1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

2229 Commits

Author SHA1 Message Date
Volker Lendecke
1bab76223c librpc: Add named_pipe_auth_req_info5->transport
This will serve as a check to make sure that in particular a SAMR
client is really root. This is for example used in get_user_info_18()
handing out a machine password.

The unix domain sockets for NCACN_NP can only be contacted by root,
the "np\" subdirectory for those sockets is root/root 0700.

Connecting to such a socket is done in two situations: First, local
real root processes connecting and smbd on behalf of SMB clients
connecting to \\pipe\name, smbd does become_root() there. Via the
named_pipe_auth_req_info4 smbd hands over the SMB session information
that the RPC server blindly trusts. The session information (i.e. the
NT token) is heavily influenced by external sources like the KDC. It
is highly unlikely that we get a system token via SMB, but who knows,
this is information not fully controlled by smbd.

This is where this additional field in named_pipe_auth_req_info5 makes
a difference: This field is set to NCACN_NP by smbd's code, not
directly controlled by the clients. Other clients directly connecting
to a socket in "np\" is root anyway (only smbd can do become_root())
and can set this field to NCALRPC.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
530fb4fdfb named_pipe_auth.idl: Add "need_idle_server"
Once RPC services are done by individual processes, we need to avoid
recursion between processes:

Any RPC server process will be able to serve multiple client requests
simultaneously, but each request is served in a single-threaded
blocking manner.

For example the netlogon RPC service needs to ask samr for
something. The netlogon->samr connection will initially be handled by
a central dispatcher assigning clients to processes. This dispatcher
needs to know that this connection can't end up in the same process
that originated the request.

With this flag an RPC client can request a samr server process that
exclusively serves its own requests and that will not serve anybody
else while serving netlogon.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
d1934e2331 named_pipe_auth: Bump info4 to info5
We'll add a field soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Stefan Metzmacher
871d672f51 CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
All other fragments blindly inherit it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
2f0bc04afe CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
That makes the callers much simpler and allow better debugging.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
c00e5fc2c6 CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
It's better to see the location that triggered the fault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-09 19:45:34 +00:00
Joseph Sutton
f4ed37ad6a CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
6ec80380dc CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Andrew Bartlett
558f440f20 CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:32 +00:00
Joseph Sutton
aa2e583fde tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Ralph Boehme
3afd4bd610 idl: declare token array of storage_offload_token as in-line
This ensures the order of the struct element is the same as in the IDL
definition. For an conformant array using the [sizeis(n)] syntax the sizeis
member is stored as first element in the marshall buffer.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:32 +00:00
Volker Lendecke
246a5ceab1 netlogon: Move netlogon_server_pipe_state to netlogon.idl
Make this available as a shared structure for both source3 and source4

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:32 +00:00
Volker Lendecke
18cbeab98b librpc: Use talloc_asprintf_addbuf() in dcerpc_binding_string()
Saves quite a few lines

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Volker Lendecke
a767eb55d8 rpc_server3: Avoid a literal number available as a constant
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Volker Lendecke
e2256c99a6 smbd: Make SID_SAMBA_SMB3 a static SID
No need to parse it

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-10-08 19:28:31 +00:00
Volker Lendecke
1e30fad7ee rpc_server: Simplify dcesrv_handle_lookup()
Reduce indentation with a "break;" from the loop, best reviewed with
git show -b

