From 39282d2ce75c2874712aa0ab795371382a35e450 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 27 Feb 2016 03:45:43 +0100 Subject: [PATCH] CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- .../protocol/clientipcmaxprotocol.xml | 29 +++++++++++++++++++ .../protocol/clientipcminprotocol.xml | 29 +++++++++++++++++++ .../smbdotconf/protocol/clientmaxprotocol.xml | 9 ++++-- .../smbdotconf/protocol/clientminprotocol.xml | 6 ++++ lib/param/loadparm.c | 26 +++++++++++++++++ source3/include/proto.h | 2 ++ source3/param/loadparm.c | 26 +++++++++++++++++ 7 files changed, 124 insertions(+), 3 deletions(-) create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml diff --git a/docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml b/docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml new file mode 100644 index 00000000000..408af50940f --- /dev/null +++ b/docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml @@ -0,0 +1,29 @@ + + + The value of the parameter (a string) is the highest + protocol level that will be supported for IPC$ connections as DCERPC transport. + + Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol. + + The value default refers to the latest + supported protocol, currently SMB3_11. + + See for a full list + of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2 + are silently upgraded to NT1. + + +client ipc min protocol +client min protocol +client max protocol + +default +SMB2_10 + diff --git a/docs-xml/smbdotconf/protocol/clientipcminprotocol.xml b/docs-xml/smbdotconf/protocol/clientipcminprotocol.xml new file mode 100644 index 00000000000..fc04b780b15 --- /dev/null +++ b/docs-xml/smbdotconf/protocol/clientipcminprotocol.xml @@ -0,0 +1,29 @@ + + + This setting controls the minimum protocol version that the + will be attempted to use for IPC$ connections as DCERPC transport. + + Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol. + + The value default refers to the higher value + of NT1 and the effective value of + . + + See for a full list + of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2 + are silently upgraded to NT1. + + +client ipc max protocol +client min protocol +client max protocol +default +SMB3_11 + diff --git a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml index 240ba1ac917..0131331b876 100644 --- a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml +++ b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml @@ -79,13 +79,16 @@ negotiation phase in the SMB protocol takes care of choosing the appropriate protocol. - The value default refers to the default protocol in each - part of the code, currently NT1 in the client tools and - SMB3_02 in winbindd. + The value default refers to NT1. + + IPC$ connections for DCERPC e.g. in winbindd, are handled by the + option. server max protocol client min protocol +client ipc min protocol +client ipc max protocol default LANMAN1 diff --git a/docs-xml/smbdotconf/protocol/clientminprotocol.xml b/docs-xml/smbdotconf/protocol/clientminprotocol.xml index ac0d460a2e4..fb8f87e4016 100644 --- a/docs-xml/smbdotconf/protocol/clientminprotocol.xml +++ b/docs-xml/smbdotconf/protocol/clientminprotocol.xml @@ -13,10 +13,16 @@ See client max protocol for a full list of available protocols. + + IPC$ connections for DCERPC e.g. in winbindd, are handled by the + option. client max protocol server min protocol +client ipc min protocol +client ipc max protocol + CORE NT1 diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 5c9f6a1114d..6247f88c19d 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2614,6 +2614,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "server max protocol", "SMB3"); lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE"); lpcfg_do_global_parameter(lp_ctx, "client max protocol", "default"); + lpcfg_do_global_parameter(lp_ctx, "client ipc min protocol", "default"); + lpcfg_do_global_parameter(lp_ctx, "client ipc max protocol", "default"); lpcfg_do_global_parameter(lp_ctx, "security", "AUTO"); lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True"); lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True"); @@ -3319,6 +3321,30 @@ int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx) return client_max_protocol; } +int lpcfg_client_ipc_min_protocol(struct loadparm_context *lp_ctx) +{ + int client_ipc_min_protocol = lpcfg__client_ipc_min_protocol(lp_ctx); + if (client_ipc_min_protocol == PROTOCOL_DEFAULT) { + client_ipc_min_protocol = lpcfg_client_min_protocol(lp_ctx); + } + if (client_ipc_min_protocol < PROTOCOL_NT1) { + return PROTOCOL_NT1; + } + return client_ipc_min_protocol; +} + +int lpcfg_client_ipc_max_protocol(struct loadparm_context *lp_ctx) +{ + int client_ipc_max_protocol = lpcfg__client_ipc_max_protocol(lp_ctx); + if (client_ipc_max_protocol == PROTOCOL_DEFAULT) { + return PROTOCOL_LATEST; + } + if (client_ipc_max_protocol < PROTOCOL_NT1) { + return PROTOCOL_NT1; + } + return client_ipc_max_protocol; +} + bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory) { bool allowed = true; diff --git a/source3/include/proto.h b/source3/include/proto.h index 3d59690ad01..67af5b7a66e 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -904,6 +904,8 @@ const char *lp_idmap_default_backend (void); int lp_security(void); int lp_client_max_protocol(void); int lp_winbindd_max_protocol(void); +int lp_client_ipc_min_protocol(void); +int lp_client_ipc_max_protocol(void); int lp_smb2_max_credits(void); int lp_cups_encrypt(void); bool lp_widelinks(int ); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 934964f13e1..7ecdd48db11 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -639,6 +639,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.server_min_protocol = PROTOCOL_LANMAN1; Globals._client_max_protocol = PROTOCOL_DEFAULT; Globals.client_min_protocol = PROTOCOL_CORE; + Globals._client_ipc_max_protocol = PROTOCOL_DEFAULT; + Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT; Globals._security = SEC_AUTO; Globals.encrypt_passwords = true; Globals.client_schannel = Auto; @@ -4445,6 +4447,30 @@ int lp_winbindd_max_protocol(void) return client_max_protocol; } +int lp_client_ipc_min_protocol(void) +{ + int client_ipc_min_protocol = lp__client_ipc_min_protocol(); + if (client_ipc_min_protocol == PROTOCOL_DEFAULT) { + client_ipc_min_protocol = lp_client_min_protocol(); + } + if (client_ipc_min_protocol < PROTOCOL_NT1) { + return PROTOCOL_NT1; + } + return client_ipc_min_protocol; +} + +int lp_client_ipc_max_protocol(void) +{ + int client_ipc_max_protocol = lp__client_ipc_max_protocol(); + if (client_ipc_max_protocol == PROTOCOL_DEFAULT) { + return PROTOCOL_LATEST; + } + if (client_ipc_max_protocol < PROTOCOL_NT1) { + return PROTOCOL_NT1; + } + return client_ipc_max_protocol; +} + struct loadparm_global * get_globals(void) { return &Globals;