samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-03-01 04:58:35 +03:00

Author	SHA1	Message	Date
Stefan Metzmacher	d249ce6fcd	CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:37 +02:00
Stefan Metzmacher	0e26f3ce2f	CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:36 +02:00
Stefan Metzmacher	6ed0ef77ae	CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid Following requests will generate a fault with ACCESS_DENIED. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:36 +02:00
Stefan Metzmacher	615019f103	CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:36 +02:00
Stefan Metzmacher	e0b58a1514	CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter() The basically matches Windows 2012R2, it's not 100% but it's enough for our raw protocol tests to pass. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:36 +02:00
Stefan Metzmacher	cf0a93910d	CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:36 +02:00
Stefan Metzmacher	f0d318ffee	CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:36 +02:00
Stefan Metzmacher	6228c5336b	CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind() BIND is the first pdu, which means the list of contexts is always empty. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:36 +02:00
Stefan Metzmacher	a7d02ecba7	CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:35 +02:00
Stefan Metzmacher	1d99eec5a7	CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id} BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:35 +02:00
Stefan Metzmacher	6b2d064dcd	CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state We should not use one "global" per connection variable to hold the incoming and outgoing auth_info. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:35 +02:00
Stefan Metzmacher	26ad208abd	CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec The first pdu is always a BIND. REQUEST pdus are only allowed once the authentication is finished. A simple anonymous authentication is finished after the BIND. Real authentication may need additional ALTER or AUTH3 exchanges. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:35 +02:00
Stefan Metzmacher	2ed603a378	CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus On protocol errors we should send BIND_NAK or FAULT and mark the connection as to be terminated. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:35 +02:00
Stefan Metzmacher	e9511b5566	CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response BIND_NAK or FAULT may mark a connection as to be terminated. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:35 +02:00
Stefan Metzmacher	5ab994c4ea	CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:35 +02:00
Stefan Metzmacher	6db7571447	CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind() For now we still force \\PIPE\\ in upper case, we may be able to remove this and change it in our idl files later. But for now we better behave like a windows server without changing too much. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:34 +02:00
Stefan Metzmacher	9f62223dd5	CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses This matches Windows 2012R2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:34 +02:00
Stefan Metzmacher	4ea67655ea	CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:34 +02:00
Stefan Metzmacher	8ba1be0882	CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault() This depends on the type of the incoming pdu. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:34 +02:00
Stefan Metzmacher	69e1d93695	CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault() This matches a Windows 2012R2 server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:34 +02:00
Stefan Metzmacher	5eb3b63c29	CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:34 +02:00
Stefan Metzmacher	3165b230b9	CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag These values are controlled by the client but only in a range between 2048 and 5840 (including these values in 8 byte steps). recv and xmit result always in same min value. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:34 +02:00
Stefan Metzmacher	563d8fe8c7	CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type} BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:33 +02:00
Stefan Metzmacher	fd3b82e1ee	CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:33 +02:00
Stefan Metzmacher	1077b50858	CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type} BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:33 +02:00
Stefan Metzmacher	5325276f96	CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:33 +02:00
Stefan Metzmacher	f8b98b323b	CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id} This will simplify checks in the following commits and avoids derefencing dcesrv_auth->auth_info which is not always arround. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:33 +02:00
Stefan Metzmacher	16e3a4c7d9	CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:33 +02:00
Stefan Metzmacher	308543b2c5	CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0 pkt->u.*.auth_info.length is not the correct thing to check. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:33 +02:00
Stefan Metzmacher	08f976d925	CVE-2015-5370: s4:rpc_server: make use of talloc_zero() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:32 +02:00
Stefan Metzmacher	0235d72491	CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads We should only allow a combined payload of a response of at max 4 MBytes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:32 +02:00
Stefan Metzmacher	df2dcc19b1	CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:32 +02:00
Stefan Metzmacher	443e00f303	CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:32 +02:00
Stefan Metzmacher	1551c418a4	CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler() This should give better error messages if the server doesn't support a specific abstract/transfer syntax. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:32 +02:00
Stefan Metzmacher	9b9d3077ea	CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu() dcerpc_pull_ncacn_packet() already verifies this. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:32 +02:00
Stefan Metzmacher	735d4ba376	CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:31 +02:00
Stefan Metzmacher	21b90228b1	CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:31 +02:00
Stefan Metzmacher	821d48478a	CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:31 +02:00
Stefan Metzmacher	447f9f1a24	CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values We now avoid reusing the same auth_info structure for incoming and outgoing values. We need to make sure that the remote server doesn't overwrite our own values. This will trigger some failures with our currently broken server, which will be fixed in the next commits. The broken server requires an dcerpc_auth structure with no credentials in order to do an alter_context request that just creates a presentation context without doing authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:31 +02:00
Stefan Metzmacher	220e4ca79d	CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:31 +02:00
Stefan Metzmacher	e6da619500	CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:31 +02:00
Stefan Metzmacher	3df2b07571	CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus It handles the case of DCERPC_AUTH_TYPE_NONE just fine and it makes it possible to do some verification in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:31 +02:00
Stefan Metzmacher	0899c0ac97	CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:30 +02:00
Stefan Metzmacher	71c2c21a68	CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:30 +02:00
Stefan Metzmacher	e39b737261	CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign() We should avoid using the global dcecli_security->auth_info struct for individual requests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:30 +02:00
Stefan Metzmacher	5be0fb1433	CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1 In future we want to verify that the auth_context_id from the server is what we expect. As Samba (<= 4.2.3) use a hardcoded value of 1 in responses, we need to use that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:30 +02:00
Stefan Metzmacher	f64b0172e2	CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id} This will simplify the following commits and avoids dereferencing dcecli_security->auth_info. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:30 +02:00
Stefan Metzmacher	47d8c31286	CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:30 +02:00
Stefan Metzmacher	1c7be37eca	CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0 All other paranoia checks are done within dcerpc_pull_auth_trailer() now. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:30 +02:00
Stefan Metzmacher	82dd128dec	CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-30 04:21:29 +02:00

... 5 6 7 8 9 ...

100764 Commits