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-24 23:55:32 +00:00
Volker Lendecke
acaa89aac9 rpc_server: Move a type check in dcesrv_handle_lookup()
This check is independent of whether we found a handle or not, we can
do it before walking the handle list.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-24 23:55:32 +00:00
Samuel Cabrero
9c8521848b librpc:core: Add a function to register an interface passing the binding handle
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2021-09-21 10:15:34 +00:00
Joseph Sutton
0092b4a3ed security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
ff2f38fae7 krb5pac.idl: Add ticket checksum PAC buffer type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Volker Lendecke
9857c56256 librpc: Simplify GUID_hexstring()
A temporary talloc context seems unnecessary to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-24 17:32:28 +00:00
Volker Lendecke
0cddd3f2d6 librpc: Simplify GUID_string2() by using GUID_buf_string()
Avoid unnecessary talloc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-24 17:32:28 +00:00
Volker Lendecke
5e2ac224b7 librpc: Simplify GUID_zero() with a direct struct return
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-24 17:32:28 +00:00
Isaac Boukris
17c86a2c5a s3:winbind: Get rid of the winbind dc-connect child
The new code uses PING_DC to tell the child to try to go online.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-07-14 21:06:36 +00:00
Günther Deschner
705f995458 librpc: make sure the 4 byte _pad in ODJ_WIN7BLOB is never 0
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:29 +00:00
Günther Deschner
9963da126b librpc: more work on ODJ IDL
A lot of nested use of serialization stream pointers
([MS-RPCE] 2.2.6 Type Serialization Version 1).

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:29 +00:00
Günther Deschner
91ff058420 librpc: add custom odj_switch_level_from_guid()
This function maintains an arbitrary mapping of GUID strings to
integers. This is required as only integers can be used as
discriminators for autogenerated ODJ unions.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:29 +00:00
Günther Deschner
8ff687863d librpc: compile ODJ idl
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:29 +00:00
Günther Deschner
dc40f23acd librpc: add "Offline Domain Join" (ODJ) IDL
This IDL is based on

https://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/NetMgmt/odj-idl.md

and has been licensed by Microsoft under the terms of the MIT License.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:29 +00:00
Günther Deschner
9cc62b562c librpc/ndr: do not print strings when NDR_SECRET is used
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:29 +00:00
Stefan Metzmacher
8cce23acb9 witness.idl: fix length calculation for witness_IPaddrInfoList
If r->num is 0, we should not dereference r->addr.

Using ndr_size_witness_IPaddrInfoList() also make this much simpler
and avoids the magic 12.

Credit Oss-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22175
REF: https://oss-fuzz.com/testcase-detail/5686294157197312

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14452

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-07-08 09:30:40 +00:00
Andreas Schneider
a8052d70cb librpc:tools: Migrate ndrdump to new cmdline option parser
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-20 23:26:32 +00:00
Andreas Schneider
70a09d2cee librpc:tools: Remove '-l' which conflicts with '-l|--log-basename'
The common cmdline parser already provides '-l'.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-20 23:26:32 +00:00
Andreas Schneider
d6eff9c413 librpc: Make sure num_protocols is initialized
Found by covscan.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Noel Power <npower@samba.org>
2021-06-10 10:31:33 +00:00
Andrew Bartlett
3bc680c1e3 pidl: Avoid leaving array_size NDR tokens around
In many cases these can and should be consumed as soon as
they are used.

This is not a complete fix, we don't clean up the array_size
token after using it split between an NDR_SCALARS and
an NDR_BUFFERS pass, but it is much better than it was
and helps the winbind case with a large number of groups
(eg 100,000) as otherwise we hit the 65535 NDR token limit.

(This is an arbitary Samba-only limit to avoid DoS conditions)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
a7d4f93cfd pidl: Avoid leaving array_length NDR tokens around
In many cases these can and should be consumed as soon as
they are used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
139cca7c20 librpc: Use helper function ndr_get_array_size() in ndr_check_array_size()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
40aabcb5cf librpc: Add const to cookie pointer in ndr_check_array_{size,length}
This pointer is only used to find the right token in the list
so can be declared const.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
c35f4180a4 libndr: Return error code from ndr_token_peek()
This makes it safer to change our code to remove tokens after use
if failing to obtain a token would result in an error.

This means changing ndr_get_array_size() and ndr_get_array_length()
to also return an error code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
0cc4478070 selftest: Add test of NDR marshalling from python, starting with wbint
These patches are to address an issue unpacking a very large
winbind.wbint_Principals array (100,000).

