1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

556 Commits

Author SHA1 Message Date
Volker Lendecke
2ae7ad97ab librpc: Simplify ndr_size_dom_sid28()
all_zero() treats a NULL pointer as true.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-07 18:40:28 +00:00
Pavel Filipenský
7b9f87b877 librpc:ndr: Update ndr_print_debug() and add macro NDR_PRINT_DEBUG_LEVEL
Bumping the ABI to 3.0.0

This is enhancement of NDR_PRINT_DEBUG macro with following new features:

* debug level can be specified (NDR_PRINT_DEBUG always uses level 1)
* the trace header shows the location and function of the caller
  instead of function 'ndr_print_debug', which is not really useful.

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-15 14:25:37 +00:00
Stefan Metzmacher
43648e95a5 librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0
convert_string_talloc_handle() tries to play an the safe side
and always returns a null terminated array.

But for NDR we need to be correct on the wire...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-24 15:25:36 +00:00
Andrew Bartlett
558f440f20 CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:32 +00:00
Volker Lendecke
9857c56256 librpc: Simplify GUID_hexstring()
A temporary talloc context seems unnecessary to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-24 17:32:28 +00:00
Volker Lendecke
0cddd3f2d6 librpc: Simplify GUID_string2() by using GUID_buf_string()
Avoid unnecessary talloc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-24 17:32:28 +00:00
Volker Lendecke
5e2ac224b7 librpc: Simplify GUID_zero() with a direct struct return
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-24 17:32:28 +00:00
Günther Deschner
91ff058420 librpc: add custom odj_switch_level_from_guid()
This function maintains an arbitrary mapping of GUID strings to
integers. This is required as only integers can be used as
discriminators for autogenerated ODJ unions.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:29 +00:00
Günther Deschner
9cc62b562c librpc/ndr: do not print strings when NDR_SECRET is used
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-14 16:49:29 +00:00
Andrew Bartlett
3bc680c1e3 pidl: Avoid leaving array_size NDR tokens around
In many cases these can and should be consumed as soon as
they are used.

This is not a complete fix, we don't clean up the array_size
token after using it split between an NDR_SCALARS and
an NDR_BUFFERS pass, but it is much better than it was
and helps the winbind case with a large number of groups
(eg 100,000) as otherwise we hit the 65535 NDR token limit.

(This is an arbitary Samba-only limit to avoid DoS conditions)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
a7d4f93cfd pidl: Avoid leaving array_length NDR tokens around
In many cases these can and should be consumed as soon as
they are used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
139cca7c20 librpc: Use helper function ndr_get_array_size() in ndr_check_array_size()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
40aabcb5cf librpc: Add const to cookie pointer in ndr_check_array_{size,length}
This pointer is only used to find the right token in the list
so can be declared const.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
c35f4180a4 libndr: Return error code from ndr_token_peek()
This makes it safer to change our code to remove tokens after use
if failing to obtain a token would result in an error.

This means changing ndr_get_array_size() and ndr_get_array_length()
to also return an error code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
0cc4478070 selftest: Add test of NDR marshalling from python, starting with wbint
These patches are to address an issue unpacking a very large
winbind.wbint_Principals array (100,000).

We need the NDR_TOKEN_MAX_LIST_SIZE value exposed as
otherwise a well-meaning incrase of this value would
invalidate the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andrew Bartlett
e583140e81 spoolss: Avoid indirection via ndr_get_array_size()
This is set in the call just above and otherwise we will (in the next commit)
need an intermediate variable once we need to check error codes from
ndr_get_array_size().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14710

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-06-02 03:56:36 +00:00
Andreas Schneider
a47fdd9ebb libndr: Use better and more clear check for empty flags
warning: converting the result of '<<' to a boolean always evaluates to true [-Wtautological-constant-compare]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-01 21:50:32 +00:00
Volker Lendecke
7528b7886b librpc: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
2b9ba992b6 lib: Simplify parse_guid_string() and ndr_syntax_id_from_string()
Return "bool" instead of NTSTATUS, use hex_byte() instead of
read_hex_bytes(). And parse directly into a struct GUID instead of the
components. 99 lines less code.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
a35c8a0ec2 librpc: Add ndr_syntax_id_buf_string()
Same pattern as GUID_buf_string()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
9374313f03 libndr: Simplify ndr_print_GUID()
Fix a small memleak of the tmp GUID_string

