IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This is needed in order to get NDR_PRINT_FUNCTION_DEBUG(..., NDR_OUT) called.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Fri Oct 23 17:24:37 UTC 2020 on sn-devel-184
This is just not supported for now...
We would need a dcesrv_call_dispatch_local_send/recv in order to
support async calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
The caller wants to get a useful NTSTATUS instead of a generic
NT_STATUS_NET_WRITE_FAULT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
We only need this function once, so that we need to fix bugs only once...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
This must only be used between winbindd parent and child!
It must not leak into outside world.
Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.
This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This makes it clear that it's a hint from the parent to the
child.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
If the binding string ends with "[", we were setting options to an
empty string, then asking for 'options[strlen(options)-1]', which
UBSan dosn't like because the offset evaluates to (size_t)0xFFFFF...
causing pointer overflow.
I believe this is actually well defined in practice, but we don't want
to be in the habit of leaving sanitiser warnings in code parsing
untrusted strings.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14541
Symbols _ndr_push_error and _ndr_pull_error keep getting redefined as
they are included without wildcard in abi_match. Apparently on linux ld
does not complain about duplicate symbols, but on freebsd ld fails to
link with following error:
[ 918/3912] Linking bin/default/librpc/libndr.so
ld: error: duplicate symbol '_ndr_pull_error' in version script
ld: error: duplicate symbol '_ndr_push_error' in version script
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Oct 17 10:46:12 UTC 2020 on sn-devel-184
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.
Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.
Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Aug 7 04:44:17 UTC 2020 on sn-devel-184
The correct line should have been
talloc_realloc(ndr->current_mem_ctx, a, const char *, count + 2);
because if the loop does not increment count on exit (it exits via
break), so count is left pointing at the thing that just got put in.
i.e., if there was one item it is at a[0], count is 0, but we also
need the trailing NULL byte at a[1] and the length is 2. Thus + 2, not
+ 1.
This will not affect ordinary (that is, non-malicious) traffic,
because talloc_realloc will not actually realloc unless it is saving a
kilobyte. Since the allocation grows slowly with the exponent ~1.25,
the actual reallocs will start happening at some point between 512 and
1024 items.
In the example we have, there were 666 pointers, and space for 824 was
allocated.
Rather than doing the +2 realloc, it is simpler to leave it off
altogether; in the common case (<512 items) it is a no-op anyway, and
in the best possible case it reduces the temporary array by 20%.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24646
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Before, talloc_realloc() was being called n times for an array of
length n. This could be very expensive on long string arrays since it
is reasonable to assume each realloc moves O(n) bytes.
This addresses at least one OSS-Fuzz bug, making a timing out test case
100 times faster. Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19706
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't want to leave other parts of the ndr struct hanging off this
string array just because LIBNDR_FLAG_REMAINING is used.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").
This retains the logic of e6e2ec0001.
Also DNS compression cannot be turned off for NBT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These time the push and pull function in isolation.
Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This will be used by a test and the DNS server code to parse short dnsProperty
records which come from Windows servers.
This example is from the value that caused Samba to fail as it
can not be parsed as a normal dnsp_DnsProperty
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Craft core structures to dispatch local calls in the same way as remote
ones, removing the special handling in the autogenerated code.
This is also necessary to drop s3 rpc handles implementation.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 8 22:23:05 UTC 2020 on sn-devel-184
This fixes the build on FreeBSD 12.1 and maybe other systems.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
If the struct has zero or two schedules, that is what it has, and we
should let that be.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Mar 22 06:19:51 UTC 2020 on sn-devel-184
To be used in rpcint_binding_handle, prepare to remove legacy api_struct
and S3 pidl generated code.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Found while trying to run winexe against Windows Server 2019.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14313
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Limit the max_recursion on self recursive definitions in the idl to
20,000. This value is hopefully large eneough to not impact normal
operation, but small eneough to prevent stack over flow issues.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 27 02:29:21 UTC 2020 on sn-devel-184
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 16 21:34:27 UTC 2020 on sn-devel-184
This is like close-share, but kicks out only active users where share
access controls are changed such that now access would be denied
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Fix for
*** CID 1457529: Error handling issues (CHECKED_RETURN)
/librpc/ndr/ndr_basic.c: 786 in ndr_push_full_ptr()
...
ID 1457529: Error handling issues (CHECKED_RETURN)
Calling "ndr_token_store" without checking return value (as is done
elsewhere 14 out of 17 times).
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Jan 9 21:49:00 UTC 2020 on sn-devel-184
The new macros allow the same macro convenience for enum functions without
level discriminator.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The charset determination makes it more difficult to deal with the real
REG_MULTI_SZ nature of that element.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This simply matches the behaviour from before e7b1acaddf
when the logic for a trailing . was added. This matches what is added in
the dnsRecord attribute for a name of "." over the dnsserver RPC
management interface and is based on what Windows does for that name
in (eg) an MX record.
