X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Fpatches%2Fsamba%2FCVE-2015-5370-v3-6.patch;fp=src%2Fpatches%2Fsamba%2FCVE-2015-5370-v3-6.patch;h=0000000000000000000000000000000000000000;hp=7af1dd3629a64179f7cd1d04a5d79a1cd76769a9;hb=201ad7ff80eb8870aab2b903be6eb7aea2adf563;hpb=f29f169735ff3b431c6dc7cb50b36d0fe644163b diff --git a/src/patches/samba/CVE-2015-5370-v3-6.patch b/src/patches/samba/CVE-2015-5370-v3-6.patch deleted file mode 100644 index 7af1dd3629..0000000000 --- a/src/patches/samba/CVE-2015-5370-v3-6.patch +++ /dev/null @@ -1,3080 +0,0 @@ -From 8368c32cb69da82c8df36404ec8042c3046866ca Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 16 Jul 2015 22:46:05 +0200 -Subject: [PATCH 01/40] CVE-2015-5370: dcerpc.idl: add - DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner ---- - librpc/idl/dcerpc.idl | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl -index 75ef2ec..bbb42d1 100644 ---- a/librpc/idl/dcerpc.idl -+++ b/librpc/idl/dcerpc.idl -@@ -475,9 +475,11 @@ interface dcerpc - const uint8 DCERPC_PFC_OFFSET = 3; - const uint8 DCERPC_DREP_OFFSET = 4; - const uint8 DCERPC_FRAG_LEN_OFFSET = 8; -+ const uint32 DCERPC_FRAG_MAX_SIZE = 5840; - const uint8 DCERPC_AUTH_LEN_OFFSET = 10; - const uint8 DCERPC_CALL_ID_OFFSET = 12; - const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16; -+ const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */ - - /* little-endian flag */ - const uint8 DCERPC_DREP_LE = 0x10; --- -2.8.1 - - -From e3043ba5aafdb0605ab14b11917d497b59d82bec Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sun, 28 Jun 2015 01:19:57 +0200 -Subject: [PATCH 02/40] CVE-2015-5370: librpc/rpc: simplify and harden - dcerpc_pull_auth_trailer() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner ---- - librpc/rpc/dcerpc_util.c | 63 ++++++++++++++++++++++++++++++++++++------------ - librpc/rpc/rpc_common.h | 4 +-- - 2 files changed, 49 insertions(+), 18 deletions(-) - -diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c -index 97ef798..f936ef4 100644 ---- a/librpc/rpc/dcerpc_util.c -+++ b/librpc/rpc/dcerpc_util.c -@@ -92,31 +92,44 @@ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob) - * - * @return - A NTSTATUS error code. - */ --NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt, -+NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, - TALLOC_CTX *mem_ctx, -- DATA_BLOB *pkt_trailer, -+ const DATA_BLOB *pkt_trailer, - struct dcerpc_auth *auth, -- uint32_t *auth_length, -+ uint32_t *_auth_length, - bool auth_data_only) - { - struct ndr_pull *ndr; - enum ndr_err_code ndr_err; -- uint32_t data_and_pad; -+ uint16_t data_and_pad; -+ uint16_t auth_length; -+ uint32_t tmp_length; - -- data_and_pad = pkt_trailer->length -- - (DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length); -+ ZERO_STRUCTP(auth); -+ if (_auth_length != NULL) { -+ *_auth_length = 0; -+ } - -- /* paranoia check for pad size. This would be caught anyway by -- the ndr_pull_advance() a few lines down, but it scared -- Jeremy enough for him to call me, so we might as well check -- it now, just to prevent someone posting a bogus YouTube -- video in the future. -- */ -- if (data_and_pad > pkt_trailer->length) { -- return NT_STATUS_INFO_LENGTH_MISMATCH; -+ /* Paranoia checks for auth_length. The caller should check this... */ -+ if (pkt->auth_length > pkt->frag_length) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET; -+ tmp_length += DCERPC_AUTH_TRAILER_LENGTH; -+ tmp_length += pkt->auth_length; -+ if (tmp_length > pkt->frag_length) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ if (pkt_trailer->length > UINT16_MAX) { -+ return NT_STATUS_INTERNAL_ERROR; - } - -- *auth_length = pkt_trailer->length - data_and_pad; -+ auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length; -+ if (pkt_trailer->length < auth_length) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ -+ data_and_pad = pkt_trailer->length - auth_length; - - ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx); - if (!ndr) { -@@ -136,14 +149,28 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt, - ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - talloc_free(ndr); -+ ZERO_STRUCTP(auth); - return ndr_map_error2ntstatus(ndr_err); - } - -+ if (data_and_pad < auth->auth_pad_length) { -+ DEBUG(1, (__location__ ": ERROR: pad length mismatch. " -+ "Calculated %u got %u\n", -+ (unsigned)data_and_pad, -+ (unsigned)auth->auth_pad_length)); -+ talloc_free(ndr); -+ ZERO_STRUCTP(auth); -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ - if (auth_data_only && data_and_pad != auth->auth_pad_length) { -- DEBUG(1, (__location__ ": WARNING: pad length mismatch. " -+ DEBUG(1, (__location__ ": ERROR: pad length mismatch. " - "Calculated %u got %u\n", - (unsigned)data_and_pad, - (unsigned)auth->auth_pad_length)); -+ talloc_free(ndr); -+ ZERO_STRUCTP(auth); -+ return NT_STATUS_RPC_PROTOCOL_ERROR; - } - - DEBUG(6,(__location__ ": auth_pad_length %u\n", -@@ -152,6 +179,10 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt, - talloc_steal(mem_ctx, auth->credentials.data); - talloc_free(ndr); - -+ if (_auth_length != NULL) { -+ *_auth_length = auth_length; -+ } -+ - return NT_STATUS_OK; - } - -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h -index fe8129d..98a2e95 100644 ---- a/librpc/rpc/rpc_common.h -+++ b/librpc/rpc/rpc_common.h -@@ -158,9 +158,9 @@ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob); - * - * @return - A NTSTATUS error code. - */ --NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt, -+NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, - TALLOC_CTX *mem_ctx, -- DATA_BLOB *pkt_trailer, -+ const DATA_BLOB *pkt_trailer, - struct dcerpc_auth *auth, - uint32_t *auth_length, - bool auth_data_only); --- -2.8.1 - - -From 397300d996299400842938131691fbbeb88c2c82 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 29 Jun 2015 10:24:45 +0200 -Subject: [PATCH 03/40] CVE-2015-5370: s3:librpc/rpc: don't call - dcerpc_pull_auth_trailer() if auth_length is 0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -All other paranoia checks are done within dcerpc_pull_auth_trailer() -now. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner ---- - source3/librpc/rpc/dcerpc_helpers.c | 12 ++---------- - 1 file changed, 2 insertions(+), 10 deletions(-) - -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c -index 24f2f52..76f2acc 100644 ---- a/source3/librpc/rpc/dcerpc_helpers.c -+++ b/source3/librpc/rpc/dcerpc_helpers.c -@@ -899,16 +899,8 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - return NT_STATUS_INVALID_PARAMETER; - } - -- /* Paranioa checks for auth_length. */ -- if (pkt->auth_length > pkt->frag_length) { -- return NT_STATUS_INFO_LENGTH_MISMATCH; -- } -- if (((unsigned int)pkt->auth_length -- + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) || -- ((unsigned int)pkt->auth_length -- + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) { -- /* Integer wrap attempt. */ -- return NT_STATUS_INFO_LENGTH_MISMATCH; -+ if (pkt->auth_length == 0) { -+ return NT_STATUS_INVALID_PARAMETER; - } - - status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer, --- -2.8.1 - - -From faa20091b4a456a5e29f852561f6f5e9863860e0 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 26 Jun 2015 08:10:46 +0200 -Subject: [PATCH 04/40] CVE-2015-5370: librpc/rpc: add a - dcerpc_verify_ncacn_packet_header() helper function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 8266be48f455a5e541d0f7f62a1c8c38e0835976) ---- - librpc/rpc/dcerpc_util.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++ - librpc/rpc/rpc_common.h | 5 ++++ - 2 files changed, 78 insertions(+) - -diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c -index f936ef4..2f599d5 100644 ---- a/librpc/rpc/dcerpc_util.c -+++ b/librpc/rpc/dcerpc_util.c -@@ -186,6 +186,79 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, - return NT_STATUS_OK; - } - -+/** -+* @brief Verify the fields in ncacn_packet header. -+* -+* @param pkt - The ncacn_packet strcuture -+* @param ptype - The expected PDU type -+* @param max_auth_info - The maximum size of a possible auth trailer -+* @param required_flags - The required flags for the pdu. -+* @param optional_flags - The possible optional flags for the pdu. -+* -+* @return - A NTSTATUS error code. -+*/ -+NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt, -+ enum dcerpc_pkt_type ptype, -+ size_t max_auth_info, -+ uint8_t required_flags, -+ uint8_t optional_flags) -+{ -+ if (pkt->rpc_vers != 5) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ -+ if (pkt->rpc_vers_minor != 0) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ -+ if (pkt->auth_length > pkt->frag_length) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ -+ if (pkt->ptype != ptype) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ -+ if (max_auth_info > UINT16_MAX) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ if (pkt->auth_length > 0) { -+ size_t max_auth_length; -+ -+ if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH; -+ -+ if (pkt->auth_length > max_auth_length) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ } -+ -+ if ((pkt->pfc_flags & required_flags) != required_flags) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ if (pkt->pfc_flags & ~(optional_flags|required_flags)) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ -+ if (pkt->drep[0] & ~DCERPC_DREP_LE) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ if (pkt->drep[1] != 0) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ if (pkt->drep[2] != 0) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ if (pkt->drep[3] != 0) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ -+ return NT_STATUS_OK; -+} -+ - struct dcerpc_read_ncacn_packet_state { - #if 0 - struct { -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h -index 98a2e95..b3ae5b2 100644 ---- a/librpc/rpc/rpc_common.h -+++ b/librpc/rpc/rpc_common.h -@@ -164,6 +164,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, - struct dcerpc_auth *auth, - uint32_t *auth_length, - bool auth_data_only); -+NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt, -+ enum dcerpc_pkt_type ptype, -+ size_t max_auth_info, -+ uint8_t required_flags, -+ uint8_t optional_flags); - struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct tstream_context *stream); --- -2.8.1 - - -From c176174588c1119a11066b6188ac50cd3c9603f4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 05/40] CVE-2015-5370: s3:rpc_client: move AS/U hack to the top - of cli_pipe_validate_current_pdu() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 665b874b6022bfcdec3f13a9f5a844e5d1784aba) ---- - source3/rpc_client/cli_pipe.c | 24 +++++++++++++----------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 5ddabb7..295b88f 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -414,6 +414,19 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, - */ - *rdata = *pdu; - -+ if ((pkt->ptype == DCERPC_PKT_BIND_ACK) && -+ !