We need the NDR_TOKEN_MAX_LIST_SIZE value exposed as
otherwise a well-meaning incrase of this value would
invalidate the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
e583140e81 spoolss: Avoid indirection via ndr_get_array_size()
This is set in the call just above and otherwise we will (in the next commit)
need an intermediate variable once we need to check error codes from
ndr_get_array_size().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Joseph Sutton
74fb2cc473 krb5ccache.idl: Add definition for a Kerberos credentials cache
Based on specifications found at
https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html

This is primarily designed for parsing and storing a single Kerberos
ticket, due to the limitations of PIDL.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-05-19 01:32:34 +00:00
Volker Lendecke
bad19e208c printing: Introduce samba-bgqd
This is a separate binary executed from start_background_queue(). As
such it does not really gain much, but the idea is to move all the
code this runs out of the smbd and spoolssd binaries to just link
here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-05-11 22:56:37 +00:00
Volker Lendecke
117f00158a auth: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-27 13:24:35 +00:00
Bernd Kuhls
4d5fb7d279 dcesrv_core: fix build
Move include of system/network.h to avoid a build error:

In file included from ../../lib/replace/system/network.h:35,
                 from ../../librpc/rpc/dcesrv_core.c:2658:
usr/include/unistd.h: At top level:
usr/include/unistd.h:675:16: error: conflicting types for ‘geteuid’
  675 | extern __uid_t geteuid (void) __THROW;

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-07 09:18:30 +00:00
Volker Lendecke
4d3b6506d3 librpc: Remove the gensec dependency from library dcerpc-binding
This means yet another library, but having to depend on gensec just
for dcerpc_parse_binding() and basic packet parsing seems like a bit
overkill to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr  6 23:33:14 UTC 2021 on sn-devel-184
2021-04-06 23:33:14 +00:00
Volker Lendecke
8945d99758 rpc: Give dcerpc_util.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-06 22:29:34 +00:00
Volker Lendecke
bbfdf2708e tstream_npa: Return named_pipe_auth_req_info4 from accept_existing
Callers might want the full picture. We need to make
named_pipe_auth_req_info4 public for that.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-01 19:32:36 +00:00
Douglas Bagnall
d1c47d0c83 rpc/idl dnsserver s/DNS_RPC_DATA/DNS_RPC_RECORD_DATA/
Following MS-DNSP.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 30 00:20:53 UTC 2021 on sn-devel-184
2021-03-30 00:20:53 +00:00
Douglas Bagnall
162e6fb25a librpc/idl: dnsp tombstone timestamp name matches MS-DNSP
MS-DNSP uses the term "EntombedTime" in e.g. "2.2.2.2.4.23 DNS_RPC_RECORD_TS"
which is more descriptive than the generic "timestamp", and less likely to be
confused with dwTimestamp, which has been our curse. Let's make it grep-able,
google-able, and evocative.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 23:20:37 +00:00
Volker Lendecke
55dba99895 librpc: Simplify dcerpc_binding_dup() with common nomem handling
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-19 07:09:37 +00:00
Volker Lendecke
9614273aa3 librpc: Make "dcesrv_context->callbacks" a pointer
This structure just grew from 3 to 6 pointers, avoid making a copy of
this. All callers of dcesrv_init_context() have this as a static
struct in the C object, so a pointer to that won't change.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Volker Lendecke
403eabe4fc librpc: Add "private_data" to struct dcesrv_context_callbacks
Not used right now, but we should never have callbacks without a
"private_data" pointer. Some of the callbacks could even today benefit
from this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:31 +00:00
Volker Lendecke
c74213830d librpc: Simplify struct dcesrv_handle
This saves a tiny bit of memory: dom_sid_dup() allocates a full struct
dom_sid, although it might not have to. Save the additional talloc
object and the pointer, be more cache-friendly

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-09 22:36:28 +00:00
Volker Lendecke
dead4d05ab librpc: Fix typos
While there, wrap the long comment lines

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-09 22:36:28 +00:00
Volker Lendecke
b1ba5d5872 librpc: Fix a typo, while there linewrap the comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-09 22:36:28 +00:00
Volker Lendecke
6d1049796f rpc_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-09 22:36:28 +00:00
Stefan Metzmacher
b145434f24 smbXsrv_client: move the connection passing to smb2srv_client_mc_negprot_send/recv
We need a full request/response pair in order to avoid races in
the multichannel connection passing.

smb2srv_client_mc_negprot_send/recv locks the
db record for the given client_guid.