No a security bug because we use talloc and so name will be just the
end of the talloc header.
Credit to OSS-Fuzz
Found using the fuzz_ndr_X fuzzer
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Dec 20 11:33:52 UTC 2019 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 20 09:01:30 UTC 2019 on sn-devel-184
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 18 08:05:05 UTC 2019 on sn-devel-184
We need to focus the fuzzing effort on reachable code, and these IDL
are just historical artifacts, many are entirely [todo] and have
no samba client nor server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Credit to OSS-Fuzz
Found using the ndr_fuzz_X target.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This breaks the ABI so we merge this into the unreleased libndr-1.0.0.
The advantage of the new functions is there (except for print, which
is unchanged) is an error raised when the token is not found, so
we can be confident in the changes to the token behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 12 03:56:23 UTC 2019 on sn-devel-184
By removing this we know we do not need to worry about this list
growing without bounds. We merge this into the recently created but
not yet released ABI 1.0.0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
By removing this we know we do not need to worry about this list
growing without bounds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This avoids really long token lists for switch values
that will not be needed past this point.
The function name is changed to clarify what exactly is being
done here, and the old function is removed to ensure it is
not being used anywhere else.
Merge the removal of ndr_print_get_switch_value into
just-tagged librpc/ABI/ndr-1.0.0.sigs as this
has not been put into any release yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This will allow generated code to instead push and pop union values onto the
switch_list stack, which is more memory efficient than creating a single large
list to be scannned and eventually discarded.
Merge into unreleased ABI 1.0.0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This is designed to stop a very large number of tokens from being stored for
arrays of structures containing relative pointers in particular.
This was one part of the minimum patch for CVE-2019-14908 before
being downgraded as not a security-release worthy issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This was one part of the minimum patch for CVE-2019-14908 before
being downgraded as not a security-release worthy issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
The next commits will register legacy api_struct when the endpoint server
is initialized. This commit adds a shutdown function which will be used
to unregister the legacy api_struct.
The shutdown function will be also used to replace the rpc_srv_callbacks
struct shutdown member used, for example, by the spoolss service to
cleanup before exiting.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Clears all registered endpoints and interfaces, association groups and
broken connections.
To be used by S3 forked daemons.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The dcesrv_init_registered_ep_servers() will be used by the S3 server to
initialize all registered endpoint servers (for embedded services), and
the dcesrv_init_ep_server() function will be used by the external
daemons to initialize the required ones.
As serveral S3 services may require to initialize another one before
itself (svcctl and eventlog for example require winreg) a boolean flag is
added to track the initialization status.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The S4 server will initialize the endpoint servers specified in smb.conf,
but the S3 server need to initialize all registered endpoint servers (the
embedded ones).
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There are two concerns here, assuming the attacker can place arbitary values
in a dnsProperty attribute over LDAP (eg is a DNS administrator).
This comes from the fact that id is used as the switch value at the C layer
but at the NDR layer the wDataLength value is considered first.
One concern is that a pull/push round-trip could include server memory:
The previous switch_is() behaviour could store the server memory back
into the attribute.
However this pattern of pull/push only happens in ndrdump and fuzzing tools, as
dnsserver_db_do_reset_dword() operates only on the uint32/bitmap union
arms, and fully initialises those.
The other is that a pull of the attacker-supplied value could
cause the server to expose memory.
This would be over the network via DNS or the RPC dnsserver protocols.
However at all times the ndr_pull_struct_blob is passed zeroed memory.
The final concern (which fuzz_ndr_X found) is that in the ndr_size_dnsPropertyData()
the union descriminent is only id.
This has no impact as only zeroed memory is used so there will be a
zero value in all scalars, including data->d_ns_servers.AddrArray.
Therefore the server will not crash processing the attacker-supplied blob
[MS-DNSP] 2.3.2.1 dnsProperty has no mention of this special behaviour.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/445c7843-e4a1-4222-8c0f-630c230a4c80
This was known as CVE-2019-14908 before being triaged back to a normal bug.
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X fuzzer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14206
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This NDR fuzzer links with each "interface" in the IDL files to
create avsingle binary. This tries to matches what the fuzzing
engines desire.
It started as a copy of ndrdump but very little of that remains
in place.
The fancy build rules try to avoid needing a lof of boilerplate
in the wscript_build files and ensure new fuzzers are generated
and run when new IDL is added automatically.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is not a security issue as it only happens when printing the structure
during debugging, not normal production.
Found by Michael Hanselmann using an NDR fuzzer and Hongfuzz.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Without this protection we will spin during decode of a string_array or nstring_array
that is terminated by only a single NUL byte, not two as required by UTF-16.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13874
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Tests to ensure that ndr_pull_string handles zero and one byte length
data correctly for both character strings and UTF-16 strings.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13874
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This avoids ending a failed parse with 'dump OK'
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This function is not just unused, it is a problem because there is no
enforced connection between r->ab.length and r->cbData.