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) { -+ /* -+ * TODO: do we still need this hack which was introduced -+ * in commit a42afcdcc7ab9aa9ed193ae36d3dbb10843447f0. -+ * -+ * I don't even know what AS/U might be... -+ */ -+ DEBUG(5, (__location__ ": bug in server (AS/U?), setting " -+ "fragment first/last ON.\n")); -+ pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST; -+ } -+ - /* Ensure we have the correct type. */ - switch (pkt->ptype) { - case DCERPC_PKT_ALTER_RESP: -@@ -518,17 +531,6 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, - return NT_STATUS_RPC_PROTOCOL_ERROR; - } - -- /* Do this just before return - we don't want to modify any rpc header -- data before now as we may have needed to do cryptographic actions on -- it before. */ -- -- if ((pkt->ptype == DCERPC_PKT_BIND_ACK) && -- !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) { -- DEBUG(5, (__location__ ": bug in server (AS/U?), setting " -- "fragment first/last ON.\n")); -- pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST; -- } -- - return NT_STATUS_OK; - } - --- -2.8.1 - - -From b9ae0068be4dfc6f7d09144c353689ab01955b93 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 06/40] CVE-2015-5370: s3:rpc_client: remove useless - frag_length check in rpc_api_pipe_got_pdu() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -dcerpc_pull_ncacn_packet() already verifies this. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 9a3f045244b12ff9f77d2664396137c390042297) ---- - source3/rpc_client/cli_pipe.c | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 295b88f..2787fbc 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -898,14 +898,6 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) - return; - } - -- if (state->incoming_frag.length != state->pkt->frag_length) { -- DEBUG(5, ("Incorrect pdu length %u, expected %u\n", -- (unsigned int)state->incoming_frag.length, -- (unsigned int)state->pkt->frag_length)); -- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); -- return; -- } -- - status = cli_pipe_validate_current_pdu(state, - state->cli, state->pkt, - &state->incoming_frag, --- -2.8.1 - - -From 05688274f03e6086e3ba4d7b4cb4409f9c4d9cb1 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 26 Jun 2015 08:10:46 +0200 -Subject: [PATCH 07/40] CVE-2015-5370: s4:rpc_server: no authentication is - indicated by pkt->auth_length == 0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -pkt->u.*.auth_info.length is not the correct thing to check. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(packported from commit c0236de09e542dbb168969d8ae9f0c150a75198e) ---- - source4/rpc_server/dcesrv_auth.c | 23 ++++++++++++++--------- - 1 file changed, 14 insertions(+), 9 deletions(-) - -diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c -index 1e6aa24..61f2176 100644 ---- a/source4/rpc_server/dcesrv_auth.c -+++ b/source4/rpc_server/dcesrv_auth.c -@@ -46,7 +46,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) - NTSTATUS status; - uint32_t auth_length; - -- if (pkt->u.bind.auth_info.length == 0) { -+ if (pkt->auth_length == 0) { - dce_conn->auth_state.auth_info = NULL; - return true; - } -@@ -108,7 +108,7 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe - struct dcesrv_connection *dce_conn = call->conn; - NTSTATUS status; - -- if (!call->conn->auth_state.gensec_security) { -+ if (call->pkt.auth_length == 0) { - return NT_STATUS_OK; - } - -@@ -155,10 +155,16 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call) - NTSTATUS status; - uint32_t auth_length; - -- /* We can't work without an existing gensec state, and an new blob to feed it */ -- if (!dce_conn->auth_state.auth_info || -- !dce_conn->auth_state.gensec_security || -- pkt->u.auth3.auth_info.length == 0) { -+ if (pkt->auth_length == 0) { -+ return false; -+ } -+ -+ if (!dce_conn->auth_state.auth_info) { -+ return false; -+ } -+ -+ /* We can't work without an existing gensec state */ -+ if (!dce_conn->auth_state.gensec_security) { - return false; - } - -@@ -203,7 +209,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call) - uint32_t auth_length; - - /* on a pure interface change there is no auth blob */ -- if (pkt->u.alter.auth_info.length == 0) { -+ if (pkt->auth_length == 0) { - return true; - } - -@@ -238,8 +244,7 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack - - /* on a pure interface change there is no auth_info structure - setup */ -- if (!call->conn->auth_state.auth_info || -- dce_conn->auth_state.auth_info->credentials.length == 0) { -+ if (call->pkt.auth_length == 0) { - return NT_STATUS_OK; - } - --- -2.8.1 - - -From 57230961cee9e82ab060b54b5fb8c2b19f672111 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 27 Jun 2015 10:31:48 +0200 -Subject: [PATCH 08/40] CVE-2015-5370: s4:librpc/rpc: check pkt->auth_length - before calling dcerpc_pull_auth_trailer - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Ralph Boehme -(backported from 630dcb55ad7a3a89bcd8643c98a5cdbfb8735ef7) ---- - source4/librpc/rpc/dcerpc.c | 13 ++++++++++--- - source4/rpc_server/dcesrv_auth.c | 5 +++++ - 2 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c -index 742d710..cfbccd6 100644 ---- a/source4/librpc/rpc/dcerpc.c -+++ b/source4/librpc/rpc/dcerpc.c -@@ -701,6 +701,14 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX - return NT_STATUS_INVALID_LEVEL; - } - -+ if (pkt->auth_length == 0) { -+ return NT_STATUS_INVALID_NETWORK_RESPONSE; -+ } -+ -+ if (c->security_state.generic_state == NULL) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ - status = dcerpc_pull_auth_trailer(pkt, mem_ctx, - &pkt->u.response.stub_and_verifier, - &auth, &auth_length, false); -@@ -1074,7 +1082,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *req, - } - - /* the bind_ack might contain a reply set of credentials */ -- if (conn->security_state.auth_info && pkt->u.bind_ack.auth_info.length) { -+ if (conn->security_state.auth_info && pkt->auth_length) { - NTSTATUS status; - uint32_t auth_length; - status = dcerpc_pull_auth_trailer(pkt, conn, &pkt->u.bind_ack.auth_info, -@@ -1847,8 +1855,7 @@ static void dcerpc_alter_recv_handler(struct rpc_request *req, - } - - /* the alter_resp might contain a reply set of credentials */ -- if (recv_pipe->conn->security_state.auth_info && -- pkt->u.alter_resp.auth_info.length) { -+ if (recv_pipe->conn->security_state.auth_info && pkt->auth_length) { - struct dcecli_connection *conn = recv_pipe->conn; - NTSTATUS status; - uint32_t auth_length; -diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c -index 61f2176..3051c1c 100644 ---- a/source4/rpc_server/dcesrv_auth.c -+++ b/source4/rpc_server/dcesrv_auth.c -@@ -320,6 +320,11 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) - return false; - } - -+ if (pkt->auth_length == 0) { -+ DEBUG(1,("dcesrv_auth_request: unexpected auth_length of 0\n")); -+ return false; -+ } -+ - status = dcerpc_pull_auth_trailer(pkt, call, - &pkt->u.request.stub_and_verifier, - &auth, &auth_length, false); --- -2.8.1 - - -From c35b0e37f7d37459f55d67a5037c08bea4d33acf Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sun, 28 Jun 2015 01:19:57 +0200 -Subject: [PATCH 09/40] CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length - == 0 in dcerpc_pull_auth_trailer() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -All callers should have already checked that. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 1ed83c7657a3b405db1928db06c29f41d2738186) ---- - librpc/rpc/dcerpc_util.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c -index 2f599d5..89b7597 100644 ---- a/librpc/rpc/dcerpc_util.c -+++ b/librpc/rpc/dcerpc_util.c -@@ -111,6 +111,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, - } - - /* Paranoia checks for auth_length. The caller should check this... */ -+ if (pkt->auth_length == 0) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ /* Paranoia checks for auth_length. The caller should check this... */ - if (pkt->auth_length > pkt->frag_length) { - return NT_STATUS_INTERNAL_ERROR; - } --- -2.8.1 - - -From 2341eb0cf8395b1fed628ee6779207d916827a5d Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 9 Jul 2015 07:59:24 +0200 -Subject: [PATCH 10/40] CVE-2015-5370: s3:librpc/rpc: remove auth trailer and - possible padding within dcerpc_check_auth() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This simplifies the callers a lot. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit df3cdf072d1c1e6fd0a58e0374348758f5c65a49) ---- - source3/librpc/rpc/dcerpc.h | 5 ++--- - source3/librpc/rpc/dcerpc_helpers.c | 31 ++++++++++++++++++++----------- - source3/rpc_client/cli_pipe.c | 33 ++++++++++----------------------- - source3/rpc_server/srv_pipe.c | 17 +---------------- - 4 files changed, 33 insertions(+), 53 deletions(-) - -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h -index d14d8e0..e7cca9e 100644 ---- a/source3/librpc/rpc/dcerpc.h -+++ b/source3/librpc/rpc/dcerpc.h -@@ -85,9 +85,8 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth, - NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - struct ncacn_packet *pkt, - DATA_BLOB *pkt_trailer, -- size_t header_size, -- DATA_BLOB *raw_pkt, -- size_t *pad_len); -+ uint8_t header_size, -+ DATA_BLOB *raw_pkt); - - /* The following definitions come from librpc/rpc/rpc_common.c */ - -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c -index 76f2acc..d871339 100644 ---- a/source3/librpc/rpc/dcerpc_helpers.c -+++ b/source3/librpc/rpc/dcerpc_helpers.c -@@ -844,19 +844,18 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth, - * - * @param auth The auth data for the connection - * @param pkt The actual ncacn_packet --* @param pkt_trailer The stub_and_verifier part of the packet -+* @param pkt_trailer [in][out] The stub_and_verifier part of the packet, -+* the auth_trailer and padding will be removed. - * @param header_size The header size - * @param raw_pkt The whole raw packet data blob --* @param pad_len [out] The padding length used in the packet - * - * @return A NTSTATUS error code - */ - NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - struct ncacn_packet *pkt, - DATA_BLOB *pkt_trailer, -- size_t header_size, -- DATA_BLOB *raw_pkt, -- size_t *pad_len) -+ uint8_t header_size, -+ DATA_BLOB *raw_pkt) - { - struct schannel_state *schannel_auth; - struct auth_ntlmssp_state *ntlmssp_ctx; -@@ -868,6 +867,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - DATA_BLOB full_pkt; - DATA_BLOB data; - -+ /* -+ * These check should be done in the caller. -+ */ -+ SMB_ASSERT(raw_pkt->length == pkt->frag_length); -+ SMB_ASSERT(header_size <= pkt->frag_length); -+ SMB_ASSERT(pkt_trailer->length < pkt->frag_length); -+ SMB_ASSERT((pkt_trailer->length + header_size) <= pkt->frag_length); -+ - switch (auth->auth_level) { - case DCERPC_AUTH_LEVEL_PRIVACY: - DEBUG(10, ("Requested Privacy.