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
29e3c0cdb7 librpc: Use GUID_to_ndr_buf() in GUID_to_ndr_blob()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:33 +00:00
Volker Lendecke
bbb017637e librpc: Add GUID_to_ndr_buf()
Avoids talloc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:33 +00:00
Volker Lendecke
5a143c0931 lib: Avoid a use of includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:33 +00:00
Douglas Bagnall
bf16cd72b2 ndr: fix ndr_pull_string_array() off by one alloc
The correct line should have been

       talloc_realloc(ndr->current_mem_ctx, a, const char *, count + 2);

because if the loop does not increment count on exit (it exits via
break), so count is left pointing at the thing that just got put in.
i.e., if there was one item it is at a[0], count is 0, but we also
need the trailing NULL byte at a[1] and the length is 2. Thus + 2, not
+ 1.

This will not affect ordinary (that is, non-malicious) traffic,
because talloc_realloc will not actually realloc unless it is saving a
kilobyte. Since the allocation grows slowly with the exponent ~1.25,
the actual reallocs will start happening at some point between 512 and
1024 items.

In the example we have, there were 666 pointers, and space for 824 was
allocated.

Rather than doing the +2 realloc, it is simpler to leave it off
altogether; in the common case (<512 items) it is a no-op anyway, and
in the best possible case it reduces the temporary array by 20%.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24646

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-07 03:23:44 +00:00
Douglas Bagnall
9148f38c20 ndr: avoid excessive reallocing in pull_string_array
Before, talloc_realloc() was being called n times for an array of
length n. This could be very expensive on long string arrays since it
is reasonable to assume each realloc moves O(n) bytes.

This addresses at least one OSS-Fuzz bug, making a timing out test case
100 times faster. Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19706

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-03 02:51:35 +00:00
Douglas Bagnall
9bf331b46a ndr: maintain proper talloc tree in pull_string_array
We don't want to leave other parts of the ndr struct hanging off this
string array just because LIBNDR_FLAG_REMAINING is used.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-03 02:51:35 +00:00
Douglas Bagnall
cc3a67760c CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").

This retains the logic of e6e2ec0001.

Also DNS compression cannot be turned off for NBT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
c3fa8ada43 CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
As per RFC 1035.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
51a4571849 CVE-2020-10745: ndr_dns: do not allow consecutive dots
The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
bb63737905 CVE-2020-10745: ndr/dns_utils: correct a comment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
601e8a3f69 CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Gary Lockyer
ba518a1deb librpc ndr: add recursion check macros
Add macros to check the recursion depth.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19280
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-27 01:02:32 +00:00
Andreas Schneider
7ab1156b1e librpc:ndr: Remove byteorder.h from libndr.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-21 02:09:33 +00:00
Andreas Schneider
5268c83a48 librpc:ndr: Use bytearray.h in ndr_basic.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-21 02:09:33 +00:00
Gary Lockyer
91d4e79c27 librpc ndr: Change loop index to size_t
Change the loop index in ndr_check_padding to size_t.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
14182350f8 librpc ndr: ndr_pull_advance check for unsigned overflow.
Handle uint32 overflow in ndr_pull_advance

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
6d05fb3ea7 librpc ndr: NDR_PULL_ALIGN check for unsigned overflow
Handle uint32 overflow in NDR_PULL_ALIGN

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Gary Lockyer
ae6927e4f0 librpc ndr: Heap-buffer-overflow in lzxpress_decompress
Reproducer for oss-fuzz Issue 20083

Project: samba
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz_ndr_drsuapi_TYPE_OUT
Job Type: libfuzzer_asan_samba
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6040000002fd
Crash State:
  lzxpress_decompress
    ndr_pull_compression_xpress_chunk
      ndr_pull_compression_start

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-07 08:53:40 +00:00
Volker Lendecke
a0b967ec15 librpc: Use PRIu32 printf specifiers
Both values printed are uint32_t's

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Volker Lendecke
4864a4bb96 librpc: Use the MAX() macro where appropriate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Volker Lendecke
7b5edaebce librpc: Fix a gcc warning
gcc does not like const before static

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-23 19:11:34 +00:00
Gary Lockyer
86a31defbf ndr basic: Check ndr_token_store return code
Fix for

*** CID 1457529:  Error handling issues  (CHECKED_RETURN)
/librpc/ndr/ndr_basic.c: 786 in ndr_push_full_ptr()
...
ID 1457529:  Error handling issues  (CHECKED_RETURN)
    Calling "ndr_token_store" without checking return value (as is done
    elsewhere 14 out of 17 times).

