 13:15:31 +04:00
if ( ! ( pkt - > pfc_flags & DCERPC_PFC_FLAG_LAST ) ) {
return true ;
}
2010-07-17 23:22:26 +04:00
2014-01-09 13:15:31 +04:00
/*
* Ok - we finally have a complete RPC stream .
* Call the rpc command to process it .
*/
2010-07-17 23:22:26 +04:00
2014-01-09 13:15:31 +04:00
return api_pipe_request ( p , pkt ) ;
2010-07-17 23:22:26 +04:00
}
2013-12-10 16:59:06 +04:00
void process_complete_pdu ( struct pipes_struct * p , struct ncacn_packet * pkt )
2010-07-17 23:22:26 +04:00
{
2013-12-10 16:59:06 +04:00
bool reply = false ;
2010-07-17 23:22:26 +04:00
/* Store the call_id */
p - > call_id = pkt - > call_id ;
2011-05-30 13:27:07 +04:00
DEBUG ( 10 , ( " Processing packet type %u \n " , ( unsigned int ) pkt - > ptype ) ) ;
2010-07-17 23:22:26 +04:00
s3-rpc_server: Fix handling of fragmented rpc requests.
We need to call pipe_init_outgoing_data() as the first thing in
process_complete_pdu(). Otherwise the caller may use uninitialized
memory and tries to write a response into the socket.
The problem happens only if a real socket is used, which means
in all cases for master and only with external rpc daemons in v4-0
and v4-1.
The problem looks like this in the logs.
[2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
Processing packet type 0
[2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
Checking request auth.
[2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
Sending 1 fragments in a total of 0 bytes
[2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
Sending PDU number: 0, PDU Length: 4294967228
[2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
Writev failed!
[2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
Fatal error(Message too long). Terminating client(127.0.0.1) connection!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Guenther Deschner <gd@samba.org
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104
2014-03-20 17:45:01 +04:00
if ( ! pipe_init_outgoing_data ( p ) ) {
goto done ;
}
2010-07-17 23:22:26 +04:00
switch ( pkt - > ptype ) {
case DCERPC_PKT_REQUEST :
reply = process_request_pdu ( p , pkt ) ;
break ;
case DCERPC_PKT_PING : /* CL request - ignore... */
2011-05-30 13:27:07 +04:00
DEBUG ( 0 , ( " Error - Connectionless packet type %u received \n " ,
( unsigned int ) pkt - > ptype ) ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_RESPONSE : /* No responses here. */
2011-05-30 13:27:07 +04:00
DEBUG ( 0 , ( " Error - DCERPC_PKT_RESPONSE received from client " ) ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_FAULT :
case DCERPC_PKT_WORKING :
/* CL request - reply to a ping when a call in process. */
case DCERPC_PKT_NOCALL :
/* CL - server reply to a ping call. */
case DCERPC_PKT_REJECT :
case DCERPC_PKT_ACK :
case DCERPC_PKT_CL_CANCEL :
case DCERPC_PKT_FACK :
case DCERPC_PKT_CANCEL_ACK :
2011-05-30 13:27:07 +04:00
DEBUG ( 0 , ( " Error - Connectionless packet type %u received \n " ,
( unsigned int ) pkt - > ptype ) ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_BIND :
/*
* We assume that a pipe bind is only in one pdu .
*/
s3-rpc_server: Fix handling of fragmented rpc requests.
We need to call pipe_init_outgoing_data() as the first thing in
process_complete_pdu(). Otherwise the caller may use uninitialized
memory and tries to write a response into the socket.
The problem happens only if a real socket is used, which means
in all cases for master and only with external rpc daemons in v4-0
and v4-1.
The problem looks like this in the logs.
[2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
Processing packet type 0
[2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
Checking request auth.
[2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
Sending 1 fragments in a total of 0 bytes
[2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
Sending PDU number: 0, PDU Length: 4294967228
[2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
Writev failed!
[2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
Fatal error(Message too long). Terminating client(127.0.0.1) connection!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Guenther Deschner <gd@samba.org
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104
2014-03-20 17:45:01 +04:00
reply = api_pipe_bind_req ( p , pkt ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_BIND_ACK :
case DCERPC_PKT_BIND_NAK :
2011-05-30 13:27:07 +04:00
DEBUG ( 0 , ( " Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
" packet type %u received. \n " ,
( unsigned int ) pkt - > ptype ) ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_ALTER :
/*
* We assume that a pipe bind is only in one pdu .
*/
s3-rpc_server: Fix handling of fragmented rpc requests.
We need to call pipe_init_outgoing_data() as the first thing in
process_complete_pdu(). Otherwise the caller may use uninitialized
memory and tries to write a response into the socket.
The problem happens only if a real socket is used, which means
in all cases for master and only with external rpc daemons in v4-0
and v4-1.