\n")); -@@ -881,7 +888,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - if (pkt->auth_length != 0) { - break; - } -- *pad_len = 0; - return NT_STATUS_OK; - - case DCERPC_AUTH_LEVEL_NONE: -@@ -890,7 +896,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - "authenticated connection!\n")); - return NT_STATUS_INVALID_PARAMETER; - } -- *pad_len = 0; - return NT_STATUS_OK; - - default: -@@ -909,10 +914,11 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - return status; - } - -+ pkt_trailer->length -= auth_length; - data = data_blob_const(raw_pkt->data + header_size, -- pkt_trailer->length - auth_length); -- full_pkt = data_blob_const(raw_pkt->data, -- raw_pkt->length - auth_info.credentials.length); -+ pkt_trailer->length); -+ full_pkt = data_blob_const(raw_pkt->data, raw_pkt->length); -+ full_pkt.length -= auth_info.credentials.length; - - switch (auth->auth_type) { - case DCERPC_AUTH_TYPE_NONE: -@@ -988,10 +994,13 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - * pkt_trailer actually has a copy of the raw data, and they - * are still both used in later calls */ - if (auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { -+ if (pkt_trailer->length != data.length) { -+ return NT_STATUS_INVALID_PARAMETER; -+ } - memcpy(pkt_trailer->data, data.data, data.length); - } - -- *pad_len = auth_info.auth_pad_length; -+ pkt_trailer->length -= auth_info.auth_pad_length; - data_blob_free(&auth_info.credentials); - return NT_STATUS_OK; - } -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 2787fbc..776e2bf 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -404,9 +404,9 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, - DATA_BLOB *rdata, - DATA_BLOB *reply_pdu) - { -- struct dcerpc_response *r; -+ const struct dcerpc_response *r = NULL; -+ DATA_BLOB tmp_stub = data_blob_null; - NTSTATUS ret = NT_STATUS_OK; -- size_t pad_len = 0; - - /* - * Point the return values at the real data including the RPC -@@ -440,37 +440,24 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, - - r = &pkt->u.response; - -+ tmp_stub.data = r->stub_and_verifier.data; -+ tmp_stub.length = r->stub_and_verifier.length; -+ - /* Here's where we deal with incoming sign/seal. */ - ret = dcerpc_check_auth(cli->auth, pkt, -- &r->stub_and_verifier, -+ &tmp_stub, - DCERPC_RESPONSE_LENGTH, -- pdu, &pad_len); -+ pdu); - if (!NT_STATUS_IS_OK(ret)) { - return ret; - } - -- if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) { -- return NT_STATUS_BUFFER_TOO_SMALL; -- } -- - /* Point the return values at the NDR data. */ -- rdata->data = r->stub_and_verifier.data; -- -- if (pkt->auth_length) { -- /* We've already done integer wrap tests in -- * dcerpc_check_auth(). */ -- rdata->length = r->stub_and_verifier.length -- - pad_len -- - DCERPC_AUTH_TRAILER_LENGTH -- - pkt->auth_length; -- } else { -- rdata->length = r->stub_and_verifier.length; -- } -+ *rdata = tmp_stub; - -- DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n", -+ DEBUG(10, ("Got pdu len %lu, data_len %lu\n", - (long unsigned int)pdu->length, -- (long unsigned int)rdata->length, -- (unsigned int)pad_len)); -+ (long unsigned int)rdata->length)); - - /* - * If this is the first reply, and the allocation hint is -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 964b843..0ab7dc6 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1848,7 +1848,6 @@ static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth, - { - NTSTATUS status; - size_t hdr_size = DCERPC_REQUEST_LENGTH; -- size_t pad_len; - - DEBUG(10, ("Checking request auth.\n")); - -@@ -1859,25 +1858,11 @@ static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth, - /* in case of sealing this function will unseal the data in place */ - status = dcerpc_check_auth(auth, pkt, - &pkt->u.request.stub_and_verifier, -- hdr_size, raw_pkt, -- &pad_len); -+ hdr_size, raw_pkt); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - -- -- /* remove padding and auth trailer, -- * this way the caller will get just the data */ -- if (pkt->auth_length) { -- size_t trail_len = pad_len -- + DCERPC_AUTH_TRAILER_LENGTH -- + pkt->auth_length; -- if (pkt->u.request.stub_and_verifier.length < trail_len) { -- return NT_STATUS_INFO_LENGTH_MISMATCH; -- } -- pkt->u.request.stub_and_verifier.length -= trail_len; -- } -- - return NT_STATUS_OK; - } - --- -2.8.1 - - -From 9ecba8f4635aa5dbd42e4838ce124a92395b64ab Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 9 Jul 2015 07:59:24 +0200 -Subject: [PATCH 11/40] CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() - auth_{type,level} against the expected values. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 19f489d32c03ff5fafd34fe86a075d782af1989a) ---- - source3/librpc/rpc/dcerpc_helpers.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c -index d871339..c07835f 100644 ---- a/source3/librpc/rpc/dcerpc_helpers.c -+++ b/source3/librpc/rpc/dcerpc_helpers.c -@@ -914,6 +914,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - return status; - } - -+ if (auth_info.auth_type != auth->auth_type) { -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ -+ if (auth_info.auth_level != auth->auth_level) { -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ - pkt_trailer->length -= auth_length; - data = data_blob_const(raw_pkt->data + header_size, - pkt_trailer->length); --- -2.8.1 - - -From 765c10dacf39a3c06c6b12651c205ac270e7fcea Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 12/40] CVE-2015-5370: s3:rpc_client: make use of - dcerpc_pull_auth_trailer() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The does much more validation than dcerpc_pull_dcerpc_auth(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit acea87f158f02c3240abff45c3e54c7d5fa60b29) ---- - source3/rpc_client/cli_pipe.c | 20 ++++++-------------- - 1 file changed, 6 insertions(+), 14 deletions(-) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 776e2bf..27e37f8 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -1938,20 +1938,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) - rpc_pipe_bind_step_two_trigger(req); - return; - -- case DCERPC_AUTH_TYPE_NTLMSSP: -- case DCERPC_AUTH_TYPE_SPNEGO: -- case DCERPC_AUTH_TYPE_KRB5: -- /* Paranoid lenght checks */ -- if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH -- + pkt->auth_length) { -- tevent_req_nterror(req, -- NT_STATUS_INFO_LENGTH_MISMATCH); -+ default: -+ if (pkt->auth_length == 0) { -+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); - return; - } - /* get auth credentials */ -- status = dcerpc_pull_dcerpc_auth(talloc_tos(), -- &pkt->u.bind_ack.auth_info, -- &auth, false); -+ status = dcerpc_pull_auth_trailer(pkt, talloc_tos(), -+ &pkt->u.bind_ack.auth_info, -+ &auth, NULL, true); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to pull dcerpc auth: %s.\n", - nt_errstr(status))); -@@ -1959,9 +1954,6 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) - return; - } - break; -- -- default: -- goto err_out; - } - - /* --- -2.8.1 - - -From b58616bbcc810b076e5fd9dd976272847f832b06 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 13/40] CVE-2015-5370: s3:rpc_client: make use of - dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 81bbffa14f5f6faa9801a3bf2d564d2762d49bb6) ---- - source3/rpc_client/cli_pipe.c | 111 ++++++++++++++++++++++++++++++++++++------ - 1 file changed, 96 insertions(+), 15 deletions(-) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 27e37f8..6a22d38 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -429,17 +429,89 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, - - /* Ensure we have the correct type. */ - switch (pkt->ptype) { -- case DCERPC_PKT_ALTER_RESP: -+ case DCERPC_PKT_BIND_NAK: -+ DEBUG(1, (__location__ ": Bind NACK received from %s!\n", -+ rpccli_pipe_txt(talloc_tos(), cli))); -+ -+ ret = dcerpc_verify_ncacn_packet_header(pkt, -+ DCERPC_PKT_BIND_NAK, -+ 0, /* max_auth_info */ -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST, -+ 0); /* optional flags */ -+ if (!NT_STATUS_IS_OK(ret)) { -+ DEBUG(1, (__location__ ": Connection to %s got an unexpected " -+ "RPC packet type - %u, expected %u: %s\n", -+ rpccli_pipe_txt(talloc_tos(), cli), -+ pkt->ptype, expected_pkt_type, -+ nt_errstr(ret))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ return ret; -+ } -+ -+ /* Use this for now... */ -+ return NT_STATUS_NETWORK_ACCESS_DENIED; -+ - case DCERPC_PKT_BIND_ACK: -+ ret = dcerpc_verify_ncacn_packet_header(pkt, -+ expected_pkt_type, -+ pkt->u.bind_ack.auth_info.length, -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST, -+ DCERPC_PFC_FLAG_CONC_MPX | -+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN); -+ if (!NT_STATUS_IS_OK(ret)) { -+ DEBUG(1, (__location__ ": Connection to %s got an unexpected " -+ "RPC packet type - %u, expected %u: %s\n", -+ rpccli_pipe_txt(talloc_tos(), cli), -+ pkt->ptype, expected_pkt_type, -+ nt_errstr(ret))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ return ret; -+ } - -- /* Client code never receives this kind of packets */ - break; - -+ case DCERPC_PKT_ALTER_RESP: -+ ret = dcerpc_verify_ncacn_packet_header(pkt, -+ expected_pkt_type, -+ pkt->u.alter_resp.auth_info.length, -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST, -+ DCERPC_PFC_FLAG_CONC_MPX | -+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN); -+ if (!NT_STATUS_IS_OK(ret)) { -+ DEBUG(1, (__location__ ": Connection to %s got an unexpected " -+ "RPC packet type - %u, expected %u: %s\n", -+ rpccli_pipe_txt(talloc_tos(), cli), -+ pkt->ptype, expected_pkt_type, -+ nt_errstr(ret))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ return ret; -+ } -+ -+ break; - - case DCERPC_PKT_RESPONSE: - - r = &pkt->u.response; - -+ ret = dcerpc_verify_ncacn_packet_header(pkt, -+ expected_pkt_type, -+ r->stub_and_verifier.length, -+ 0, /* required_flags */ -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST); -+ if (!NT_STATUS_IS_OK(ret)) { -+ DEBUG(1, (__location__ ": Connection to %s got an unexpected " -+ "RPC packet type - %u, expected %u: %s\n", -+ rpccli_pipe_txt(talloc_tos(), cli), -+ pkt->ptype, expected_pkt_type, -+ nt_errstr(ret))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ return ret; -+ } -+ - tmp_stub.data = r->stub_and_verifier.data; - tmp_stub.length = r->stub_and_verifier.length; - -@@ -449,6 +521,12 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, - DCERPC_RESPONSE_LENGTH, - pdu); - if (!NT_STATUS_IS_OK(ret)) { -+ DEBUG(1, (__location__ ": Connection to %s got an unexpected " -+ "RPC packet type - %u, expected %u: %s\n", -+ rpccli_pipe_txt(talloc_tos(), cli), -+ pkt->ptype, expected_pkt_type, -+ nt_errstr(ret))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); - return ret; - } - -@@ -478,14 +556,24 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, - - break; - -- case DCERPC_PKT_BIND_NAK: -- DEBUG(1, (__location__ ": Bind NACK received from %s!