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Jan  9 21:49:00 UTC 2020 on sn-devel-184
2020-01-09 21:49:00 +00:00
Günther Deschner
c433dac598 librpc: pidlify spoolss_EnumPerMachineConnections
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-08 23:51:31 +00:00
Günther Deschner
c9bebbcc46 librpc/ndr: provide infrastructure for NDR_SPOOLSS_{PUSH|PULL}_ENUM macros
The new macros allow the same macro convenience for enum functions without
level discriminator.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-08 23:51:31 +00:00
Günther Deschner
1038613878 librpc: better naming for NDR_SPOOLSS_{PUSH|PULL}_ENUM variants
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-08 23:51:30 +00:00
Andrew Bartlett
a85d257c1e librpc: Do not access name[-1] trying to push "" into a dnsp_name
This simply matches the behaviour from before e7b1acaddf
when the logic for a trailing . was added.  This matches what is added in
the dnsRecord attribute for a name of "." over the dnsserver RPC
management interface and is based on what Windows does for that name
in (eg) an MX record.

No a security bug because we use talloc and so name will be just the
end of the talloc header.

Credit to OSS-Fuzz

Found using the fuzz_ndr_X fuzzer

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Dec 20 11:33:52 UTC 2019 on sn-devel-184
2019-12-20 11:33:52 +00:00
Andreas Schneider
f11e207e01 librpc: Fix string length checking in ndr_pull_charset_to_null()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14219

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-20 07:35:41 +00:00
Andrew Bartlett
0e651b4508 librpc: Fix manually written printer for drsuapi_DsAttributeValue
Credit to OSS-Fuzz

Found using the ndr_fuzz_X target.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-18 06:39:26 +00:00
Andrew Bartlett
82aff583b7 libndr: Return enum ndr_err_code from ndr_{pull,push}_steal_switch_value()
This breaks the ABI so we merge this into the unreleased libndr-1.0.0.

The advantage of the new functions is there (except for print, which
is unchanged) is an error raised when the token is not found, so
we can be confident in the changes to the token behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 12 03:56:23 UTC 2019 on sn-devel-184
2019-12-12 03:56:23 +00:00
Andrew Bartlett
d30c377d8c librpc/ndr: Remove ndr_{push,pull}_get_switch_value()
By removing this we know we do not need to worry about this list
growing without bounds.  We merge this into the recently created but
not yet released ABI 1.0.0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:41 +00:00
Andrew Bartlett
a44717394d librpc: Remove last callers of ndr_push_get_switch_value()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
b880bda589 librpc: Remove last callers of ndr_pull_get_switch_value()
By removing this we know we do not need to worry about this list
growing without bounds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
92a7c5a726 librpc: Do not follow a NULL pointer when calculating the size of a union
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
362d70ff2f librpc: Do not follow a NULL pointer when calculating the size of a structure
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
e08461b284 pidl: Add and use ndr_print_steal_switch_value(), removing ndr_print_get_switch_value()
This avoids really long token lists for switch values
that will not be needed past this point.

The function name is changed to clarify what exactly is being
done here, and the old function is removed to ensure it is
not being used anywhere else.

Merge the removal of ndr_print_get_switch_value into
just-tagged librpc/ABI/ndr-1.0.0.sigs as this
has not been put into any release yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
e1a15710a4 librpc/ndr: Add ndr_push_steal_switch_value()
This will allow generated code to instead push and pop union values onto the
switch_list stack, which is more memory efficient than creating a single large
list to be scannned and eventually discarded.

Merge into unreleased ABI 1.0.0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
f7bcf227f7 librpc: Set the switch_value before NDR_BUFFERS to prepare for new libndr behaviour
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
a22a22e4a8 negoex: Set the switch_value before NDR_BUFFERS to prepare for new libndr behaviour
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
7a0ed44b0e ndr: Restrict size of ndr_token lists to avoid memory abuse by malicious clients
This is designed to stop a very large number of tokens from being stored for
arrays of structures containing relative pointers in particular.

