mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Commit Graph

102787 Commits

Author SHA1 Message Date
Stefan Metzmacher
7e0b9c2f4b CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
e31d8ded95 CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
65d9ab0540 CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
f37f965e23 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
97ee4d82b1 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
9dedf276f0 CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
1c0f927a4e CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values.
We need to use the value the client used in the BIND request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
f56428760a CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values.
We need to use auth_context_id = 1 for authenticated
connections, as old Samba servers (before this patchset)
will use a hardcoded value of 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
ce8d2d6a70 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
69236215a9 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
dc91d35257 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
An alter context can't change the syntax of an existing context,
a new context_id will be used for that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
3fdc4de983 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
0f8d4a50f8 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
28661caa9f CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
6c9a2d3894 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
cd1c7d227f CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
a18a811ce4 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
ab29002ddc CVE-2015-5370: s3:rpc_server: verify presentation context arrays
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
e4fa243aa3 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Jeremy Allison
f74c4c8335 CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
The first pdu is always a BIND.

REQUEST pdus are only allowed once the authentication
is finished.

A simple anonymous authentication is finished after the BIND.
Real authentication may need additional ALTER or AUTH3 exchanges.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
302d927ac2 CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
46436d01da CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
f8aa62d697 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
b4e38e29e8 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
84027af3ab CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
pipe_auth_generic_bind() does all the required checks already
and an explicit DCERPC_AUTH_TYPE_NONE is not supported.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
ca96d57816 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
3f02e04221 CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
2e561921bc CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
574eca7655 CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
a4811d325a CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
712320489d CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
This does much more validation than dcerpc_pull_dcerpc_auth().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
8a6240872c CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
642fe0aa16 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
This simplifies the callers a lot.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
5108d26add CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
All callers should have already checked that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
c0f3f308da CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
0b1656199a CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
All presentation contexts of a connection use the same association group.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
ad6a5cfd2d CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
It's a protocol error if the client doesn't send all fragments of
a request in one go.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
4b6197f08c CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
6b5144c204 CVE-2015-5370: s4:rpc_server: check frag_length for requests
Note this is not the negotiated fragment size, but a hardcoded maximum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
aef225aaca CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
818e09fff2 CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
a30eee5745 CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
Following requests will generate a fault with ACCESS_DENIED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
04e92459a4 CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
ed066b6ca4 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
This basically matches Windows 2012R2, it's not 100%
but it's enough for our raw protocol tests to pass.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
1f7dc721e7 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
f2dbb1c8b6 CVE-2015-5370: s4:rpc_server: don't dereference an empty ctx_list array in dcesrv_alter()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
909538c885 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
BIND is the first pdu, which means the list of contexts is always empty.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
57afdaa79b CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
5cb1250457 CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00
Stefan Metzmacher
cb8e2abe52 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
We should not use one "global" per connection variable to hold the
incoming and outgoing auth_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:30 +02:00