\n", -- rpccli_pipe_txt(talloc_tos(), cli))); -- /* Use this for now... */ -- return NT_STATUS_NETWORK_ACCESS_DENIED; -- - case DCERPC_PKT_FAULT: - -+ ret = dcerpc_verify_ncacn_packet_header(pkt, -+ DCERPC_PKT_FAULT, -+ 0, /* max_auth_info */ -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST, -+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE); -+ if (!NT_STATUS_IS_OK(ret)) { -+ DEBUG(1, (__location__ ": Connection to %s got an unexpected " -+ "RPC packet type - %u, expected %u: %s\n", -+ rpccli_pipe_txt(talloc_tos(), cli), -+ pkt->ptype, expected_pkt_type, -+ nt_errstr(ret))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ return ret; -+ } -+ - DEBUG(1, (__location__ ": RPC fault code %s received " - "from %s!\n", - dcerpc_errstr(talloc_tos(), -@@ -502,13 +590,6 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, - return NT_STATUS_RPC_PROTOCOL_ERROR; - } - -- if (pkt->ptype != expected_pkt_type) { -- DEBUG(3, (__location__ ": Connection to %s got an unexpected " -- "RPC packet type - %u, not %u\n", -- rpccli_pipe_txt(talloc_tos(), cli), -- pkt->ptype, expected_pkt_type)); -- return NT_STATUS_RPC_PROTOCOL_ERROR; -- } - - if (pkt->call_id != call_id) { - DEBUG(3, (__location__ ": Connection to %s got an unexpected " --- -2.8.1 - - -From 3e03b1e6d5b20c14d53763f22442bf510a8d6dcd Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 10 Jul 2015 14:48:38 +0200 -Subject: [PATCH 14/40] CVE-2015-5370: s3:rpc_client: protect - rpc_api_pipe_got_pdu() against too large payloads -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 98182969e761429e577064e1a0fd5cbc6b50d7d9) ---- - source3/rpc_client/cli_pipe.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 6a22d38..755b458 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -1007,6 +1007,11 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) - return; - } - -+ if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) { -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); -+ return; -+ } -+ - /* Now copy the data portion out of the pdu into rbuf. */ - if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) { - if (!data_blob_realloc(NULL, &state->reply_pdu, --- -2.8.1 - - -From fa884c266be5d808d19955f92921417f435b2957 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 22:51:18 +0200 -Subject: [PATCH 15/40] CVE-2015-5370: s3:rpc_client: verify auth_{type,level} - in rpc_pipe_bind_step_one_done() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit df51c22bea7fbf906613ceb160f16f298b2e3106) ---- - source3/rpc_client/cli_pipe.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 755b458..1c4ff01 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -2039,6 +2039,21 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) - tevent_req_nterror(req, status); - return; - } -+ -+ if (auth.auth_type != pauth->auth_type) { -+ DEBUG(0, (__location__ " Auth type %u mismatch expected %u.\n", -+ auth.auth_type, pauth->auth_type)); -+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); -+ return; -+ } -+ -+ if (auth.auth_level != pauth->auth_level) { -+ DEBUG(0, (__location__ " Auth level %u mismatch expected %u.\n", -+ auth.auth_level, pauth->auth_level)); -+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); -+ return; -+ } -+ - break; - } - --- -2.8.1 - - -From 6d2767ad8b084590c572e90d1985ca6d7d36b188 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 16/40] CVE-2015-5370: s3:rpc_server: make use of - dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 2a92546590a78760d2fe0e63067a3888dbce53be) ---- - source3/rpc_server/srv_pipe.c | 62 +++++++++---------------------------------- - 1 file changed, 13 insertions(+), 49 deletions(-) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 0ab7dc6..40b1b8e 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1012,25 +1012,12 @@ static bool api_pipe_bind_req(struct pipes_struct *p, - * Check if this is an authenticated bind request. - */ - if (pkt->auth_length) { -- /* Quick length check. Won't catch a bad auth footer, -- * prevents overrun. */ -- -- if (pkt->frag_length < RPC_HEADER_LEN + -- DCERPC_AUTH_TRAILER_LENGTH + -- pkt->auth_length) { -- DEBUG(0,("api_pipe_bind_req: auth_len (%u) " -- "too long for fragment %u.\n", -- (unsigned int)pkt->auth_length, -- (unsigned int)pkt->frag_length)); -- goto err_exit; -- } -- - /* - * Decode the authentication verifier. - */ -- status = dcerpc_pull_dcerpc_auth(pkt, -- &pkt->u.bind.auth_info, -- &auth_info, p->endian); -+ status = dcerpc_pull_auth_trailer(pkt, pkt, -+ &pkt->u.bind.auth_info, -+ &auth_info, NULL, true); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n")); - goto err_exit; -@@ -1233,23 +1220,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) - goto err; - } - -- /* Ensure there's enough data for an authenticated request. */ -- if (pkt->frag_length < RPC_HEADER_LEN -- + DCERPC_AUTH_TRAILER_LENGTH -- + pkt->auth_length) { -- DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len " -- "%u is too large.\n", -- (unsigned int)pkt->auth_length)); -- goto err; -- } -- - /* - * Decode the authentication verifier response. - */ - -- status = dcerpc_pull_dcerpc_auth(pkt, -- &pkt->u.auth3.auth_info, -- &auth_info, p->endian); -+ status = dcerpc_pull_auth_trailer(pkt, pkt, -+ &pkt->u.auth3.auth_info, -+ &auth_info, NULL, true); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n")); - goto err; -@@ -1382,34 +1359,21 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - * Check if this is an authenticated alter context request. - */ - if (pkt->auth_length) { -- /* Quick length check. Won't catch a bad auth footer, -- * prevents overrun. */ -- -- if (pkt->frag_length < RPC_HEADER_LEN + -- DCERPC_AUTH_TRAILER_LENGTH + -- pkt->auth_length) { -- DEBUG(0,("api_pipe_alter_context: auth_len (%u) " -- "too long for fragment %u.\n", -- (unsigned int)pkt->auth_length, -- (unsigned int)pkt->frag_length )); -+ /* We can only finish if the pipe is unbound for now */ -+ if (p->pipe_bound) { -+ DEBUG(0, (__location__ ": Pipe already bound, " -+ "Altering Context not yet supported!\n")); - goto err_exit; - } - -- status = dcerpc_pull_dcerpc_auth(pkt, -- &pkt->u.bind.auth_info, -- &auth_info, p->endian); -+ status = dcerpc_pull_auth_trailer(pkt, pkt, -+ &pkt->u.bind.auth_info, -+ &auth_info, NULL, true); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n")); - goto err_exit; - } - -- /* We can only finish if the pipe is unbound for now */ -- if (p->pipe_bound) { -- DEBUG(0, (__location__ ": Pipe already bound, " -- "Altering Context not yet supported!\n")); -- goto err_exit; -- } -- - if (auth_info.auth_type != p->auth.auth_type) { - DEBUG(0, ("Auth type mismatch! Client sent %d, " - "but auth was started as type %d!\n", --- -2.8.1 - - -From 7400ac11282d540d4f5f80d0f58ec99beabb7d8e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 23 Dec 2015 12:38:55 +0100 -Subject: [PATCH 17/40] CVE-2015-5370: s3:rpc_server: let a failing - sec_verification_trailer mark the connection as broken - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 189c0fbb7a3405f0893f23e5b8d755d259f98eaf) ---- - source3/rpc_server/srv_pipe.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 40b1b8e..da9b91c 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1663,6 +1663,7 @@ static bool api_pipe_request(struct pipes_struct *p, - - if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) { - DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n")); -+ set_incoming_fault(p); - setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED)); - data_blob_free(&p->out_data.rdata); - TALLOC_FREE(frame); --- -2.8.1 - - -From 55da4653f5986989e46be6320f96590f8ebb4ef7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 18/40] CVE-2015-5370: s3:rpc_server: don't ignore failures of - dcerpc_push_ncacn_packet() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 25bf597124f217c55b5ca71a5ea9cb0ea83943e5) ---- - source3/rpc_server/srv_pipe.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index da9b91c..71b4665 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1152,6 +1152,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p, - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n", - nt_errstr(status))); -+ goto err_exit; - } - - if (auth_resp.length) { -@@ -1469,6 +1470,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n", - nt_errstr(status))); -+ goto err_exit; - } - - if (auth_resp.length) { --- -2.8.1 - - -From 893c840a1aac6711a081eb8e25f2c2a6078fc373 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 19/40] CVE-2015-5370: s3:rpc_server: don't allow auth3 if the - authentication was already finished -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 69280e6acef7c3941407d4308b659c5e90ed702d) ---- - source3/rpc_server/srv_pipe.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 71b4665..4e5b50d4 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1216,8 +1216,15 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) - - DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__)); - -+ /* We can only finish if the pipe is unbound for now */ -+ if (p->pipe_bound) { -+ DEBUG(0, (__location__ ": Pipe already bound, " -+ "AUTH3 not supported!\n")); -+ goto err; -+ } -+ - if (pkt->auth_length == 0) { -- DEBUG(0, ("No auth field sent for bind request!\n")); -+ DEBUG(1, ("No auth field sent for auth3 request!\n")); - goto err; - } - --- -2.8.1 - - -From a66baed0c65b7acb4d76ef9ea3ae1248a6b5773a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 14 Jul 2015 16:18:45 +0200 -Subject: [PATCH 20/40] CVE-2015-5370: s3:rpc_server: let a failing auth3 mark - the authentication as invalid -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 8c96ef7b4fbd925607b26d351b14ad9a95febd88) ---- - source3/rpc_server/srv_pipe.