This was one part of the minimum patch for CVE-2019-14908 before
being downgraded as not a security-release worthy issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:39 +00:00
Andrew Bartlett
4501663f6e libndr: Do not overwrite token list with NULL on allocation failure
This was one part of the minimum patch for CVE-2019-14908 before
being downgraded as not a security-release worthy issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:39 +00:00
Andrew Bartlett
b6913830bf librpc/ndr: Do not follow a client-supplied NULL pointer in _print_drsuapi_DsAttributeValue_attid()
This is not a security issue as it only happens when printing the structure
during debugging, not normal production.

Found by Michael Hanselmann using an NDR fuzzer and Hongfuzz.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 02:53:34 +00:00
Andrew Bartlett
d15a3797c7 librpc: Avoid spinning on string_array elements with a short input
Without this protection we will spin during decode of a string_array or nstring_array
that is terminated by only a single NUL byte, not two as required by UTF-16.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13874

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-04 05:10:31 +00:00
Volker Lendecke
4cd6c87a3d libndr: Fix a talloc context leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-12-02 21:23:35 +00:00
Andrew Bartlett
674d2cfd04 librpc/ndr: Remove unused ndr_cab_generate_checksum()
This function is not just unused, it is a problem because there is no
enforced connection between r->ab.length and r->cbData.

The last caller was removed in the previous commit.

Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-11-29 00:44:40 +00:00
Douglas Bagnall
536a84935c ndr_orpc: properly allocate empty DUALSTRINGARRAY
When there is no data we still need to allocate for the terminating NULL.

Found by Michael Hanselmann using Honggfuzz and an fuzzer for Samba's
NDR layer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13875

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-20 04:41:28 +00:00
Andrew Bartlett
42ac80fb46 ndr: Include the caller location in ndr_{pull,push}_error() messages
This should aid in debugging NDR parse failures.

Use the ABI bump to again exclude ndr_table_misc incorrectly
added in ABI 0.2.1.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov 19 14:47:46 UTC 2019 on sn-devel-184
2019-11-19 14:47:46 +00:00
Andrew Bartlett
83b1c21dd0 librpc: Do not return an NDR table for a zero GUID
The source3 RPC server will do a lookup by GUID and should
not be returned a table for a zero GUID.

Thankfully such a pipe would also need to have been registered
but regardless this is not a determinsitic result so should
be avoided.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-11-14 08:01:43 +00:00
Andrew Bartlett
7299b9ba90 librpc: Allow registration of ndr tables with a zero UUID
This helps ndrdump find public structures to dump

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-11-13 00:32:37 +00:00
Björn Jacke
5915a40b25 librpc/ndr/ndr_compression.c: typo fixes
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2019-10-31 00:43:36 +00:00
Günther Deschner
86a0e4850e librpc/ndr: add ndr_print_netlogon_samlogon_response()
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-26 18:41:26 +00:00
Mathieu Parent
619e8f46d8 Spelling fixes s/ upto / up to /
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:27 +00:00
Noel Power
9c58684566 librpc/ndr: clang: Fix warning 'Value stored to 'towernum' is never read'
Fixes:

librpc/ndr/ndr_orpc.c:140:2: warning: Value stored to 'towernum' is never read <--[clang]
        towernum = 0;
        ^          ~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-06-26 10:30:23 +00:00
Noel Power
0152925879 librpc/ndr: clang: Fix Assigned value is garbage or undefined warning
Fixes:

librpc/ndr/ndr_basic.c:170:5: warning: Assigned value is garbage or undefined <--[clang]

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer gary@catalyst.net.nz
2019-06-11 12:10:17 +00:00
Gary Lockyer
5d67e87d1c pidl: Allow ndrdump to print public structures
Generate code to allow ndrdump to operate on public structures.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2019-06-06 03:30:18 +00:00
Douglas Bagnall
c737b61cb4 librpc/ndr: make push_charset_to_null UTF-16 safe (CID 1399648)
The length is in test units, not bytes, and includes terminating
nulls. For 16-bit character sets, the terminating null must be two
bytes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Stefan Metzmacher
6da3664f8a ndr_spoolss_buf: fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13818

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-03-06 03:16:14 +00:00
Andreas Schneider
96df6878ed lib:util: Move discard_const(_p) to own header for libndr.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13778

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-02-14 15:59:26 +01:00
Andreas Schneider
666802a3db librpc:ndr: Add NDR_ZERO_STRUCT(P) macros
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13778

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-02-14 15:59:26 +01:00
Andreas Schneider
2a7086f1ac librpc:ndr: Implement ndr_zero_memory()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13778

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-02-14 15:59:25 +01:00
Aliaksei Karaliou
51bc92d8c8 build: Get rid of hardcoded 'bin/default' in includes
Removed occurrences of bin/default used in #include directive for
auto-generated headers residing in build directory.
Build system is capable of resolving path to such headers by itself
without extra hardcoded path to build directory.

