1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

2018 Commits

Author SHA1 Message Date
Douglas Bagnall
cc3a67760c CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").

This retains the logic of e6e2ec0001.

Also DNS compression cannot be turned off for NBT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
c3fa8ada43 CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
As per RFC 1035.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
51a4571849 CVE-2020-10745: ndr_dns: do not allow consecutive dots
The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
bb63737905 CVE-2020-10745: ndr/dns_utils: correct a comment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
601e8a3f69 CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
bc896d7529 CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
These time the push and pull function in isolation.

Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Samuel Cabrero
72f73efd7f librpc: core: Move the s4 handles implementation to the RPC server core
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-24 23:55:36 +00:00
Andrew Bartlett
87bf1d687f librpc/idl: Add dnsp_DnsProperty_short
This will be used by a test and the DNS server code to parse short dnsProperty
records which come from Windows servers.

This example is from the value that caused Samba to fail as it
can not be parsed as a normal dnsp_DnsProperty

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-05-15 06:05:30 +00:00
Gary Lockyer
13a2f70a4d Fix clang 9 missing-field-initializer warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-08 09:31:31 +00:00
Volker Lendecke
1814c14f71 librpc: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-05-05 11:48:39 +00:00
Andrew Bartlett
ae5cb7346b librpc: Provide clearer debug messages for malformed DCE/RPC bind
REF: https://lists.samba.org/archive/samba/2020-April/229334.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-04-29 06:29:31 +00:00
Samuel Cabrero
03f79a3bd7 s3:rpc_server: Improve local dispatching
Craft core structures to dispatch local calls in the same way as remote
ones, removing the special handling in the autogenerated code.

This is also necessary to drop s3 rpc handles implementation.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  8 22:23:05 UTC 2020 on sn-devel-184
2020-04-08 22:23:05 +00:00
Samuel Cabrero
bce570cfd7 spoolss: Add NCALRPC endpoint
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-04-08 20:48:28 +00:00
Samuel Cabrero
34240fd4e8 librpc:core: Make find_interface_by_uuid public
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-04-08 20:48:28 +00:00
Stefan Metzmacher
cefa9be9d7 librpc/tests: make use of replace.h in test_ndr*.c
This fixes the build on FreeBSD 12.1 and maybe other systems.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-27 09:02:37 +00:00
Douglas Bagnall
c680daae6a idl/drsblobs: do not overwrite number of schedules == 1
If the struct has zero or two schedules, that is what it has, and we
should let that be.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Mar 22 06:19:51 UTC 2020 on sn-devel-184
2020-03-22 06:19:51 +00:00
Samuel Cabrero
e8e4ecfb8b s3:rpc_server: Do not generate and build s3 RPC server code
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-20 15:36:36 +00:00
Samuel Cabrero
42a7e7bcad pidl:NDR/ServerCompat: Generate local dispatching function
To be used in rpcint_binding_handle, prepare to remove legacy api_struct
and S3 pidl generated code.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-20 15:36:35 +00:00
Samuel Cabrero
1903467014 pidl:NDR/ServerCompat: Compat server PIDL parser
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-20 15:36:31 +00:00
Günther Deschner
ebda529b59 librpc: fix IDL for svcctl_ChangeServiceConfigW
Found while trying to run winexe against Windows Server 2019.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14313

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-09 15:00:31 +00:00
Günther Deschner
c3fa0b2df9 s4-torture: add ndr svcctl testsuite
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14313

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-09 15:00:31 +00:00
Gary Lockyer
575d39048e idl: limit recurion on recursive elements
Limit the max_recursion on self recursive definitions in the idl to
20,000. This value is hopefully large eneough to not impact normal
operation, but small eneough to prevent stack over flow issues.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 27 02:29:21 UTC 2020 on sn-devel-184
2020-02-27 02:29:20 +00:00
Gary Lockyer
2f8c3b6226 idl: drsuapi_DsaAddressListItem_V1 limit recursion
Limit number of drsuapi_DsaAddressListItem_V1 elements to 1024

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-27 01:02:32 +00:00
Gary Lockyer
ba518a1deb librpc ndr: add recursion check macros
Add macros to check the recursion depth.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19280
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-27 01:02:32 +00:00
Andreas Schneider
7ab1156b1e librpc:ndr: Remove byteorder.h from libndr.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-21 02:09:33 +00:00
Andreas Schneider
5268c83a48 librpc:ndr: Use bytearray.h in ndr_basic.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-21 02:09:33 +00:00
Gary Lockyer
91d4e79c27 librpc ndr: Change loop index to size_t
Change the loop index in ndr_check_padding to size_t.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
14182350f8 librpc ndr: ndr_pull_advance check for unsigned overflow.
Handle uint32 overflow in ndr_pull_advance