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 4e5b50d4..d28ba8e 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1304,7 +1304,7 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) - return true; - - err: -- -+ p->pipe_bound = false; - TALLOC_FREE(p->auth.auth_ctx); - return false; - } --- -2.8.1 - - -From e47becdf2c03d68662ab998c4608adb371ca2f08 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 21/40] CVE-2015-5370: s3:rpc_server: make sure auth_level - isn't changed by alter_context or auth3 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 63d21d2546a1064be73582a499ec15b0e11e2708) ---- - source3/rpc_server/srv_pipe.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index d28ba8e..1b81a4c 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1252,6 +1252,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) - goto err; - } - -+ if (auth_info.auth_level != p->auth.auth_level) { -+ DEBUG(1, ("Auth level mismatch! Client sent %d, " -+ "but auth was started as level %d!\n", -+ auth_info.auth_level, p->auth.auth_level)); -+ goto err; -+ } -+ - switch (auth_info.auth_type) { - case DCERPC_AUTH_TYPE_NTLMSSP: - ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, -@@ -1389,6 +1396,12 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - goto err_exit; - } - -+ if (auth_info.auth_level != p->auth.auth_level) { -+ DEBUG(0, ("Auth level mismatch! Client sent %d, " -+ "but auth was started as level %d!\n", -+ auth_info.auth_level, p->auth.auth_level)); -+ goto err_exit; -+ } - - switch (auth_info.auth_type) { - case DCERPC_AUTH_TYPE_SPNEGO: --- -2.8.1 - - -From 687a4801391c946a62d07a7bdad096a97da0d432 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 7 Jul 2015 09:15:39 +0200 -Subject: [PATCH 22/40] CVE-2015-5370: s3:rpc_server: ensure that the message - ordering doesn't violate the spec -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The first pdu is always a BIND. - -REQUEST pdus are only allowed once the authentication -is finished. - -A simple anonymous authentication is finished after the BIND. -Real authentication may need additional ALTER or AUTH3 exchanges. - -Pair-Programmed-With: Stefan Metzmacher - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Jeremy Allison -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 0239bfa562ee303c4ac204375b3c66ca287f6cb0) ---- - source3/include/ntdomain.h | 7 ++++++ - source3/rpc_server/rpc_ncacn_np.c | 1 + - source3/rpc_server/rpc_server.c | 1 + - source3/rpc_server/srv_pipe.c | 51 ++++++++++++++++++++++++++++++++++----- - 4 files changed, 54 insertions(+), 6 deletions(-) - -diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h -index 650f1d0..b3c5451 100644 ---- a/source3/include/ntdomain.h -+++ b/source3/include/ntdomain.h -@@ -139,6 +139,13 @@ struct pipes_struct { - bool pipe_bound; - - /* -+ * States we can be in. -+ */ -+ bool allow_alter; -+ bool allow_bind; -+ bool allow_auth3; -+ -+ /* - * Set the DCERPC_FAULT to return. - */ - -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c -index efdee27..f2e9d10 100644 ---- a/source3/rpc_server/rpc_ncacn_np.c -+++ b/source3/rpc_server/rpc_ncacn_np.c -@@ -171,6 +171,7 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx, - - p->syntax = *syntax; - p->transport = NCALRPC; -+ p->allow_bind = true; - - DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n", - get_pipe_name_from_syntax(talloc_tos(), syntax), pipes_open)); -diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c -index 8ec55bb..376d26a 100644 ---- a/source3/rpc_server/rpc_server.c -+++ b/source3/rpc_server/rpc_server.c -@@ -102,6 +102,7 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx, - p->syntax = id; - p->transport = transport; - p->ncalrpc_as_system = ncalrpc_as_system; -+ p->allow_bind = true; - - p->mem_ctx = talloc_named(p, 0, "pipe %s %p", pipe_name, p); - if (!p->mem_ctx) { -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 1b81a4c..41111aa 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -279,6 +279,9 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt) - p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; - p->auth.auth_type = DCERPC_AUTH_TYPE_NONE; - p->pipe_bound = False; -+ p->allow_bind = false; -+ p->allow_alter = false; -+ p->allow_auth3 = false; - - return True; - } -@@ -828,6 +831,11 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p) - void *mech_ctx; - NTSTATUS status; - -+ if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) { -+ p->pipe_bound = true; -+ return NT_STATUS_OK; -+ } -+ - switch (p->auth.auth_type) { - case DCERPC_AUTH_TYPE_NTLMSSP: - ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, -@@ -919,13 +927,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p, - DATA_BLOB auth_resp = data_blob_null; - DATA_BLOB auth_blob = data_blob_null; - -- /* No rebinds on a bound pipe - use alter context. */ -- if (p->pipe_bound) { -- DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound " -- "pipe %s.\n", -- get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); -+ if (!p->allow_bind) { -+ DEBUG(2,("Pipe not in allow bind state\n")); - return setup_bind_nak(p, pkt); - } -+ p->allow_bind = false; - - if (pkt->u.bind.num_contexts == 0) { - DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n")); -@@ -1192,6 +1198,22 @@ static bool api_pipe_bind_req(struct pipes_struct *p, - p->out_data.current_pdu_sent = 0; - - TALLOC_FREE(auth_blob.data); -+ -+ if (bind_ack_ctx.result == 0) { -+ p->allow_alter = true; -+ p->allow_auth3 = true; -+ if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) { -+ status = pipe_auth_verify_final(p); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(0, ("pipe_auth_verify_final failed: %s\n", -+ nt_errstr(status))); -+ goto err_exit; -+ } -+ } -+ } else { -+ goto err_exit; -+ } -+ - return True; - - err_exit: -@@ -1216,6 +1238,11 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) - - DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__)); - -+ if (!p->allow_auth3) { -+ DEBUG(1, ("Pipe not in allow auth3 state.\n")); -+ goto err; -+ } -+ - /* We can only finish if the pipe is unbound for now */ - if (p->pipe_bound) { - DEBUG(0, (__location__ ": Pipe already bound, " -@@ -1312,6 +1339,10 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) - - err: - p->pipe_bound = false; -+ p->allow_bind = false; -+ p->allow_alter = false; -+ p->allow_auth3 = false; -+ - TALLOC_FREE(p->auth.auth_ctx); - return false; - } -@@ -1338,6 +1369,11 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - - DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__)); - -+ if (!p->allow_alter) { -+ DEBUG(1, ("Pipe not in allow alter state.\n")); -+ goto err_exit; -+ } -+ - if (pkt->u.bind.assoc_group_id != 0) { - assoc_gid = pkt->u.bind.assoc_group_id; - } else { -@@ -1363,7 +1399,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - bind_ack_ctx.reason = 0; - bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0]; - } else { -- p->pipe_bound = False; - /* Rejection reason: abstract syntax not supported */ - bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT; - bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX; -@@ -1826,6 +1861,10 @@ void set_incoming_fault(struct pipes_struct *p) - p->in_data.pdu.length = 0; - p->fault_state = DCERPC_FAULT_CANT_PERFORM; - -+ p->allow_alter = false; -+ p->allow_auth3 = false; -+ p->pipe_bound = false; -+ - DEBUG(10, ("Setting fault state\n")); - } - --- -2.8.1 - - -From 45701966d49ec1003f19c137a548c26915f75a99 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 16:06:59 +0200 -Subject: [PATCH 23/40] CVE-2015-5370: s3:rpc_server: use 'alter' instead of - 'bind' for variables in api_pipe_alter_context() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit cdefee174d2f8920323e9e62966df4f4ced49ed3) ---- - source3/rpc_server/srv_pipe.c | 32 ++++++++++++++++---------------- - 1 file changed, 16 insertions(+), 16 deletions(-) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 41111aa..382d94a 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1359,7 +1359,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - uint16 assoc_gid; - NTSTATUS status; - union dcerpc_payload u; -- struct dcerpc_ack_ctx bind_ack_ctx; -+ struct dcerpc_ack_ctx alter_ack_ctx; - DATA_BLOB auth_resp = data_blob_null; - DATA_BLOB auth_blob = data_blob_null; - int pad_len = 0; -@@ -1374,8 +1374,8 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - goto err_exit; - } - -- if (pkt->u.bind.assoc_group_id != 0) { -- assoc_gid = pkt->u.bind.assoc_group_id; -+ if (pkt->u.alter.assoc_group_id != 0) { -+ assoc_gid = pkt->u.alter.assoc_group_id; - } else { - assoc_gid = 0x53f0; - } -@@ -1385,24 +1385,24 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - */ - - /* If the requested abstract synt uuid doesn't match our client pipe, -- reject the bind_ack & set the transfer interface synt to all 0's, -+ reject the alter_ack & set the transfer interface synt to all 0's, - ver 0 (observed when NT5 attempts to bind to abstract interfaces - unknown to NT4) - Needed when adding entries to a DACL from NT5 - SK */ - - if (check_bind_req(p, -- &pkt->u.bind.ctx_list[0].abstract_syntax, -- &pkt->u.bind.ctx_list[0].transfer_syntaxes[0], -- pkt->u.bind.ctx_list[0].context_id)) { -+ &pkt->u.alter.ctx_list[0].abstract_syntax, -+ &pkt->u.alter.ctx_list[0].transfer_syntaxes[0], -+ pkt->u.alter.ctx_list[0].context_id)) { - -- bind_ack_ctx.result = 0; -- bind_ack_ctx.reason = 0; -- bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0]; -+ alter_ack_ctx.result = 0; -+ alter_ack_ctx.reason = 0; -+ alter_ack_ctx.syntax = pkt->u.alter.ctx_list[0].transfer_syntaxes[0]; - } else { - /* Rejection reason: abstract syntax not supported */ -- bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT; -- bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX; -- bind_ack_ctx.syntax = null_ndr_syntax_id; -+ alter_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT; -+ alter_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX; -+ alter_ack_ctx.syntax = null_ndr_syntax_id; - } - - /* -@@ -1417,7 +1417,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - } - - status = dcerpc_pull_auth_trailer(pkt, pkt, -- &pkt->u.bind.auth_info, -+ &pkt->u.alter.auth_info, - &auth_info, NULL, true); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n")); -@@ -1503,7 +1503,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - u.alter_resp.secondary_address_size = 1; - - u.alter_resp.num_results = 1; -- u.alter_resp.ctx_list = &bind_ack_ctx; -+ u.alter_resp.ctx_list = &alter_ack_ctx; - - /* NOTE: We leave the auth_info empty so we can calculate the padding - * later and then append the auth_info --simo */ -@@ -1523,7 +1523,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - &u, - &p->out_data.frag); - if (!NT_STATUS_IS_OK(status)) { -- DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n", -+ DEBUG(0, ("Failed to marshall alter_resp packet. (%s)\n", - nt_errstr(status))); - goto err_exit; - } --- -2.8.1 - - -From 62b936e134a53662601b0f614f95dbca5ff7a369 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 16:06:59 +0200 -Subject: [PATCH 24/40] CVE-2015-5370: s3:rpc_server: verify presentation - context arrays -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 1e6b4abac14840e4cee1afc5d4811b0f0277eade) ---- - source3/rpc_server/srv_pipe.