If there's no entry found, we add ourself and
return NT_STATUS_OK.

If there's an existing process for that client guid
we start messaging_filtered_read_send()
dbwrap_watched_watch_send() before calling
smb2srv_client_connection_pass().

Then we release the lock and wait for either
MSG_SMBXSRV_CONNECTION_PASSED to arrive or
retry if dbwrap_watched_watch_recv signaled
a change in the database.

If we got MSG_SMBXSRV_CONNECTION_PASSED we'll
return NT_STATUS_MESSAGE_RETRIEVED in order to
signal that the other process will take care of
the connection and we terminate the current process.

All that is done completely async, which means that
the IDLE_CLOSED_TIMEOUT (60 seconds) may trigger
deadtime_fn(), which will send itself a MSG_SHUTDOWN.
So the process that accepted the tcp connection
exists if there was no MSG_SMBXSRV_CONNECTION_PASSED
within 60 seconds.

However the fd may still exists in the kernel (and
the new connection may still be handed to the other
process. If that process somehow exists before
there's no way to prevent a connection termination
for the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14433

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar  6 03:30:06 UTC 2021 on sn-devel-184
2021-03-06 03:30:06 +00:00
Samuel Cabrero
7d2faa2714 librpc: Lower dcesrv_call_dispatch_local() errors from DBG_ERR to DBG_INFO
Before merging the s3 and s4 RPC servers the rpcint_dispatch function
was not logging any error.

This commit lowers from DBG_ERR to DBG_INFO the importance of error
messages when dispatching local RPC calls. There are some situations
where RPC functions return RPC faults and this is not a fatal condition.
One example is _lsa_QueryInfoPolicy2.

This change prevents a noisy error logged when winbindd tries to connect to
its primary domain in the nt4_member and ad_member test environments:

[2021/03/01 16:49:38.486111,  0, pid=12456] ../../librpc/rpc/dcesrv_core.c:2990(dcesrv_call_dispatch_local)
  dcesrv_call_dispatch_local: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-06 02:20:05 +00:00
Andreas Schneider
a47fdd9ebb libndr: Use better and more clear check for empty flags
warning: converting the result of '<<' to a boolean always evaluates to true [-Wtautological-constant-compare]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-01 21:50:32 +00:00
Volker Lendecke
e14fc159a2 librpc: Simplify find_interface_by_binding()
Use find_interface_by_syntax_id() instead of duplicating the loop.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 28 18:03:53 UTC 2021 on sn-devel-184
2021-01-28 18:03:53 +00:00
Volker Lendecke
ecd95fc55e librpc: Simplify find_interface_by_syntax_id()
Directly use ndr_syntax_id_equal() instead of duplicating it with
interface_match_by_uuid().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
9c1d7632e3 librpc: Convert find_interface_by_uuid to search by syntax_id
All callers manually dissected the syntax id for this API.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
7528b7886b librpc: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
9d512a099a librpc: Simplify dcesrv_check_or_create_context()
Use ndr_syntax_id_buf_string(), avoid a talloc/talloc_free