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
d1277f4d02 librpc ndr tests: Unsigned overflow in ndr_pull_advance
Check that uint32 overflow is handled correctly by ndr_pull_advance.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
6d05fb3ea7 librpc ndr: NDR_PULL_ALIGN check for unsigned overflow
Handle uint32 overflow in NDR_PULL_ALIGN

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
46edde8647 librpc ndr tests: uint32 overflow in NDR_PULL_ALIGN
Check that uint32 overflow is handled correctly by NDR_NEED_BYTES.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
ae6927e4f0 librpc ndr: Heap-buffer-overflow in lzxpress_decompress
Reproducer for oss-fuzz Issue 20083

Project: samba
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz_ndr_drsuapi_TYPE_OUT
Job Type: libfuzzer_asan_samba
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6040000002fd
Crash State:
  lzxpress_decompress
    ndr_pull_compression_xpress_chunk
      ndr_pull_compression_start

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Volker Lendecke
a0b967ec15 librpc: Use PRIu32 printf specifiers
Both values printed are uint32_t's

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Volker Lendecke
4864a4bb96 librpc: Use the MAX() macro where appropriate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Volker Lendecke
7b5edaebce librpc: Fix a gcc warning
gcc does not like const before static

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Günther Deschner
75367e4b06 librpc: add clusapi_GroupSetControlCode enum
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 16 21:34:27 UTC 2020 on sn-devel-184
2020-01-16 21:34:27 +00:00
Günther Deschner
8dca8aaf95 librpc: add various new clusapi functions and types
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-16 20:09:42 +00:00
Volker Lendecke
5394885167 smbd: Add close-denied-share message
This is like close-share, but kicks out only active users where share
access controls are changed such that now access would be denied

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-15 21:25:35 +00:00
Gary Lockyer
86a31defbf ndr basic: Check ndr_token_store return code
Fix for

*** CID 1457529:  Error handling issues  (CHECKED_RETURN)
/librpc/ndr/ndr_basic.c: 786 in ndr_push_full_ptr()
...
ID 1457529:  Error handling issues  (CHECKED_RETURN)
    Calling "ndr_token_store" without checking return value (as is done
    elsewhere 14 out of 17 times).

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Jan  9 21:49:00 UTC 2020 on sn-devel-184
2020-01-09 21:49:00 +00:00
Günther Deschner
c433dac598 librpc: pidlify spoolss_EnumPerMachineConnections
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-08 23:51:31 +00:00
Günther Deschner
c9bebbcc46 librpc/ndr: provide infrastructure for NDR_SPOOLSS_{PUSH|PULL}_ENUM macros
The new macros allow the same macro convenience for enum functions without
level discriminator.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-08 23:51:31 +00:00
Günther Deschner
1038613878 librpc: better naming for NDR_SPOOLSS_{PUSH|PULL}_ENUM variants
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-08 23:51:30 +00:00
Günther Deschner
479cf55397 librpc: add IDL for spoolss_EnumPerMachineConnections
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-08 23:51:30 +00:00
Günther Deschner
e17c8e1b40 librpc: fix IDL for spoolss_GetCorePrinterDrivers()
The charset determination makes it more difficult to deal with the real
REG_MULTI_SZ nature of that element.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-08 23:51:30 +00:00
Andrew Bartlett
a85d257c1e librpc: Do not access name[-1] trying to push "" into a dnsp_name
This simply matches the behaviour from before e7b1acaddf
when the logic for a trailing . was added.  This matches what is added in
the dnsRecord attribute for a name of "." over the dnsserver RPC
management interface and is based on what Windows does for that name
in (eg) an MX record.

No a security bug because we use talloc and so name will be just the
end of the talloc header.

Credit to OSS-Fuzz

Found using the fuzz_ndr_X fuzzer

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Dec 20 11:33:52 UTC 2019 on sn-devel-184
2019-12-20 11:33:52 +00:00
Andreas Schneider
b28d1dca86 librpc: Add test for ndr_string_length()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 20 09:01:30 UTC 2019 on sn-devel-184
2019-12-20 09:01:30 +00:00
Andreas Schneider
f11e207e01 librpc: Fix string length checking in ndr_pull_charset_to_null()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14219

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-20 07:35:41 +00:00
Andrew Bartlett
ad9a81c6a9 librpc: Move winstation.idl to the top level and exclude from fuzzing
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 18 08:05:05 UTC 2019 on sn-devel-184
2019-12-18 08:05:05 +00:00
Andrew Bartlett
5eac5813cc lib/fuzzing and librpc: Do not generate fuzzers for pointless targets
We need to focus the fuzzing effort on reachable code, and these IDL
are just historical artifacts, many are entirely [todo] and have
no samba client nor server.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-18 06:39:26 +00:00
Andrew Bartlett
0e651b4508 librpc: Fix manually written printer for drsuapi_DsAttributeValue
Credit to OSS-Fuzz

Found using the ndr_fuzz_X target.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-18 06:39:26 +00:00