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 382d94a..335af2a 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -934,7 +934,12 @@ static bool api_pipe_bind_req(struct pipes_struct *p, - p->allow_bind = false; - - if (pkt->u.bind.num_contexts == 0) { -- DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n")); -+ DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n")); -+ goto err_exit; -+ } -+ -+ if (pkt->u.bind.ctx_list[0].num_transfer_syntaxes == 0) { -+ DEBUG(1, ("api_pipe_bind_req: no transfer syntaxes around\n")); - goto err_exit; - } - -@@ -1374,6 +1379,16 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - goto err_exit; - } - -+ if (pkt->u.alter.num_contexts == 0) { -+ DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n")); -+ goto err_exit; -+ } -+ -+ if (pkt->u.alter.ctx_list[0].num_transfer_syntaxes == 0) { -+ DEBUG(1, ("api_pipe_alter_context: no transfer syntaxes around\n")); -+ goto err_exit; -+ } -+ - if (pkt->u.alter.assoc_group_id != 0) { - assoc_gid = pkt->u.alter.assoc_group_id; - } else { --- -2.8.1 - - -From 585e8aefafcb5f8c501cdf4454b375ebda82f7a6 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 16:06:59 +0200 -Subject: [PATCH 25/40] CVE-2015-5370: s3:rpc_server: make use of - dcerpc_verify_ncacn_packet_header() to verify incoming pdus -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit e39fdceb25fc75b6f8c77c097bf8dbd2f4286618) ---- - source3/rpc_server/srv_pipe.c | 81 +++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 81 insertions(+) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 335af2a..2f404b4 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -42,6 +42,7 @@ - #include "auth.h" - #include "ntdomain.h" - #include "rpc_server/srv_pipe.h" -+#include "../librpc/gen_ndr/ndr_dcerpc.h" - #include "../librpc/ndr/ndr_dcerpc.h" - #include "../librpc/gen_ndr/ndr_samr.h" - #include "../librpc/gen_ndr/ndr_lsa.h" -@@ -933,6 +934,25 @@ static bool api_pipe_bind_req(struct pipes_struct *p, - } - p->allow_bind = false; - -+ status = dcerpc_verify_ncacn_packet_header(pkt, -+ DCERPC_PKT_BIND, -+ pkt->u.bind.auth_info.length, -+ 0, /* required flags */ -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST | -+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN | -+ 0x08 | /* this is not defined, but should be ignored */ -+ DCERPC_PFC_FLAG_CONC_MPX | -+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE | -+ DCERPC_PFC_FLAG_MAYBE | -+ DCERPC_PFC_FLAG_OBJECT_UUID); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n", -+ nt_errstr(status))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ goto err_exit; -+ } -+ - if (pkt->u.bind.num_contexts == 0) { - DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n")); - goto err_exit; -@@ -1248,6 +1268,25 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) - goto err; - } - -+ status = dcerpc_verify_ncacn_packet_header(pkt, -+ DCERPC_PKT_AUTH3, -+ pkt->u.auth3.auth_info.length, -+ 0, /* required flags */ -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST | -+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN | -+ 0x08 | /* this is not defined, but should be ignored */ -+ DCERPC_PFC_FLAG_CONC_MPX | -+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE | -+ DCERPC_PFC_FLAG_MAYBE | -+ DCERPC_PFC_FLAG_OBJECT_UUID); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n", -+ nt_errstr(status))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ goto err; -+ } -+ - /* We can only finish if the pipe is unbound for now */ - if (p->pipe_bound) { - DEBUG(0, (__location__ ": Pipe already bound, " -@@ -1379,6 +1418,25 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - goto err_exit; - } - -+ status = dcerpc_verify_ncacn_packet_header(pkt, -+ DCERPC_PKT_ALTER, -+ pkt->u.alter.auth_info.length, -+ 0, /* required flags */ -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST | -+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN | -+ 0x08 | /* this is not defined, but should be ignored */ -+ DCERPC_PFC_FLAG_CONC_MPX | -+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE | -+ DCERPC_PFC_FLAG_MAYBE | -+ DCERPC_PFC_FLAG_OBJECT_UUID); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n", -+ nt_errstr(status))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ goto err_exit; -+ } -+ - if (pkt->u.alter.num_contexts == 0) { - DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n")); - goto err_exit; -@@ -1923,6 +1981,29 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt - return False; - } - -+ /* -+ * We don't ignore DCERPC_PFC_FLAG_PENDING_CANCEL. -+ * TODO: we can reject it with DCERPC_FAULT_NO_CALL_ACTIVE later. -+ */ -+ status = dcerpc_verify_ncacn_packet_header(pkt, -+ DCERPC_PKT_REQUEST, -+ pkt->u.request.stub_and_verifier.length, -+ 0, /* required_flags */ -+ DCERPC_PFC_FLAG_FIRST | -+ DCERPC_PFC_FLAG_LAST | -+ 0x08 | /* this is not defined, but should be ignored */ -+ DCERPC_PFC_FLAG_CONC_MPX | -+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE | -+ DCERPC_PFC_FLAG_MAYBE | -+ DCERPC_PFC_FLAG_OBJECT_UUID); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(1, ("process_request_pdu: invalid pdu: %s\n", -+ nt_errstr(status))); -+ NDR_PRINT_DEBUG(ncacn_packet, pkt); -+ set_incoming_fault(p); -+ return false; -+ } -+ - /* Store the opnum */ - p->opnum = pkt->u.request.opnum; - --- -2.8.1 - - -From b16b1a5f331adc3bb2f3d0bee586ec084935a202 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 23 Dec 2015 12:40:58 +0100 -Subject: [PATCH 26/40] CVE-2015-5370: s3:rpc_server: disconnect the connection - after a fatal FAULT pdu -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 664d7ace0e68b42d2de99583757e0a985647eb4b) ---- - source3/rpc_server/rpc_server.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c -index 376d26a..3ba83e0 100644 ---- a/source3/rpc_server/rpc_server.c -+++ b/source3/rpc_server/rpc_server.c -@@ -664,6 +664,12 @@ static void named_pipe_packet_done(struct tevent_req *subreq) - goto fail; - } - -+ if (npc->p->fault_state != 0) { -+ DEBUG(2, ("Disconnect after fault\n")); -+ sys_errno = EINVAL; -+ goto fail; -+ } -+ - /* clear out any data that may have been left around */ - npc->count = 0; - TALLOC_FREE(npc->iov); -@@ -1392,6 +1398,12 @@ static void dcerpc_ncacn_packet_done(struct tevent_req *subreq) - goto fail; - } - -+ if (ncacn_conn->p->fault_state != 0) { -+ DEBUG(2, ("Disconnect after fault\n")); -+ sys_errno = EINVAL; -+ goto fail; -+ } -+ - /* clear out any data that may have been left around */ - ncacn_conn->count = 0; - TALLOC_FREE(ncacn_conn->iov); --- -2.8.1 - - -From 642d2b7090e46a87bc94cabf29eccb09e329c125 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 23 Dec 2015 12:38:55 +0100 -Subject: [PATCH 27/40] CVE-2015-5370: s3:rpc_server: let a failing BIND mark - the connection as broken -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 8d97085efd8782e48d0f1162e3f56756acb99472) ---- - source3/rpc_server/srv_pipe.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 2f404b4..6275190 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -276,6 +276,7 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt) - p->out_data.data_sent_length = 0; - p->out_data.current_pdu_sent = 0; - -+ set_incoming_fault(p); - TALLOC_FREE(p->auth.auth_ctx); - p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE; - p->auth.auth_type = DCERPC_AUTH_TYPE_NONE; --- -2.8.1 - - -From f4aa07176636982d9be3c0ce2452fc43a8781d47 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 23 Dec 2015 12:38:55 +0100 -Subject: [PATCH 28/40] CVE-2015-5370: s3:rpc_server: use - DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit d30363f08efb81b22055d4445977c96df3737adf) ---- - source3/rpc_server/srv_pipe.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 6275190..3fb8855 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1933,7 +1933,7 @@ void set_incoming_fault(struct pipes_struct *p) - data_blob_free(&p->in_data.data); - p->in_data.pdu_needed_len = 0; - p->in_data.pdu.length = 0; -- p->fault_state = DCERPC_FAULT_CANT_PERFORM; -+ p->fault_state = DCERPC_NCA_S_PROTO_ERROR; - - p->allow_alter = false; - p->allow_auth3 = false; -@@ -2254,7 +2254,7 @@ done: - "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(), - &p->syntax))); - set_incoming_fault(p); -- setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); -+ setup_fault_pdu(p, NT_STATUS(DCERPC_NCA_S_PROTO_ERROR)); - TALLOC_FREE(pkt); - } else { - /* --- -2.8.1 - - -From ef175975f587d73092461c36b10e4c9cf1805727 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 11 Jul 2015 10:58:07 +0200 -Subject: [PATCH 29/40] CVE-2015-5370: s3:librpc/rpc: remove unused - dcerpc_pull_dcerpc_auth() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 02aef978ff8f16009a52c2d981d414d019bc8dd9) ---- - source3/librpc/rpc/dcerpc.h | 4 ---- - source3/librpc/rpc/dcerpc_helpers.c | 41 ------------------------------------- - 2 files changed, 45 deletions(-) - -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h -index e7cca9e..9452e85 100644 ---- a/source3/librpc/rpc/dcerpc.h -+++ b/source3/librpc/rpc/dcerpc.h -@@ -71,10 +71,6 @@ NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx, - uint32_t auth_context_id, - const DATA_BLOB *credentials, - DATA_BLOB *blob); --NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx, -- const DATA_BLOB *blob, -- struct dcerpc_auth *r, -- bool bigendian); - NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth, - size_t header_len, size_t data_left, - size_t max_xmit_frag, size_t pad_alignment, -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c -index c07835f..e4d0e3a 100644 ---- a/source3/librpc/rpc/dcerpc_helpers.c -+++ b/source3/librpc/rpc/dcerpc_helpers.c -@@ -210,47 +210,6 @@ NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx, - } - - /** --* @brief Decodes a dcerpc_auth blob --* --* @param mem_ctx The memory context on which to allocate the packet --* elements --* @param blob The blob of data to decode --* @param r An empty dcerpc_auth structure, must not be NULL --* --* @return a NTSTATUS error code --*/ --NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx, -- const DATA_BLOB *blob, -- struct dcerpc_auth *r, -- bool bigendian) --{ -- enum ndr_err_code ndr_err; -- struct ndr_pull *ndr; -- -- ndr = ndr_pull_init_blob(blob, mem_ctx); -- if (!ndr) { -- return NT_STATUS_NO_MEMORY; -- } -- if (bigendian) { -- ndr->flags |= LIBNDR_FLAG_BIGENDIAN; -- } -- -- ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, r); -- -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- talloc_free(ndr); -- return ndr_map_error2ntstatus(ndr_err); -- } -- talloc_free(ndr); -- -- if (DEBUGLEVEL >= 10) { -- NDR_PRINT_DEBUG(dcerpc_auth, r); -- } -- -- return NT_STATUS_OK; --} -- --/** - * @brief Calculate how much data we can in a packet, including calculating - * auth token and pad lengths. - * --- -2.8.1 - - -From 49d0e60d28d3b615d4ee368cd3f260b3a6386858 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 30/40] CVE-2015-5370: s3:rpc_server: check the transfer syntax - in check_bind_req() first -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 9464684010461947fa98d8ee084069e9cf362625) ---- - source3/rpc_server/srv_pipe.