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
ce91a899a6 librpc: Simplify dcerpc_binding_string()
Make it follow a more conventional memory handling style for reallocs.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
4df6c594c6 librpc: Simplify dcerpc_binding_string()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
08757d213e rpc_server: Introduce "goto nomem;" to dcesrv_endpoint_connect()
Avoid the control-flow changing NT_STATUS_HAVE_NO_MEMORY macro.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
2b9ba992b6 lib: Simplify parse_guid_string() and ndr_syntax_id_from_string()
Return "bool" instead of NTSTATUS, use hex_byte() instead of
read_hex_bytes(). And parse directly into a struct GUID instead of the
components. 99 lines less code.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
fcf60f155a librpc: Simplify dcerpc_binding_set_abstract_syntax()
It might be a question of style, but I find it simpler this way.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
eed1257268 librpc: Use ndr_syntax_id_buf_string() in dcerpc_binding_set_abstract_syntax()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
243ce60212 librpc: Use ndr_syntax_id_buf_string() in dcerpc_sec_vt_pctx_check()
"mem_ctx" is no longer needed

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
a35c8a0ec2 librpc: Add ndr_syntax_id_buf_string()
Same pattern as GUID_buf_string()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
2e3e297b25 librpc: Add a NULL check to dcerpc_binding_build_tower()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
9374313f03 libndr: Simplify ndr_print_GUID()
Fix a small memleak of the tmp GUID_string

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
10d3a1c068 rpc_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:38 +00:00
Volker Lendecke
b4077f7911 librpc: Fix a small memleak in epm_floor_string()
Use GUID_buf_string(), don't leak the output of GUID_string()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:38 +00:00
Volker Lendecke
b417fd1967 rpc_server: Slightly simplify dcesrv_bind()
Factor out dereferencing conn->dce_ctx

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:37 +00:00
Volker Lendecke
ec4850d520 rpc_server: Slightly simplify dcesrv_bind()
We have already dereferenced call->conn in a variable, use that.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:37 +00:00
Volker Lendecke
922b8d18c3 librpc: gen_ndr/dcerpc.h references DATA_BLOB
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
cc01ba1b0e librpc: Align a few integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
ca0104d451 rpc_server: Fix an error path memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
93d387fb6d rpc_server: Avoid a pointless ZERO_STRUCTP
We've done talloc_zero() 4 lines above.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
f9f7aafaeb rpc_server: Move a variable closer to its use
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
83d85833bb rpc_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
08da3439ed librpc: Use GUID_buf_string in dcerpc_binding_string()
Avoid a (small) memleak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 11 14:25:04 UTC 2021 on sn-devel-184
2021-01-11 14:25:04 +00:00
Volker Lendecke
de9b7312f1 librpc: Fix an error path memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Andreas Schneider
8bbe5c8c94 librpc: Add dcerpc helper dcerpc_is_transport_encrypted()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-29 14:19:36 +00:00
Andreas Schneider
56879ec587 idl: Add SID_SAMBA_SMB3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-29 14:19:36 +00:00
Volker Lendecke
79b0829ea2 notify: Remove an unused structure definition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-24 05:57:31 +00:00
Stefan Metzmacher
d08a6b4200 librpc/dcesrv_core: let dcesrv_call_dispatch_local() call context->iface->reply()
This is needed in order to get NDR_PRINT_FUNCTION_DEBUG(..., NDR_OUT) called.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Fri Oct 23 17:24:37 UTC 2020 on sn-devel-184
2020-10-23 17:24:37 +00:00
Stefan Metzmacher
7bd321e71b librpc/dcesrv_core: assert that dcesrv_call_dispatch_local() never gets async.
This is just not supported for now...

We would need a dcesrv_call_dispatch_local_send/recv in order to
support async calls.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2020-10-23 16:02:37 +00:00
Stefan Metzmacher
42e79cee3d librpc/dcesrv_core: make use of dcerpc_fault_to_nt_status() in dcesrv_call_dispatch_local()
The caller wants to get a useful NTSTATUS instead of a generic
NT_STATUS_NET_WRITE_FAULT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2020-10-23 16:02:37 +00:00
Stefan Metzmacher
7c8a7e8a15 librpc/dcesrv_core: move two rpcint_dispatch() copies into dcesrv_call_dispatch_local()
We only need this function once, so that we need to fix bugs only once...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2020-10-23 16:02:37 +00:00
Stefan Metzmacher
493f5d6b07 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
This must only be used between winbindd parent and child!
It must not leak into outside world.

Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.

This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-10-23 03:25:37 +00:00
Stefan Metzmacher
1576421dbd winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint
This makes it clear that it's a hint from the parent to the
child.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-10-23 03:25:35 +00:00
Douglas Bagnall
302098c325 rpc: avoid undefined behaviour when parsing bindings
If the binding string ends with "[", we were setting options to an
empty string, then asking for 'options[strlen(options)-1]', which
UBSan dosn't like because the offset evaluates to (size_t)0xFFFFF...
causing pointer overflow.

I believe this is actually well defined in practice, but we don't want
to be in the habit of leaving sanitiser warnings in code parsing
untrusted strings.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-23 03:25:35 +00:00
Amitay Isaacs
4cd195aafe libndr: Avoid assigning duplicate versions to symbols
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14541

Symbols _ndr_push_error and _ndr_pull_error keep getting redefined as
they are included without wildcard in abi_match.  Apparently on linux ld
does not complain about duplicate symbols, but on freebsd ld fails to
link with following error:

  [ 918/3912] Linking bin/default/librpc/libndr.so
  ld: error: duplicate symbol '_ndr_pull_error' in version script
  ld: error: duplicate symbol '_ndr_push_error' in version script
  clang: error: linker command failed with exit code 1 (use -v to see invocation)

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-10-22 16:05:30 +00:00
Björn Jacke
40a4dd2862 spoolss.idl: remove obviously bogous PROCESSOR_ARM 0 define
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Oct 17 10:46:12 UTC 2020 on sn-devel-184
2020-10-17 10:46:12 +00:00
Björn Jacke
38391ccc5d printing/spoolss: add ARM64 support
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-17 09:22:31 +00:00
Björn Jacke
ca1a301461 spoolss.idl: add spoolss architecture defines, that we require
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-17 09:22:31 +00:00
Björn Jacke
9212357236 spoolss.idl: add some missing processor defines
information from wine's winnt.h

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-17 09:22:31 +00:00
Björn Jacke
9b6e2393f7 spoolss.idl: add some missing PROCESSOR_ARCHITECTURE defines
information from wine's winnt.h and MSDN

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-17 09:22:31 +00:00
Volker Lendecke
29e3c0cdb7 librpc: Use GUID_to_ndr_buf() in GUID_to_ndr_blob()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:33 +00:00
Volker Lendecke
bbb017637e librpc: Add GUID_to_ndr_buf()
Avoids talloc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:33 +00:00
Volker Lendecke
5a143c0931 lib: Avoid a use of includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:33 +00:00
Matthew DeVore
232054c09b lib/util: remove extra safe_string.h file
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.

Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
2020-08-28 02:18:40 +00:00
Douglas Bagnall
fc83b47051 libprc/test: add pull_string_array large array test
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Aug  7 04:44:17 UTC 2020 on sn-devel-184
2020-08-07 04:44:17 +00:00
Douglas Bagnall
bf16cd72b2 ndr: fix ndr_pull_string_array() off by one alloc
The correct line should have been

       talloc_realloc(ndr->current_mem_ctx, a, const char *, count + 2);

because if the loop does not increment count on exit (it exits via
break), so count is left pointing at the thing that just got put in.
i.e., if there was one item it is at a[0], count is 0, but we also
need the trailing NULL byte at a[1] and the length is 2. Thus + 2, not
+ 1.

This will not affect ordinary (that is, non-malicious) traffic,
because talloc_realloc will not actually realloc unless it is saving a
kilobyte. Since the allocation grows slowly with the exponent ~1.25,
the actual reallocs will start happening at some point between 512 and
1024 items.

In the example we have, there were 666 pointers, and space for 824 was
allocated.