The last caller was removed in the previous commit.
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
We can do this because ndr_{pull,push}_CFDATA is unused.
The earlier commit 466d5e8147 removed
the link between "uint16 cbData" and the size of "DATA_BLOB ab" so
when the new ndr_fuzz_X fusser pushed a new structure this allowed
a read beyond the end of allocated memory.
The ndr_push_cab_file() function is also manually written and
does not rely on the value of cbData to calculate the checksum.
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer, which like ndrdump's struct mode uses the public structure
tables. (This is how it found the unused functions to test).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This allows ndrdump --validate to avoid following a NULL pointer when re-pushing
a valid but unusual input.
It also avoids an issue if the Samba server code were to provide a response
without an EncryptedRandomSessionKey.
At this stage ntlmssp.idl is not used for this, instead the packets are
generated with msrpc_gen().
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 20 06:06:29 UTC 2019 on sn-devel-184
When there is no data we still need to allocate for the terminating NULL.
Found by Michael Hanselmann using Honggfuzz and an fuzzer for Samba's
NDR layer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13875
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This may assist in distinguishing between "runner" and "pull" failures.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
It has become customary to provide reproduction steps for fuzzing failures
in terms of an ndrdump command line. This allows the input to be provided
as a argument or in a file rather than via base64 -d. This makes reproducing
the issue easier as everything can be put in a plaintext bug report.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This allows us to learn if there are other memory leaks not on the mem_ctx
during the processing of the packet.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
There were two duplicate implementations of packet dumping just for the s4 RPC server!
This unifies them and makes them easier to find because they are not triggered
from the generated server stub any more.
The behaviour have unified on setting "dcesrv:stubs directory" and
being compiled with --enable-developer.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 20 02:14:56 UTC 2019 on sn-devel-184
This should aid in debugging NDR parse failures.
Use the ABI bump to again exclude ndr_table_misc incorrectly
added in ABI 0.2.1.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov 19 14:47:46 UTC 2019 on sn-devel-184
It is important that the generated print function checks r->messages
before de-referencing r->messages[num] as r->num can be non-zero
while r->messages is NULL.
There is not witness server in Samba and print functions are only
used during debugging and ndrdump in any case.
The change in the IDL does not change the header and the IDL
function is already nopull,nopush so only the print function changes.
Found by Douglas Bagnall using Honggfuzz and a new fuzzer for
Samba's NDR layer.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Sun Nov 17 23:54:11 UTC 2019 on sn-devel-184
These make much more sense than the NTSTATUS values they can be forced
to map to.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This requires that misc.GUID not move in the IDL, so a comment is added.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
We were finding a function that happened to have the same ordinal
number.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This avoids a race with file_exist() and demostrates a better
way to use this function.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 15 18:48:27 UTC 2019 on sn-devel-184
The source3 RPC server will do a lookup by GUID and should
not be returned a table for a zero GUID.
Thankfully such a pipe would also need to have been registered
but regardless this is not a determinsitic result so should
be avoided.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The function or struct number should be >= 0 ans the underlying
number it is compared to is uint32_t.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov 13 01:55:33 UTC 2019 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-progammed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This allows ndrdump to dump many more public structures because most
of these are not in files with a UUID as they are not RPC protocols.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-progammed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This helps ndrdump find public structures to dump
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is just a list of event IDs, there are no structures to parse.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-progammed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
If a data stream fails to parse as an NDR object, the default ndrdump
action is to try to print those structures anyway, resulting perhaps in
a NULL dereference. Sometimes you don't want to see that because it isn't
very interesting and makes it harder to distinguish a crash in the parse
routines. So --stop-on-parse-failure will skip the print and validate
stages altogether if the parse failed.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
This helps generate fuzzers for this IDL.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Will be used from s3 implementation when a connection is passed to other
process where a particular association group was created.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 18 17:30:39 UTC 2019 on sn-devel-184
This function will be public and available for s3 and s4 implementations.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The S3 implementation needs to reinit the dcesrv_context and free the
endpoints list with their registered interfaces.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Next commits will move the core of s4 rpc server to this library.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Split the common bits of dcerpc_generic_session_key to librpc and rename
client the specific part to dcecli_generic_session_key.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We do not have a server for this DCOM component so do not generate
the code for it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We do not have a server for the Win32 Time Server so do not generate
the code for it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We do not have a client or server for this DCOM component so do not generate
the code for it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We do not have a source4 varient of the dfs server, so do not generate
the code for it.
DFS is very closely tied to SMB so we use the DFS server in
smbd.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We do not have a source3 varient of the unixinfo server, so do not generate
the code for it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