The problem looks like this in the logs.
[2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
Processing packet type 0
[2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
Checking request auth.
[2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
Sending 1 fragments in a total of 0 bytes
[2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
Sending PDU number: 0, PDU Length: 4294967228
[2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
Writev failed!
[2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
Fatal error(Message too long). Terminating client(127.0.0.1) connection!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Guenther Deschner <gd@samba.org
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104
2014-03-20 17:45:01 +04:00
reply = api_pipe_alter_context ( p , pkt ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_ALTER_RESP :
2011-05-30 13:27:07 +04:00
DEBUG ( 0 , ( " Error - DCERPC_PKT_ALTER_RESP received: "
" Should only be server -> client. \n " ) ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_AUTH3 :
/*
2010-08-27 23:23:20 +04:00
* The third packet in an auth exchange .
2010-07-17 23:22:26 +04:00
*/
s3-rpc_server: Fix handling of fragmented rpc requests.
We need to call pipe_init_outgoing_data() as the first thing in
process_complete_pdu(). Otherwise the caller may use uninitialized
memory and tries to write a response into the socket.
The problem happens only if a real socket is used, which means
in all cases for master and only with external rpc daemons in v4-0
and v4-1.
The problem looks like this in the logs.
[2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
Processing packet type 0
[2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
Checking request auth.
[2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
Sending 1 fragments in a total of 0 bytes
[2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
Sending PDU number: 0, PDU Length: 4294967228
[2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
Writev failed!
[2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
Fatal error(Message too long). Terminating client(127.0.0.1) connection!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Guenther Deschner <gd@samba.org
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104
2014-03-20 17:45:01 +04:00
reply = api_pipe_bind_auth3 ( p , pkt ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_SHUTDOWN :
2011-05-30 13:27:07 +04:00
DEBUG ( 0 , ( " Error - DCERPC_PKT_SHUTDOWN received: "
" Should only be server -> client. \n " ) ) ;
2010-07-17 23:22:26 +04:00
break ;
case DCERPC_PKT_CO_CANCEL :
/* For now just free all client data and continue
* processing . */
DEBUG ( 3 , ( " process_complete_pdu: DCERPC_PKT_CO_CANCEL. "
" Abandoning rpc call. \n " ) ) ;
/* As we never do asynchronous RPC serving, we can
* never cancel a call ( as far as I know ) .
* If we ever did we ' d have to send a cancel_ack reply .
* For now , just free all client data and continue
* processing . */
reply = True ;
break ;
#if 0
/* Enable this if we're doing async rpc. */
/* We must check the outstanding callid matches. */
if ( pipe_init_outgoing_data ( p ) ) {
/* Send a cancel_ack PDU reply. */
/* We should probably check the auth-verifier here. */
reply = setup_cancel_ack_reply ( p , pkt ) ;
}
break ;
# endif
case DCERPC_PKT_ORPHANED :
/* We should probably check the auth-verifier here.
* For now just free all client data and continue
* processing . */
DEBUG ( 3 , ( " process_complete_pdu: DCERPC_PKT_ORPHANED. "
" Abandoning rpc call. \n " ) ) ;
reply = True ;
break ;
default :
DEBUG ( 0 , ( " process_complete_pdu: "
" Unknown rpc type = %u received. \n " ,
( unsigned int ) pkt - > ptype ) ) ;
break ;
}
s3-rpc_server: Fix handling of fragmented rpc requests.
We need to call pipe_init_outgoing_data() as the first thing in
process_complete_pdu(). Otherwise the caller may use uninitialized
memory and tries to write a response into the socket.
The problem happens only if a real socket is used, which means
in all cases for master and only with external rpc daemons in v4-0
and v4-1.
The problem looks like this in the logs.
[2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
Processing packet type 0
[2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
Checking request auth.
[2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
Sending 1 fragments in a total of 0 bytes
[2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
Sending PDU number: 0, PDU Length: 4294967228
[2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
Writev failed!
[2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
Fatal error(Message too long). Terminating client(127.0.0.1) connection!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Guenther Deschner <gd@samba.org
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104
2014-03-20 17:45:01 +04:00
done :
2010-07-17 23:22:26 +04:00
if ( ! reply ) {
2011-05-30 13:27:07 +04:00
DEBUG ( 3 , ( " DCE/RPC fault sent! " ) ) ;
2010-07-17 23:22:26 +04:00
set_incoming_fault ( p ) ;
2015-12-23 14:38:55 +03:00
setup_fault_pdu ( p , NT_STATUS ( DCERPC_NCA_S_PROTO_ERROR ) ) ;
2010-07-17 23:22:26 +04:00
}
2013-12-10 16:59:06 +04:00
/* pkt and p->in_data.pdu.data freed by caller */
2010-07-17 23:22:26 +04:00
}