Signed-off-by: Aliaksei Karaliou <akaraliou@panasas.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-02-08 08:51:19 +01:00
Volker Lendecke
64e05bc8c1 librpc: Solaris cc does not like unnamed struct members
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-02-03 13:52:29 +01:00
Volker Lendecke
c9036f2597 libndr: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-01-08 03:40:27 +01:00
Andreas Schneider
7b60d72f67 librpc:ndr: Give the optimizer hints for ndr_push_bytes()
Also remove the redundant check in ndr_push_DATA_BLOB.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  7 15:33:38 CET 2018 on sn-devel-144
2018-12-07 15:33:38 +01:00
Andreas Schneider
d9e95849e3 librpc:ndr: Fix undefined behavior in ndr_basic
librpc/ndr/ndr_basic.c:723:2: runtime error: null pointer passed as
argument 2, which is declared to never be null

The following triggered the undefined behavior:

(gdb) bt
    at librpc/gen_ndr/ndr_drsuapi.c:2318
    fn=0x7ffff6e72983 <ndr_push_drsuapi_DsReplicaObjectIdentifier3Binary>) at ../../librpc/ndr/ndr.c:1337
    at ../../source4/dsdb/schema/schema_syntax.c:2136
    drs_str=<optimized out>) at ../../source4/dsdb/schema/tests/schema_syntax.c:122
    already_setup=<optimized out>, restricted=restricted@entry=0x0) at ../../lib/torture/torture.c:442
    at ../../lib/torture/torture.c:507
    suite=0x5555563d9490, matched=0x7fffffffcef7) at ../../source4/torture/smbtorture.c:93
    matched=0x7fffffffcef7) at ../../source4/torture/smbtorture.c:95
    at ../../source4/torture/smbtorture.c:143
(gdb) f 1
1335            NDR_CHECK(ndr_push_bytes(ndr, blob.data, blob.length));
(gdb) p blob
$2 = {data = 0x0, length = 0}

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Dec  6 08:48:28 CET 2018 on sn-devel-144
2018-12-06 08:48:27 +01:00
Andreas Schneider
6f48bc840c librpc:ndr: Fix undefined behavior in ndr.c
librpc/ndr/ndr.c:1430 runtime error: left shift of 1 by 31 places cannot
be represented in type 'int'

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Fri Nov 23 01:23:09 CET 2018 on sn-devel-144
2018-11-23 01:23:09 +01:00
Andreas Schneider
9c37ed26f0 librpc:ndr: Initialize inblob
Found by cppcheck.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-11-14 05:07:15 +01:00
Andreas Schneider
f040d660c0 ndr: Init variables of GUID_from_data_blob()
Found by covscan.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-10-19 23:11:26 +02:00
Douglas Bagnall
cd2365175f ndr_misc: read syntax_id using strict util_str_hex functions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-31 01:57:16 +02:00
Mathieu Parent
e8a3a43649 Fix spelling s/ouput/output/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-12 02:09:27 +02:00
Volker Lendecke
1cd0fe90cf ndr_string: Do overflow checks in ndr_push/pull_charset
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 28 16:08:16 CEST 2018 on sn-devel-144
2018-03-28 16:08:16 +02:00
Volker Lendecke
360804ed4f ndr_string: Fix a signed/unsigned glitch
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-28 13:03:25 +02:00
Andreas Schneider
64c9ca3a3d librpc:ndr: Add FALL_THROUGH statements in ndr_cab.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Douglas Bagnall
6ef6ddce5a shift read_hex_bytes() and parse_guid_string() into lib/util
read_hex_bytes() is going to be used in lib/util/rfc1738.c.

parse_guid_string() is shifted for two reasons: Firstly, it is called
very often in some operations, sometimes constituting a few percent of
the CPU load, and it makes several calls to read_hex_bytes(). We want
the compiler to be able to inline those calls if it thinks that is
wise. Secondly, there are other places that could do with fast GUID
parsing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 01:04:18 +01:00
Volker Lendecke
15748c325c ndr_dns: fix pushing unknown resource records
When pulling for example an RRSIG record, we end up with length!=0 *and*
unexpected.length != 0, but with an unknown rrec. We should be able to
marshall what we retrieved from the wire.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-04 00:37:21 +01:00
Andrew Bartlett
4a5c2bfec1 Use the rpc_parse debug class for PIDL genrated code
This means that the default print binding string qualifier will now go via this debug class
as will explicit calls to ndr_print_debug() and ndr_print_union_debug().

