sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned

Browse Source 
That what Windows also asserts.

It also makes sure that ndr_pull_dcerpc_auth() will
start with ndr->offset = 0 and don't tries to eat
possible padding.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 890fff1ca0)
This commit is contained in:
Stefan Metzmacher 2020-11-11 17:05:21 +01:00 committed by Jule Anger
parent 432f8a3b69
commit 1dbcb533af
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
librpc/rpc/dcerpc_util.c
View File

@ -239,8 +239,10 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
enum ndr_err_code ndr_err;
uint16_t data_and_pad;
uint16_t auth_length;
uint16_t auth_offset;
uint32_t tmp_length;
uint32_t max_pad_len = 0;
DATA_BLOB auth_blob;
ZERO_STRUCTP(auth);
if (_auth_length != NULL) {
@ -280,8 +282,16 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
}
data_and_pad = pkt_trailer->length - auth_length;
auth_offset = pkt->frag_length - auth_length;
if ((auth_offset % 4) != 0) {
DBG_WARNING("auth_offset[%u] not 4 byte aligned\n",
(unsigned)auth_offset);
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
auth_blob = data_blob_const(pkt_trailer->data + data_and_pad,
auth_length);
ndr = ndr_pull_init_blob(&auth_blob, mem_ctx);
if (!ndr) {
return NT_STATUS_NO_MEMORY;
}
@ -290,12 +300,6 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
}
ndr_err = ndr_pull_advance(ndr, data_and_pad);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(ndr);
return ndr_map_error2ntstatus(ndr_err);
}
ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(ndr);

1
selftest/knownfail.d/dcerpc-auth-pad
View File

@ -17,7 +17,6 @@
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_auth3
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_spnego_integrity_bind_auth_align2
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_no_padding.*chgdcpass
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_tail_padding.*chgdcpass
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_bind_no_padding.*chgdcpass