Rather than doing the +2 realloc, it is simpler to leave it off
altogether; in the common case (<512 items) it is a no-op anyway, and
in the best possible case it reduces the temporary array by 20%.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24646

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-07 03:23:44 +00:00
Douglas Bagnall
9148f38c20 ndr: avoid excessive reallocing in pull_string_array
Before, talloc_realloc() was being called n times for an array of
length n. This could be very expensive on long string arrays since it
is reasonable to assume each realloc moves O(n) bytes.

This addresses at least one OSS-Fuzz bug, making a timing out test case
100 times faster. Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19706

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-03 02:51:35 +00:00
Douglas Bagnall
9bf331b46a ndr: maintain proper talloc tree in pull_string_array
We don't want to leave other parts of the ndr struct hanging off this
string array just because LIBNDR_FLAG_REMAINING is used.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-03 02:51:35 +00:00
Douglas Bagnall
cc3a67760c CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").

This retains the logic of e6e2ec0001.

Also DNS compression cannot be turned off for NBT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
c3fa8ada43 CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
As per RFC 1035.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
51a4571849 CVE-2020-10745: ndr_dns: do not allow consecutive dots
The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
bb63737905 CVE-2020-10745: ndr/dns_utils: correct a comment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
601e8a3f69 CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
bc896d7529 CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
These time the push and pull function in isolation.

Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Samuel Cabrero
72f73efd7f librpc: core: Move the s4 handles implementation to the RPC server core
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-24 23:55:36 +00:00
Andrew Bartlett
87bf1d687f librpc/idl: Add dnsp_DnsProperty_short
This will be used by a test and the DNS server code to parse short dnsProperty
records which come from Windows servers.

This example is from the value that caused Samba to fail as it
can not be parsed as a normal dnsp_DnsProperty

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-05-15 06:05:30 +00:00
Gary Lockyer
13a2f70a4d Fix clang 9 missing-field-initializer warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-08 09:31:31 +00:00
Volker Lendecke
1814c14f71 librpc: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-05-05 11:48:39 +00:00
Andrew Bartlett
ae5cb7346b librpc: Provide clearer debug messages for malformed DCE/RPC bind
REF: https://lists.samba.org/archive/samba/2020-April/229334.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-04-29 06:29:31 +00:00
Samuel Cabrero
03f79a3bd7 s3:rpc_server: Improve local dispatching
Craft core structures to dispatch local calls in the same way as remote
ones, removing the special handling in the autogenerated code.

This is also necessary to drop s3 rpc handles implementation.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  8 22:23:05 UTC 2020 on sn-devel-184
2020-04-08 22:23:05 +00:00
Samuel Cabrero
bce570cfd7 spoolss: Add NCALRPC endpoint
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-04-08 20:48:28 +00:00
Samuel Cabrero
34240fd4e8 librpc:core: Make find_interface_by_uuid public
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-04-08 20:48:28 +00:00
Stefan Metzmacher
cefa9be9d7 librpc/tests: make use of replace.h in test_ndr*.c
This fixes the build on FreeBSD 12.1 and maybe other systems.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-27 09:02:37 +00:00
Douglas Bagnall
c680daae6a idl/drsblobs: do not overwrite number of schedules == 1
If the struct has zero or two schedules, that is what it has, and we
should let that be.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Mar 22 06:19:51 UTC 2020 on sn-devel-184
2020-03-22 06:19:51 +00:00
Samuel Cabrero
e8e4ecfb8b s3:rpc_server: Do not generate and build s3 RPC server code
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-20 15:36:36 +00:00
Samuel Cabrero
42a7e7bcad pidl:NDR/ServerCompat: Generate local dispatching function
To be used in rpcint_binding_handle, prepare to remove legacy api_struct
and S3 pidl generated code.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-20 15:36:35 +00:00
Samuel Cabrero
1903467014 pidl:NDR/ServerCompat: Compat server PIDL parser
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-20 15:36:31 +00:00
Günther Deschner
ebda529b59 librpc: fix IDL for svcctl_ChangeServiceConfigW
Found while trying to run winexe against Windows Server 2019.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14313