Calls to ndr_print_debugc() are not changed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-07 06:56:27 +02:00
Jeremy Allison
1c1fce7414 lib: rpc: The registered interfaces are a lists of singletons that are never removed.
Allocate them off the NULL context not the talloc_autofree_context().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-26 21:35:21 +02:00
Aurelien Aptel
c60ad394fa librpc/ndr: add MSZIP compression for cabinet files
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Aurelien Aptel
43a1952b17 librpc/ndr: simplify cabinet file size calculation
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Andreas Schneider
7c20a87097 librpc/ndr: Use correct value for max compression size
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Günther Deschner
a2816122f9 librpc/ndr: Use MAX_WBITS zlib define and change memLevel in MSZIP code
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Aurelien Aptel
9ec74a319f librpc/ndr: remove unused ndr_cab_get_compression() function
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Aurelien Aptel
466d5e8147 librpc: use DATA_BLOB in CFDATA structure
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Aurelien Aptel
1edf126693 librpc/ndr: add helper functions to setup and free compression states.
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Günther Deschner
096efc93df librpc/ndr: add new MSZIP compression type for cabinet files
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Aurelien Aptel
aa33aa6e64 librpc/ndr: add new ndr_compression_state
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Günther Deschner
a44bce6dfa libndr/compression: pass down compressed length in ndr_pull_compression_start
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Aurelien Aptel
3b5442e77b librpc/ndr: remove trailing whitespace from compression file.
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Andreas Schneider
9a2180cd04 librpc:ndr_cab: Cast data pointer correctly
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Aurelien Aptel
e54adf516e ndr_compression: use MAX_WBITS constant
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-19 21:22:13 +02:00
Stefan Metzmacher
32aa3a199d librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:43 +02:00
Stefan Metzmacher
91d8272e86 librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
The range included the unused (1<<14) before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:43 +02:00
Andreas Schneider
ef109f86c7 librpc:ndr: Set the length to 1 if we assign and empty string
CID #1399648

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-05-16 12:38:20 +02:00
Douglas Bagnall
70923b7521 ndr: Use resizing array instead of linked lists (breaking ABI)
The ndr token code keeps a temporary store of tokens which are
referred to a small number of times (often once) before being
discarded. The access patterns are somewhat stack-like, with recently
placed tokens being accessed most often.

The old code kept these tokens in a linked list, which we replace with
a self-resizing array.

This keeps everything roughly the same in big-O terms, but makes it
all faster in practice by vastly reducing the amount of tallocing and
pointer-chasing.

The peak memory use is strictly reduced. On a 64 bit machine each core
token struct fits in 16 bytes (after padding) while the two pointers
used by the DLIST add another 16 bytes, so the overall list allocation
is the same as the peak 2n array allocation -- except in the list case
it is dwarfed by the talloc and malloc metadata overhead.

Before settling on the resized arrays, we tried red-black trees, which
are bound to be better for large ndr structures. As it happens, we
don't deal with large structures (the size of replication clumps is
limited to 400 objects) and the asymptotic benefits of the trees are
not realised in practice.

With luck you should find graphs comparing the performance of these
various techniques at:

https://www.samba.org/~dbagnall/perf-tests/ndr-token/

This necessarily breaks the ABI because the linked list implementation
was publicly exposed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar  2 08:38:22 CET 2017 on sn-devel-144
2017-03-02 08:38:21 +01:00
Douglas Bagnall
4bd8e63165 ndr: fix whitespace in libndr.h, ndr.c
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-02 04:35:14 +01:00
Günther Deschner
303ae2a023 librpc/ndr: add ndr_push_charset_to_null and increase library version (abi change)
We were crashing earlier when calculating the length of NULL strings in
fixed size arrays (noticed while replying with an empty
spoolss_CorePrinterDriver struct within the spoolss_GetCorePrinterDrivers
call).