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 3fb8855..0e6b073 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -351,16 +351,24 @@ static bool check_bind_req(struct pipes_struct *p, - DEBUG(3,("check_bind_req for %s\n", - get_pipe_name_from_syntax(talloc_tos(), abstract))); - -+ ok = ndr_syntax_id_equal(transfer, &ndr_transfer_syntax); -+ if (!ok) { -+ DEBUG(1,("check_bind_req unknown transfer syntax for " -+ "%s context_id=%u\n", -+ get_pipe_name_from_syntax(talloc_tos(), abstract), -+ (unsigned)context_id)); -+ return false; -+ } -+ - /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */ -- if (rpc_srv_pipe_exists_by_id(abstract) && -- ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) { -- DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", -- rpc_srv_get_pipe_cli_name(abstract), -- rpc_srv_get_pipe_srv_name(abstract))); -- } else { -+ if (!rpc_srv_pipe_exists_by_id(abstract)) { - return false; - } - -+ DEBUG(3, ("check_bind_req: %s -> %s rpc service\n", -+ rpc_srv_get_pipe_cli_name(abstract), -+ rpc_srv_get_pipe_srv_name(abstract))); -+ - context_fns = SMB_MALLOC_P(struct pipe_rpc_fns); - if (context_fns == NULL) { - DEBUG(0,("check_bind_req: malloc() failed!\n")); --- -2.8.1 - - -From 7ee6698f706e51568f53347f422ac6671cdba9a4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 13:05:01 +0200 -Subject: [PATCH 31/40] CVE-2015-5370: s3:rpc_server: don't allow an existing - context to be changed in check_bind_req() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -An alter context can't change the syntax of an existing context, -a new context_id will be used for that. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit a995740d4e7fbd8fbb5c8c6280b73eaceae53574) ---- - source3/rpc_server/srv_pipe.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 0e6b073..4263a91 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -360,6 +360,28 @@ static bool check_bind_req(struct pipes_struct *p, - return false; - } - -+ for (context_fns = p->contexts; -+ context_fns != NULL; -+ context_fns = context_fns->next) -+ { -+ if (context_fns->context_id != context_id) { -+ continue; -+ } -+ -+ ok = ndr_syntax_id_equal(&context_fns->syntax, -+ abstract); -+ if (ok) { -+ return true; -+ } -+ -+ DEBUG(1,("check_bind_req: changing abstract syntax for " -+ "%s context_id=%u into %s not supported\n", -+ get_pipe_name_from_syntax(talloc_tos(), &context_fns->syntax), -+ (unsigned)context_id, -+ get_pipe_name_from_syntax(talloc_tos(), abstract))); -+ return false; -+ } -+ - /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */ - if (!rpc_srv_pipe_exists_by_id(abstract)) { - return false; --- -2.8.1 - - -From 79a238d0c868c7e182f49637b66f544dc1dd86da Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 8 Jul 2015 00:01:37 +0200 -Subject: [PATCH 32/40] CVE-2015-5370: s3:rpc_client: pass struct - pipe_auth_data to create_rpc_{bind_auth3,alter_context}() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit f556d9245c13d018d4e772f06d013ebe558703d9) ---- - source3/rpc_client/cli_pipe.c | 26 ++++++++++---------------- - 1 file changed, 10 insertions(+), 16 deletions(-) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 1c4ff01..3af3d8f 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -1816,9 +1816,8 @@ static bool check_bind_response(const struct dcerpc_bind_ack *r, - - static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx, - struct rpc_pipe_client *cli, -- uint32 rpc_call_id, -- enum dcerpc_AuthType auth_type, -- enum dcerpc_AuthLevel auth_level, -+ struct pipe_auth_data *auth, -+ uint32_t rpc_call_id, - DATA_BLOB *pauth_blob, - DATA_BLOB *rpc_out) - { -@@ -1828,8 +1827,8 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx, - u.auth3._pad = 0; - - status = dcerpc_push_dcerpc_auth(mem_ctx, -- auth_type, -- auth_level, -+ auth->auth_type, -+ auth->auth_level, - 0, /* auth_pad_length */ - 1, /* auth_context_id */ - pauth_blob, -@@ -1861,9 +1860,8 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx, - ********************************************************************/ - - static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx, -- enum dcerpc_AuthType auth_type, -- enum dcerpc_AuthLevel auth_level, -- uint32 rpc_call_id, -+ struct pipe_auth_data *auth, -+ uint32_t rpc_call_id, - const struct ndr_syntax_id *abstract, - const struct ndr_syntax_id *transfer, - const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */ -@@ -1873,8 +1871,8 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx, - NTSTATUS status; - - status = dcerpc_push_dcerpc_auth(mem_ctx, -- auth_type, -- auth_level, -+ auth->auth_type, -+ auth->auth_level, - 0, /* auth_pad_length */ - 1, /* auth_context_id */ - pauth_blob, -@@ -2300,9 +2298,7 @@ static NTSTATUS rpc_bind_next_send(struct tevent_req *req, - /* Now prepare the alter context pdu. */ - data_blob_free(&state->rpc_out); - -- status = create_rpc_alter_context(state, -- auth->auth_type, -- auth->auth_level, -+ status = create_rpc_alter_context(state, auth, - state->rpc_call_id, - &state->cli->abstract_syntax, - &state->cli->transfer_syntax, -@@ -2335,10 +2331,8 @@ static NTSTATUS rpc_bind_finish_send(struct tevent_req *req, - /* Now prepare the auth3 context pdu. */ - data_blob_free(&state->rpc_out); - -- status = create_rpc_bind_auth3(state, state->cli, -+ status = create_rpc_bind_auth3(state, state->cli, auth, - state->rpc_call_id, -- auth->auth_type, -- auth->auth_level, - auth_token, - &state->rpc_out); - if (!NT_STATUS_IS_OK(status)) { --- -2.8.1 - - -From 18a50ed6ead11287ff72cb38f100d0f2641c3e7d Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 8 Jul 2015 00:01:37 +0200 -Subject: [PATCH 33/40] CVE-2015-5370: s3:librpc/rpc: add auth_context_id to - struct pipe_auth_data -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit cbf20b43d7b40e3b6ccf044f6f51a5adff1f5e6d) ---- - source3/librpc/rpc/dcerpc.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h -index 9452e85..c25b0f5 100644 ---- a/source3/librpc/rpc/dcerpc.h -+++ b/source3/librpc/rpc/dcerpc.h -@@ -42,6 +42,7 @@ struct pipe_auth_data { - bool verified_bitmask1; - - void *auth_ctx; -+ uint32_t auth_context_id; - - /* Only the client code uses these 3 for now */ - char *domain; --- -2.8.1 - - -From 7dbaaca2a638406331d4653e1afdc18f7c8502f6 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 8 Jul 2015 00:01:37 +0200 -Subject: [PATCH 34/40] CVE-2015-5370: s3:rpc_client: make use of - pipe_auth_data->auth_context_id -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is better than using hardcoded values. -We need to use auth_context_id = 1 for authenticated -connections, as old Samba server (before this patchset) -will use a hardcoded value of 1. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit ae68d3f325c3880144b80385779c9445897646e6) ---- - source3/rpc_client/cli_pipe.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 3af3d8f..755d676 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -1314,7 +1314,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx, - auth->auth_type, - auth->auth_level, - 0, /* auth_pad_length */ -- 1, /* auth_context_id */ -+ auth->auth_context_id, - &auth_token, - &auth_info); - if (!NT_STATUS_IS_OK(ret)) { -@@ -1830,7 +1830,7 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx, - auth->auth_type, - auth->auth_level, - 0, /* auth_pad_length */ -- 1, /* auth_context_id */ -+ auth->auth_context_id, - pauth_blob, - &u.auth3.auth_info); - if (!NT_STATUS_IS_OK(status)) { -@@ -1874,7 +1874,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx, - auth->auth_type, - auth->auth_level, - 0, /* auth_pad_length */ -- 1, /* auth_context_id */ -+ auth->auth_context_id, - pauth_blob, - &auth_info); - if (!NT_STATUS_IS_OK(status)) { -@@ -2704,6 +2704,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx, - - result->auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM; - result->auth_level = DCERPC_AUTH_LEVEL_CONNECT; -+ result->auth_context_id = 1; - - result->user_name = talloc_strdup(result, ""); - result->domain = talloc_strdup(result, ""); -@@ -2728,6 +2729,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx, - - result->auth_type = DCERPC_AUTH_TYPE_NONE; - result->auth_level = DCERPC_AUTH_LEVEL_NONE; -+ result->auth_context_id = 0; - - result->user_name = talloc_strdup(result, ""); - result->domain = talloc_strdup(result, ""); -@@ -2765,6 +2767,7 @@ static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx, - - result->auth_type = auth_type; - result->auth_level = auth_level; -+ result->auth_context_id = 1; - - result->user_name = talloc_strdup(result, username); - result->domain = talloc_strdup(result, domain); -@@ -2836,6 +2839,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain, - - result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL; - result->auth_level = auth_level; -+ result->auth_context_id = 1; - - result->user_name = talloc_strdup(result, ""); - result->domain = talloc_strdup(result, domain); -@@ -3500,6 +3504,7 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli, - } - auth->auth_type = DCERPC_AUTH_TYPE_KRB5; - auth->auth_level = auth_level; -+ auth->auth_context_id = 1; - - if (!username) { - username = ""; -@@ -3570,6 +3575,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli, - } - auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO; - auth->auth_level = auth_level; -+ auth->auth_context_id = 1; - - if (!username) { - username = ""; -@@ -3644,6 +3650,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, - } - auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO; - auth->auth_level = auth_level; -+ auth->auth_context_id = 1; - - if (!username) { - username = ""; --- -2.8.1 - - -From 82cd4e90c70d1ababd5fa1ee61206e37edbf40e4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 8 Jul 2015 00:01:37 +0200 -Subject: [PATCH 35/40] CVE-2015-5370: s3:rpc_server: make use of - pipe_auth_data->auth_context_id -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is better than using hardcoded values. -We need to use the value the client used in the BIND request. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 2bc617293a5d8652e484af69660b3646f3d48690) ---- - source3/rpc_server/rpc_ncacn_np.c | 1 + - source3/rpc_server/srv_pipe.c | 11 +++++++---- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c -index f2e9d10..c0f24a6 100644 ---- a/source3/rpc_server/rpc_ncacn_np.c -+++ b/source3/rpc_server/rpc_ncacn_np.c -@@ -781,6 +781,7 @@ static NTSTATUS rpc_pipe_open_external(TALLOC_CTX *mem_ctx, - } - result->auth->auth_type = DCERPC_AUTH_TYPE_NONE; - result->auth->auth_level = DCERPC_AUTH_LEVEL_NONE; -+ result->auth->auth_context_id = 0; - - status = rpccli_anon_bind_data(result, &auth); - if (!NT_STATUS_IS_OK(status)) { -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index 4263a91..d6c4118 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -534,6 +534,7 @@ static bool pipe_spnego_auth_bind(struct pipes_struct *p, - - p->auth.auth_ctx = spnego_ctx; - p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO; -+ p->auth.auth_context_id = auth_info->auth_context_id; - - DEBUG(10, ("SPNEGO auth started\n")); - -@@ -644,6 +645,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p, - /* We're finished with this bind - no more packets. */ - p->auth.auth_ctx = schannel_auth; - p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL; -+ p->auth.auth_context_id = auth_info->auth_context_id; - - p->pipe_bound = True; - -@@ -688,6 +690,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p, - - p->auth.auth_ctx = ntlmssp_state; - p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP; -+ p->auth.auth_context_id = auth_info->auth_context_id; - - DEBUG(10, (__location__ ": NTLMSSP auth started\n")); - -@@ -1173,6 +1176,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p, - p->pipe_bound = True; - /* The session key was initialized from the SMB - * session in make_internal_rpc_pipe_p */ -+ p->auth.auth_context_id = 0; - } - - ZERO_STRUCT(u.bind_ack); -@@ -1218,12 +1222,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p, - } - - if (auth_resp.length) { -- - status = dcerpc_push_dcerpc_auth(pkt, - auth_type, - auth_info.auth_level, -- 0, -- 1, /* auth_context_id */ -+ 0, /* pad_len */ -+ p->auth.auth_context_id, - &auth_resp, - &auth_blob); - if (!NT_STATUS_IS_OK(status)) { -@@ -1646,7 +1649,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - auth_info.auth_type, - auth_info.auth_level, - pad_len, -- 1, /* auth_context_id */ -+ p->auth.auth_context_id, - &auth_resp, - &auth_blob); - if (!NT_STATUS_IS_OK(status)) { --- -2.8.1 - - -From 8d1fb1fcf58b08cbf27579382ea648aefb9e7dc6 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 8 Jul 2015 00:01:37 +0200 -Subject: [PATCH 36/40] CVE-2015-5370: s3:librpc/rpc: make use of - auth->auth_context_id in dcerpc_add_auth_footer() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 61faaa63e7e610308c72ae4c41a5c7b5b7312685) ---- - source3/librpc/rpc/dcerpc_helpers.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c -index e4d0e3a..977a372 100644 ---- a/source3/librpc/rpc/dcerpc_helpers.c -+++ b/source3/librpc/rpc/dcerpc_helpers.c -@@ -741,7 +741,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth, - auth->auth_type, - auth->auth_level, - pad_len, -- 1 /* context id. */, -+ auth->auth_context_id, - &auth_blob, - &auth_info); - if (!NT_STATUS_IS_OK(status)) { --- -2.8.1 - - -From 2a44cfc65f7dc1ccfd2d6a5abe5d26e94a085aa9 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 8 Jul 2015 00:01:37 +0200 -Subject: [PATCH 37/40] CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in - dcerpc_check_auth() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 0cf3151c843e2c779b534743b455e630d89e2ba9) ---- - source3/librpc/rpc/dcerpc_helpers.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c -index 977a372..b00cf1bf 100644 ---- a/source3/librpc/rpc/dcerpc_helpers.c -+++ b/source3/librpc/rpc/dcerpc_helpers.c -@@ -881,6 +881,10 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, - return NT_STATUS_INVALID_PARAMETER; - } - -+ if (auth_info.auth_context_id != auth->auth_context_id) { -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ - pkt_trailer->length -= auth_length; - data = data_blob_const(raw_pkt->data + header_size, - pkt_trailer->length); --- -2.8.1 - - -From 68dcc277d5af506706d3fdac43891e43ccb4ceea Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 7 Jul 2015 22:51:18 +0200 -Subject: [PATCH 38/40] CVE-2015-5370: s3:rpc_client: verify auth_context_id in - rpc_pipe_bind_step_one_done() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 93a0f92b8ebecb38f92d3b2c9a946b486ee91d3c) ---- - source3/rpc_client/cli_pipe.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 755d676..ee33e80 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -2052,6 +2052,14 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) - return; - } - -+ if (auth.auth_context_id != pauth->auth_context_id) { -+ DEBUG(0, (__location__ " Auth context id %u mismatch expected %u.\n", -+ (unsigned)auth.auth_context_id, -+ (unsigned)pauth->auth_context_id)); -+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); -+ return; -+ } -+ - break; - } - --- -2.8.1 - - -From 8787dd5053974c1f42ae85a310e9522795f4ccfe Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 8 Jul 2015 00:01:37 +0200 -Subject: [PATCH 39/40] CVE-2015-5370: s3:rpc_server: verify auth_context_id in - api_pipe_{bind_auth3,alter_context} -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 3ef461d8304ee36184cd7a3963676eedff4ef1eb) ---- - source3/rpc_server/srv_pipe.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c -index d6c4118..26c4ee0 100644 ---- a/source3/rpc_server/srv_pipe.c -+++ b/source3/rpc_server/srv_pipe.c -@@ -1364,6 +1364,14 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) - goto err; - } - -+ if (auth_info.auth_context_id != p->auth.auth_context_id) { -+ DEBUG(0, ("Auth context id mismatch! Client sent %u, " -+ "but auth was started as level %u!\n", -+ (unsigned)auth_info.auth_context_id, -+ (unsigned)p->auth.auth_context_id)); -+ goto err; -+ } -+ - switch (auth_info.auth_type) { - case DCERPC_AUTH_TYPE_NTLMSSP: - ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx, -@@ -1545,6 +1553,14 @@ static bool api_pipe_alter_context(struct pipes_struct *p, - goto err_exit; - } - -+ if (auth_info.auth_context_id != p->auth.auth_context_id) { -+ DEBUG(0, ("Auth context id mismatch! Client sent %u, " -+ "but auth was started as level %u!\n", -+ (unsigned)auth_info.auth_context_id, -+ (unsigned)p->auth.auth_context_id)); -+ goto err_exit; -+ } -+ - switch (auth_info.auth_type) { - case DCERPC_AUTH_TYPE_SPNEGO: - spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx, --- -2.8.1 - - -From bf0040fb860527cb0c54ab0ef301153bdad650c0 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 22 Dec 2015 21:23:14 +0100 -Subject: [PATCH 40/40] CVE-2015-5370: s3:rpc_client: disconnect connection on - protocol errors -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -(cherry picked from commit 024d3b263a2879cee4fb7794d70f253c948cc043) ---- - source3/rpc_client/cli_pipe.c | 67 +++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 64 insertions(+), 3 deletions(-) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index ee33e80..a3810f0 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -953,6 +953,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) - - state->pkt = talloc(state, struct ncacn_packet); - if (!state->pkt) { -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); - tevent_req_nterror(req, NT_STATUS_NO_MEMORY); - return; - } -@@ -962,6 +968,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) - state->pkt, - !state->endianess); - if (!NT_STATUS_IS_OK(status)) { -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); - tevent_req_nterror(req, status); - return; - } -@@ -979,6 +991,28 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) - (unsigned)state->reply_pdu_offset, - nt_errstr(status))); - -+ if (state->pkt->ptype != DCERPC_PKT_FAULT && !NT_STATUS_IS_OK(status)) { -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); -+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) { -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); -+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) { -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); -+ } - if (!NT_STATUS_IS_OK(status)) { - tevent_req_nterror(req, status); - return; -@@ -1003,12 +1037,24 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) - "%s\n", - state->endianess?"little":"big", - state->pkt->drep[0]?"little":"big")); -- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); -+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); - return; - } - - if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) { -- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); -+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); - return; - } - -@@ -1016,6 +1062,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) - if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) { - if (!data_blob_realloc(NULL, &state->reply_pdu, - state->reply_pdu_offset + rdata.length)) { -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); - tevent_req_nterror(req, NT_STATUS_NO_MEMORY); - return; - } -@@ -1045,6 +1097,14 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) - subreq = get_complete_frag_send(state, state->ev, state->cli, - state->call_id, - &state->incoming_frag); -+ if (subreq == NULL) { -+ /* -+ * TODO: do a real async disconnect ... -+ * -+ * For now do it sync... -+ */ -+ TALLOC_FREE(state->cli->transport); -+ } - if (tevent_req_nomem(subreq, req)) { - return; - } -@@ -2574,8 +2634,9 @@ static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx, - /* - * TODO: do a real async disconnect ... - * -- * For now the caller needs to free rpc_cli -+ * For now we do it sync... - */ -+ TALLOC_FREE(hs->rpc_cli->transport); - hs->rpc_cli = NULL; - - tevent_req_done(req); --- -2.8.1 -