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-09 15:00:31 +00:00
Günther Deschner
c3fa0b2df9 s4-torture: add ndr svcctl testsuite
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14313

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-03-09 15:00:31 +00:00
Gary Lockyer
575d39048e idl: limit recurion on recursive elements
Limit the max_recursion on self recursive definitions in the idl to
20,000. This value is hopefully large eneough to not impact normal
operation, but small eneough to prevent stack over flow issues.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 27 02:29:21 UTC 2020 on sn-devel-184
2020-02-27 02:29:20 +00:00
Gary Lockyer
2f8c3b6226 idl: drsuapi_DsaAddressListItem_V1 limit recursion
Limit number of drsuapi_DsaAddressListItem_V1 elements to 1024

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-27 01:02:32 +00:00
Gary Lockyer
ba518a1deb librpc ndr: add recursion check macros
Add macros to check the recursion depth.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19280
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-27 01:02:32 +00:00
Andreas Schneider
7ab1156b1e librpc:ndr: Remove byteorder.h from libndr.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-21 02:09:33 +00:00
Andreas Schneider
5268c83a48 librpc:ndr: Use bytearray.h in ndr_basic.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-21 02:09:33 +00:00
Gary Lockyer
91d4e79c27 librpc ndr: Change loop index to size_t
Change the loop index in ndr_check_padding to size_t.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
14182350f8 librpc ndr: ndr_pull_advance check for unsigned overflow.
Handle uint32 overflow in ndr_pull_advance

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
d1277f4d02 librpc ndr tests: Unsigned overflow in ndr_pull_advance
Check that uint32 overflow is handled correctly by ndr_pull_advance.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
6d05fb3ea7 librpc ndr: NDR_PULL_ALIGN check for unsigned overflow
Handle uint32 overflow in NDR_PULL_ALIGN

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
46edde8647 librpc ndr tests: uint32 overflow in NDR_PULL_ALIGN
Check that uint32 overflow is handled correctly by NDR_NEED_BYTES.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
ae6927e4f0 librpc ndr: Heap-buffer-overflow in lzxpress_decompress
Reproducer for oss-fuzz Issue 20083

Project: samba
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz_ndr_drsuapi_TYPE_OUT
Job Type: libfuzzer_asan_samba
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6040000002fd
Crash State:
  lzxpress_decompress
    ndr_pull_compression_xpress_chunk
      ndr_pull_compression_start

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Volker Lendecke
a0b967ec15 librpc: Use PRIu32 printf specifiers
Both values printed are uint32_t's

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Volker Lendecke
4864a4bb96 librpc: Use the MAX() macro where appropriate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Volker Lendecke
7b5edaebce librpc: Fix a gcc warning
gcc does not like const before static

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Günther Deschner
75367e4b06 librpc: add clusapi_GroupSetControlCode enum
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 16 21:34:27 UTC 2020 on sn-devel-184
2020-01-16 21:34:27 +00:00
Günther Deschner
8dca8aaf95 librpc: add various new clusapi functions and types
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-16 20:09:42 +00:00
Volker Lendecke
5394885167 smbd: Add close-denied-share message
This is like close-share, but kicks out only active users where share
access controls are changed such that now access would be denied

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-15 21:25:35 +00:00
Gary Lockyer
86a31defbf ndr basic: Check ndr_token_store return code
Fix for

*** CID 1457529:  Error handling issues  (CHECKED_RETURN)
/librpc/ndr/ndr_basic.c: 786 in ndr_push_full_ptr()
...
ID 1457529:  Error handling issues  (CHECKED_RETURN)
    Calling "ndr_token_store" without checking return value (as is done
    elsewhere 14 out of 17 times).

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Jan  9 21:49:00 UTC 2020 on sn-devel-184
2020-01-09 21:49:00 +00:00