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-01-24 10:53:17 +01:00
Volker Lendecke
f46932abfc librpc: Use "all_zero" where appropriate
... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-03 16:04:28 +01:00
Volker Lendecke
ce9e4a3501 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.

Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
2016-12-20 07:51:14 +01:00
Douglas Bagnall
91d5ea2ae9 librpc/ndr/uuid.c: improve speed and accuracy of GUID string parsing
GUID_from_data_blob() was relying on sscanf to parse strings, which was
slow and quite accepting of invalid GUIDs. Instead we directly read a
fixed number of hex bytes for each field.

This now passes the samba4.local.ndr.*.guid_from_string_invalid tests.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Dec 14 08:55:42 CET 2016 on sn-devel-144
2016-12-14 08:55:42 +01:00
Jeremy Allison
446851c861 librpc: cab: Fix ndr_size_cab_file() to detect integer wrap.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec  1 05:53:43 CET 2016 on sn-devel-144
2016-12-01 05:53:43 +01:00
Jeremy Allison
d2fe23ae0a librpc: cab: Integer wrap protection for ndr_count_cfdata().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-01 02:02:19 +01:00
Günther Deschner
e91895f411 librpc: Add ndr_cab_get_compression() for Cabinet compression evaluation
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-24 20:24:26 +01:00
Günther Deschner
983dac44f2 librpc: Add autogenerated file offset calculation for Cabinet files
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-24 20:24:26 +01:00
Günther Deschner
59ae0e5f34 librpc: Add autogenerated total cabinet size for Cabinet files
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-24 20:24:26 +01:00
Günther Deschner
4cc4fca23e librpc: Add autogenerated checksum calculation for Cabinet files
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-24 20:24:26 +01:00
Günther Deschner
88e1c4dc44 librpc: Introduce cab.idl
This allows processing of Windows Cabinet files (required for the MS-PAR
print protocol implementation)

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-24 20:24:26 +01:00
Stefan Metzmacher
e2f2250456 dcerpc.idl: set LIBNDR_FLAG_* flags based on DCERPC_PFC_FLAG_OBJECT_UUID and DCERPC_DREP_LE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:18 +02:00
Günther Deschner
23f404b7f5 spoolss: rename spoolss_EnumPrintProcDataTypes to spoolss_EnumPrintProcessorDataTypes
This change makes automatic mapping for PAR->RPRN opcodes easier.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-09-22 12:29:26 +02:00
Andrew Bartlett
1246904d41 librpc: Add ndr_push_struct_into_fixed_blob() and use it in GUID_to_ndr_blob()
This allows us to allocate only the correct size, not a default of 1024 bytes
per push.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-07-28 10:06:12 +02:00
Stefan Metzmacher
38527702fd krb5pac.idl: implement PAC_UPN_DNS_INFO correct
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-07-20 21:27:18 +02:00
Stefan Metzmacher
8e458360b4 krb5pac: fix push/pull of subcontexts in PAC_BUFFER
We need to have two subcontexts to get the padding right,
the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
the inner subcontext only uses _ndr_size.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-07-20 21:27:18 +02:00
Günther Deschner
4f5dde6730 krb5pac: no need for a noprint PAC_BUFFER.
Guenther

@@ -1,6 +1,7 @@
 _PUBLIC_ void ndr_print_PAC_BUFFER(struct ndr_print *ndr, const char *name, const struct PAC_BUFFER *r)
 {
        ndr_print_struct(ndr, name, "PAC_BUFFER");
+       if (r == NULL) { ndr_print_null(ndr); return; }
        ndr->depth++;
        ndr_print_PAC_TYPE(ndr, "type", r->type);
        ndr_print_uint32(ndr, "_ndr_size", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?_ndr_size_PAC_INFO(r->info,r->type,0):r->_ndr_size);
@@ -11,7 +12,7 @@
                ndr_print_PAC_INFO(ndr, "info", r->info);
        }
        ndr->depth--;
-       ndr_print_uint32(ndr, "_pad", r->_pad);
+       ndr_print_uint32(ndr, "_pad", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?0:r->_pad);
        ndr->depth--;
 }

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-07-20 21:27:18 +02:00
Stefan Metzmacher
26d2ea389b drsblobs.idl: supplementalCredentialsSubBlob make it possible to parse strange blobs
Windows omits the uint16 num_packages field when the packages array is empty.
This happens if the UF_SMARTCARD_REQUIRED flag is set for an account.

A user was created with a password and then userAccountControl was changed to
UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED. In that case I'm getting
(as the whole supplementalCredentialsBlob):

[0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
[0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
[0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 30       . . . .  . .P.0

I've also got cases (where I created an account with
UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_SMARTCARD_REQUIRED
in the LDAP add) with the following strange blobs:

One time:
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00
and once:
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 53

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-07-20 21:27:17 +02:00
Stefan Metzmacher
e9c9615a1f drsblobs.idl: mark supplementalCredentialsSubBlob as nopull,nopush
This commit moves the autogenerated ndr_{pull,push}_supplementalCredentialsSubBlob()
function to the handwritten librpc/ndr/ndr_drsblobs.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-07-20 21:27:17 +02:00
Garming Sam
1a2427d97e typo: componemt => component
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-05 00:00:15 +02:00
Günther Deschner
8b7d92bb73 librpc: add decode_netlogon_samlogon_response_packet for mailslot debugging.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul  1 01:29:42 CEST 2016 on sn-devel-144
2016-07-01 01:29:42 +02:00
Stefan Metzmacher
9722f064e7 librpc/ndr: add support for NDR_ALIGN* to ndr_push_short_relative_ptr2()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:15 +02:00
Andrew Bartlett
4304eac854 librpc: Avoid talloc in GUID_from_data_blob()
This is often found in inner loops in the dsdb code, because LDB DNs often contain a GUID string

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-27 00:18:17 +02:00
Ralph Boehme
a51f998956 librpc/dns: don't compress strings in TKEY and TSIG responses
Certain DNS clients fail TSIG record MAC validation if the TSIG record
contains compressed strings.

Windows DNS server behaviour seems to be to not send compressed names in
TKEY and TSIG records.

This patch ensures we conform to this behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:27 +02:00
Ralph Boehme
df079962ef librpc/ndr: add flag LIBNDR_FLAG_NO_COMPRESSION
This flag can be used to change marshalling behaviour with regard to
compression.

Example: DNS packets make use of so called DNS name compression which
means that for identical strings in a DNS packet, the second string is
replaced with a reference (an offset) to the first.

Setting this flag requests to turns off the marshalling compression.

This will be used in the next commit to prevent name compression in DNS
TSIG records.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:27 +02:00
Andrew Bartlett
98712e9bda libndr: Add ndr_pull_struct_blob_all_noalloc
This allows us to remove talloc() calls from GUID_from_ndr_blob().

To do this the struct ndr_pull is placed on the stack, and filled in there.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-05-03 08:10:10 +02:00
Garming Sam
89f5bbc971 dns: remove double talloc for strings
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-05-03 08:10:09 +02:00
Douglas Bagnall
c20e7b8c01 ndr: inline search for ndr_token_peek()
This is often a hot path, particularly with complex structures like
nt-acls.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-22 08:00:31 +01:00
Douglas Bagnall
7261433fe1 librpc ndr: add ndr_pull_steal_switch_value()
Switch values currently only have a peek variant, instead of a retrieve
variant for getting their values. This can create performance issues
with complex structures as the token list simply grows longer.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-22 08:00:31 +01:00
Stefan Metzmacher
c1e2a1f0a7 librpc/ndr: add ndr_ntlmssp_find_av() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
ee8d777bbf CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
From RFC 1035:

    3.3.14. TXT RDATA format

        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        /                   TXT-DATA                    /
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    where:

    TXT-DATA        One or more <character-string>s.

    TXT RRs are used to hold descriptive text.  The semantics of the text
    depends on the domain where it is found.

Each record contains an array of strings instead of just one string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:24 +01:00
Stefan Metzmacher
1cc57a98d4 CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:23 +01:00
Jelmer Vernooij
ffbd9c4584 Add a new header file for functions in lib/util/util.c.
This allows public headers to not include samba_util.h, but rather
specific header files under lib/util.

Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Stefan Metzmacher
bf1fa9e080 negoex.idl: use DATA_BLOB for negoex_BYTE_VECTOR
That's much easier for the callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 18 04:07:56 CET 2015 on sn-devel-144
2015-12-18 04:07:56 +01:00
Stefan Metzmacher
a4fa489705 negoex.idl: initial version
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2015-12-18 01:03:20 +01:00