1From 8368c32cb69da82c8df36404ec8042c3046866ca Mon Sep 17 00:00:00 2001
2From: Stefan Metzmacher <metze@samba.org>
3Date: Thu, 16 Jul 2015 22:46:05 +0200
4Subject: [PATCH 01/40] CVE-2015-5370: dcerpc.idl: add
5 DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
11
12Signed-off-by: Stefan Metzmacher <metze@samba.org>
13Reviewed-by: Günther Deschner <gd@samba.org>
14---
15 librpc/idl/dcerpc.idl | 2 ++
16 1 file changed, 2 insertions(+)
17
18diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
19index 75ef2ec..bbb42d1 100644
20--- a/librpc/idl/dcerpc.idl
21+++ b/librpc/idl/dcerpc.idl
22@@ -475,9 +475,11 @@ interface dcerpc
23 const uint8 DCERPC_PFC_OFFSET = 3;
24 const uint8 DCERPC_DREP_OFFSET = 4;
25 const uint8 DCERPC_FRAG_LEN_OFFSET = 8;
26+ const uint32 DCERPC_FRAG_MAX_SIZE = 5840;
27 const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
28 const uint8 DCERPC_CALL_ID_OFFSET = 12;
29 const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
30+ const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
31
32 /* little-endian flag */
33 const uint8 DCERPC_DREP_LE = 0x10;
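Review bot: The new `DCERPC_FRAG_MAX_SIZE` on the first added line carries no comment, while its sibling `DCERPC_NCACN_PAYLOAD_MAX_SIZE` at least notes `/* 4 MByte */`, so a reader of this hunk cannot tell what 5840 bounds. A short trailing comment naming the limit (presumably the largest PDU fragment this stack handles; confirm whether that means received, sent, or both before wording it) would make the constant self-describing, e.g. `const uint32 DCERPC_FRAG_MAX_SIZE = 5840; /* largest PDU fragment handled by this stack */`. Placing a size constant between two `*_OFFSET` header-offset constants also reads oddly; grouping the two `*_MAX_SIZE` values together would be clearer.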
34--
352.8.1
36
37
38From e3043ba5aafdb0605ab14b11917d497b59d82bec Mon Sep 17 00:00:00 2001
39From: Stefan Metzmacher <metze@samba.org>
40Date: Sun, 28 Jun 2015 01:19:57 +0200
41Subject: [PATCH 02/40] CVE-2015-5370: librpc/rpc: simplify and harden
42 dcerpc_pull_auth_trailer()
43MIME-Version: 1.0
44Content-Type: text/plain; charset=UTF-8
45Content-Transfer-Encoding: 8bit
46
47BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
48
49Signed-off-by: Stefan Metzmacher <metze@samba.org>
50Reviewed-by: Günther Deschner <gd@samba.org>
51---
52 librpc/rpc/dcerpc_util.c | 63 ++++++++++++++++++++++++++++++++++++------------
53 librpc/rpc/rpc_common.h | 4 +--
54 2 files changed, 49 insertions(+), 18 deletions(-)
55
56diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
57index 97ef798..f936ef4 100644
58--- a/librpc/rpc/dcerpc_util.c
59+++ b/librpc/rpc/dcerpc_util.c
60@@ -92,31 +92,44 @@ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
61 *
62 * @return - A NTSTATUS error code.
63 */
64-NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
65+NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
66 TALLOC_CTX *mem_ctx,
67- DATA_BLOB *pkt_trailer,
68+ const DATA_BLOB *pkt_trailer,
69 struct dcerpc_auth *auth,
70- uint32_t *auth_length,
71+ uint32_t *_auth_length,
72 bool auth_data_only)
73 {
74 struct ndr_pull *ndr;
75 enum ndr_err_code ndr_err;
76- uint32_t data_and_pad;
77+ uint16_t data_and_pad;
78+ uint16_t auth_length;
79+ uint32_t tmp_length;
80
81- data_and_pad = pkt_trailer->length
82- - (DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length);
83+ ZERO_STRUCTP(auth);
84+ if (_auth_length != NULL) {
85+ *_auth_length = 0;
86+ }
87
88- /* paranoia check for pad size. This would be caught anyway by
89- the ndr_pull_advance() a few lines down, but it scared
90- Jeremy enough for him to call me, so we might as well check
91- it now, just to prevent someone posting a bogus YouTube
92- video in the future.
93- */
94- if (data_and_pad > pkt_trailer->length) {
95- return NT_STATUS_INFO_LENGTH_MISMATCH;
96+ /* Paranoia checks for auth_length. The caller should check this... */
97+ if (pkt->auth_length > pkt->frag_length) {
98+ return NT_STATUS_INTERNAL_ERROR;
99+ }
100+ tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
101+ tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
102+ tmp_length += pkt->auth_length;
103+ if (tmp_length > pkt->frag_length) {
104+ return NT_STATUS_INTERNAL_ERROR;
105+ }
106+ if (pkt_trailer->length > UINT16_MAX) {
107+ return NT_STATUS_INTERNAL_ERROR;
108 }
109
110- *auth_length = pkt_trailer->length - data_and_pad;
111+ auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
112+ if (pkt_trailer->length < auth_length) {
113+ return NT_STATUS_RPC_PROTOCOL_ERROR;
114+ }
115+
116+ data_and_pad = pkt_trailer->length - auth_length;
117
118 ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
119 if (!ndr) {
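Review bot: The rewritten prologue validates `pkt->auth_length` against `pkt->frag_length` and caps `pkt_trailer->length` at `UINT16_MAX`, but nothing relates `pkt_trailer` to `pkt`: the function assumes the trailer blob is the payload of this same PDU and lies within `frag_length`, and that precondition is not stated in the visible tail of the doc comment. Suggest adding to the doc block above the signature: `@param pkt_trailer - The stub_and_verifier/auth_info blob of pkt; the caller must ensure it lies within pkt->frag_length, this function does not check that.` The `tmp_length` arithmetic is done in a `uint32_t`, so the later `uint16_t auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length` cannot wrap once that check has passed (assuming `frag_length` is 16-bit, as the `UINT16_MAX` test suggests); that deserves a one-line comment because the narrow type otherwise looks hazardous. The function body continues past the end of this hunk.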
120@@ -136,14 +149,28 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
121 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
122 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
123 talloc_free(ndr);
124+ ZERO_STRUCTP(auth);
125 return ndr_map_error2ntstatus(ndr_err);
126 }
127
128+ if (data_and_pad < auth->auth_pad_length) {
129+ DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
130+ "Calculated %u got %u\n",
131+ (unsigned)data_and_pad,
132+ (unsigned)auth->auth_pad_length));
133+ talloc_free(ndr);
134+ ZERO_STRUCTP(auth);
135+ return NT_STATUS_RPC_PROTOCOL_ERROR;
136+ }
137+
138 if (auth_data_only && data_and_pad != auth->auth_pad_length) {
139- DEBUG(1, (__location__ ": WARNING: pad length mismatch. "
140+ DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
141 "Calculated %u got %u\n",
142 (unsigned)data_and_pad,
143 (unsigned)auth->auth_pad_length));
144+ talloc_free(ndr);
145+ ZERO_STRUCTP(auth);
146+ return NT_STATUS_RPC_PROTOCOL_ERROR;
147 }
148
149 DEBUG(6,(__location__ ": auth_pad_length %u\n",
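Review bot: The two new failure paths print the identical text `": ERROR: pad length mismatch. Calculated %u got %u\n"`, so a log line cannot tell whether the pad length exceeded the available data or merely differed from it in `auth_data_only` mode. Giving the first check distinct wording, e.g. `": ERROR: auth_pad_length larger than data_and_pad. Calculated %u got %u\n"`, keeps the two conditions distinguishable when triaging malformed PDUs. The `talloc_free(ndr); ZERO_STRUCTP(auth); return NT_STATUS_RPC_PROTOCOL_ERROR;` triple now appears twice and the free/zero pair a third time in the pull-failure path; a single cleanup label would remove the repetition. The function starts and ends outside this hunk.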
150@@ -152,6 +179,10 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
151 talloc_steal(mem_ctx, auth->credentials.data);
152 talloc_free(ndr);
153
154+ if (_auth_length != NULL) {
155+ *_auth_length = auth_length;
156+ }
157+
158 return NT_STATUS_OK;
159 }
160
161diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
162index fe8129d..98a2e95 100644
163--- a/librpc/rpc/rpc_common.h
164+++ b/librpc/rpc/rpc_common.h
165@@ -158,9 +158,9 @@ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
166 *
167 * @return - A NTSTATUS error code.
168 */
169-NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
170+NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
171 TALLOC_CTX *mem_ctx,
172- DATA_BLOB *pkt_trailer,
173+ const DATA_BLOB *pkt_trailer,
174 struct dcerpc_auth *auth,
175 uint32_t *auth_length,
176 bool auth_data_only);
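Review bot: The header still names the out-parameter `auth_length` while the implementation renamed it `_auth_length` and now accepts `NULL` (`if (_auth_length != NULL)`), yet the visible tail of the doc comment only says `@return - A NTSTATUS error code.` and nothing documents that the pointer is optional. Suggest extending the doc block with `@param auth_length - [out, optional] DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length on success; may be NULL.` The new `const` qualifiers on `pkt` and `pkt_trailer` are also a contract change worth a sentence, since callers can now rely on neither blob being modified.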
177--
1782.8.1
179
180
181From 397300d996299400842938131691fbbeb88c2c82 Mon Sep 17 00:00:00 2001
182From: Stefan Metzmacher <metze@samba.org>
183Date: Mon, 29 Jun 2015 10:24:45 +0200
184Subject: [PATCH 03/40] CVE-2015-5370: s3:librpc/rpc: don't call
185 dcerpc_pull_auth_trailer() if auth_length is 0
186MIME-Version: 1.0
187Content-Type: text/plain; charset=UTF-8
188Content-Transfer-Encoding: 8bit
189
190All other paranoia checks are done within dcerpc_pull_auth_trailer()
191now.
192
193BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
194
195Signed-off-by: Stefan Metzmacher <metze@samba.org>
196Reviewed-by: Günther Deschner <gd@samba.org>
197---
198 source3/librpc/rpc/dcerpc_helpers.c | 12 ++----------
199 1 file changed, 2 insertions(+), 10 deletions(-)
200
201diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
202index 24f2f52..76f2acc 100644
203--- a/source3/librpc/rpc/dcerpc_helpers.c
204+++ b/source3/librpc/rpc/dcerpc_helpers.c
205@@ -899,16 +899,8 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
206 return NT_STATUS_INVALID_PARAMETER;
207 }
208
209- /* Paranioa checks for auth_length. */
210- if (pkt->auth_length > pkt->frag_length) {
211- return NT_STATUS_INFO_LENGTH_MISMATCH;
212- }
213- if (((unsigned int)pkt->auth_length
214- + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) ||
215- ((unsigned int)pkt->auth_length
216- + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
217- /* Integer wrap attempt. */
218- return NT_STATUS_INFO_LENGTH_MISMATCH;
219+ if (pkt->auth_length == 0) {
220+ return NT_STATUS_INVALID_PARAMETER;
221 }
222
223 status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
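Review bot: The new `if (pkt->auth_length == 0) { return NT_STATUS_INVALID_PARAMETER; }` has no comment, and on its own it reads as if an absent trailer were always an error; presumably the `switch` on `auth->auth_level` above the hunk already returned for the levels that permit no trailer, so reaching this point with `auth_length == 0` means a level that requires one got none. A one-line comment would make that explicit: `/* Levels that allow an empty trailer returned above; here one is mandatory. */`. Note also that the removed wrap checks returned `NT_STATUS_INFO_LENGTH_MISMATCH`, whereas `dcerpc_pull_auth_trailer()` now reports the equivalent conditions as `NT_STATUS_INTERNAL_ERROR`, so anything keyed on the old status sees a behaviour change. `dcerpc_check_auth()` starts and ends outside this hunk.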
224--
2252.8.1
226
227
228From faa20091b4a456a5e29f852561f6f5e9863860e0 Mon Sep 17 00:00:00 2001
229From: Stefan Metzmacher <metze@samba.org>
230Date: Fri, 26 Jun 2015 08:10:46 +0200
231Subject: [PATCH 04/40] CVE-2015-5370: librpc/rpc: add a
232 dcerpc_verify_ncacn_packet_header() helper function
233MIME-Version: 1.0
234Content-Type: text/plain; charset=UTF-8
235Content-Transfer-Encoding: 8bit
236
237BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
238
239Signed-off-by: Stefan Metzmacher <metze@samba.org>
240Reviewed-by: Günther Deschner <gd@samba.org>
241(cherry picked from commit 8266be48f455a5e541d0f7f62a1c8c38e0835976)
242---
243 librpc/rpc/dcerpc_util.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++
244 librpc/rpc/rpc_common.h | 5 ++++
245 2 files changed, 78 insertions(+)
246
247diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
248index f936ef4..2f599d5 100644
249--- a/librpc/rpc/dcerpc_util.c
250+++ b/librpc/rpc/dcerpc_util.c
251@@ -186,6 +186,79 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
252 return NT_STATUS_OK;
253 }
254
255+/**
256+* @brief Verify the fields in ncacn_packet header.
257+*
258+* @param pkt - The ncacn_packet strcuture
259+* @param ptype - The expected PDU type
260+* @param max_auth_info - The maximum size of a possible auth trailer
261+* @param required_flags - The required flags for the pdu.
262+* @param optional_flags - The possible optional flags for the pdu.
263+*
264+* @return - A NTSTATUS error code.
265+*/
266+NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
267+ enum dcerpc_pkt_type ptype,
268+ size_t max_auth_info,
269+ uint8_t required_flags,
270+ uint8_t optional_flags)
271+{
272+ if (pkt->rpc_vers != 5) {
273+ return NT_STATUS_RPC_PROTOCOL_ERROR;
274+ }
275+
276+ if (pkt->rpc_vers_minor != 0) {
277+ return NT_STATUS_RPC_PROTOCOL_ERROR;
278+ }
279+
280+ if (pkt->auth_length > pkt->frag_length) {
281+ return NT_STATUS_RPC_PROTOCOL_ERROR;
282+ }
283+
284+ if (pkt->ptype != ptype) {
285+ return NT_STATUS_RPC_PROTOCOL_ERROR;
286+ }
287+
288+ if (max_auth_info > UINT16_MAX) {
289+ return NT_STATUS_INTERNAL_ERROR;
290+ }
291+
292+ if (pkt->auth_length > 0) {
293+ size_t max_auth_length;
294+
295+ if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
296+ return NT_STATUS_RPC_PROTOCOL_ERROR;
297+ }
298+ max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
299+
300+ if (pkt->auth_length > max_auth_length) {
301+ return NT_STATUS_RPC_PROTOCOL_ERROR;
302+ }
303+ }
304+
305+ if ((pkt->pfc_flags & required_flags) != required_flags) {
306+ return NT_STATUS_RPC_PROTOCOL_ERROR;
307+ }
308+ if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
309+ return NT_STATUS_RPC_PROTOCOL_ERROR;
310+ }
311+
312+ if (pkt->drep[0] & ~DCERPC_DREP_LE) {
313+ return NT_STATUS_RPC_PROTOCOL_ERROR;
314+ }
315+ if (pkt->drep[1] != 0) {
316+ return NT_STATUS_RPC_PROTOCOL_ERROR;
317+ }
318+ if (pkt->drep[2] != 0) {
319+ return NT_STATUS_RPC_PROTOCOL_ERROR;
320+ }
321+ if (pkt->drep[3] != 0) {
322+ return NT_STATUS_RPC_PROTOCOL_ERROR;
323+ }
324+
325+ return NT_STATUS_OK;
326+}
327+
328 struct dcerpc_read_ncacn_packet_state {
329 #if 0
330 struct {
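Review bot: The new doc block has a typo, `@param pkt - The ncacn_packet strcuture` should read `structure`, and its `@return` line does not explain the two distinct failure statuses the body uses: `NT_STATUS_RPC_PROTOCOL_ERROR` for everything the peer controls (version, type, flags, drep, auth_length) and `NT_STATUS_INTERNAL_ERROR` only for a caller-supplied `max_auth_info` above `UINT16_MAX`. Suggest `@return - NT_STATUS_OK; NT_STATUS_RPC_PROTOCOL_ERROR if the header fails a peer-facing check; NT_STATUS_INTERNAL_ERROR if max_auth_info exceeds UINT16_MAX.` The `drep[0] & ~DCERPC_DREP_LE` and `drep[1..3] != 0` tests reject every data-representation bit other than the little-endian flag, which is a deliberate tightening worth a short comment such as `/* only the little-endian flag is accepted in drep; all other representations are rejected */`.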
331diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
332index 98a2e95..b3ae5b2 100644
333--- a/librpc/rpc/rpc_common.h
334+++ b/librpc/rpc/rpc_common.h
335@@ -164,6 +164,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
336 struct dcerpc_auth *auth,
337 uint32_t *auth_length,
338 bool auth_data_only);
339+NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
340+ enum dcerpc_pkt_type ptype,
341+ size_t max_auth_info,
342+ uint8_t required_flags,
343+ uint8_t optional_flags);
344 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
345 struct tevent_context *ev,
346 struct tstream_context *stream);
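Review bot: The new prototype for `dcerpc_verify_ncacn_packet_header()` is inserted without a doc comment, whereas the neighbouring `dcerpc_pull_auth_trailer()` declaration carries one (its `@return - A NTSTATUS error code.` tail is visible above the hunk). The Doxygen block added in dcerpc_util.c by the same commit could be mirrored here, since readers of the header are the ones choosing `required_flags`, `optional_flags` and `max_auth_info`.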
347--
3482.8.1
349
350
351From c176174588c1119a11066b6188ac50cd3c9603f4 Mon Sep 17 00:00:00 2001
352From: Stefan Metzmacher <metze@samba.org>
353Date: Tue, 7 Jul 2015 13:05:01 +0200
354Subject: [PATCH 05/40] CVE-2015-5370: s3:rpc_client: move AS/U hack to the top
355 of cli_pipe_validate_current_pdu()
356MIME-Version: 1.0
357Content-Type: text/plain; charset=UTF-8
358Content-Transfer-Encoding: 8bit
359
360BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
361
362Signed-off-by: Stefan Metzmacher <metze@samba.org>
363Reviewed-by: Günther Deschner <gd@samba.org>
364(cherry picked from commit 665b874b6022bfcdec3f13a9f5a844e5d1784aba)
365---
366 source3/rpc_client/cli_pipe.c | 24 +++++++++++++-----------
367 1 file changed, 13 insertions(+), 11 deletions(-)
368
369diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
370index 5ddabb7..295b88f 100644
371--- a/source3/rpc_client/cli_pipe.c
372+++ b/source3/rpc_client/cli_pipe.c
373@@ -414,6 +414,19 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
374 */
375 *rdata = *pdu;
376
377+ if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
378+ !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
379+ /*
380+ * TODO: do we still need this hack which was introduced
381+ * in commit a42afcdcc7ab9aa9ed193ae36d3dbb10843447f0.
382+ *
383+ * I don't even know what AS/U might be...
384+ */
385+ DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
386+ "fragment first/last ON.\n"));
387+ pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
388+ }
389+
390 /* Ensure we have the correct type. */
391 switch (pkt->ptype) {
392 case DCERPC_PKT_ALTER_RESP:
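Review bot: The `pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;` mutation now runs before the type check and before any authentication verification, while the comment deleted in the second hunk (`we don't want to modify any rpc header data before now as we may have needed to do cryptographic actions on it`) explicitly warned against that ordering. Neither the new TODO comment nor the commit message says why the concern no longer applies; if the integrity check operates on the raw `pdu` blob rather than the parsed `pkt` (which would make the early edit harmless), one sentence should say so, e.g. `/* Safe to patch the parsed header here: integrity checks run on the raw pdu blob. */`, to be confirmed against `dcerpc_check_auth()`. `cli_pipe_validate_current_pdu()` starts and ends outside this hunk.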
393@@ -518,17 +531,6 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
394 return NT_STATUS_RPC_PROTOCOL_ERROR;
395 }
396
397- /* Do this just before return - we don't want to modify any rpc header
398- data before now as we may have needed to do cryptographic actions on
399- it before. */
400-
401- if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
402- !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
403- DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
404- "fragment first/last ON.\n"));
405- pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
406- }
407-
408 return NT_STATUS_OK;
409 }
410
411--
4122.8.1
413
414
415From b9ae0068be4dfc6f7d09144c353689ab01955b93 Mon Sep 17 00:00:00 2001
416From: Stefan Metzmacher <metze@samba.org>
417Date: Tue, 7 Jul 2015 13:05:01 +0200
418Subject: [PATCH 06/40] CVE-2015-5370: s3:rpc_client: remove useless
419 frag_length check in rpc_api_pipe_got_pdu()
420MIME-Version: 1.0
421Content-Type: text/plain; charset=UTF-8
422Content-Transfer-Encoding: 8bit
423
424dcerpc_pull_ncacn_packet() already verifies this.
425
426BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
427
428Signed-off-by: Stefan Metzmacher <metze@samba.org>
429Reviewed-by: Günther Deschner <gd@samba.org>
430(cherry picked from commit 9a3f045244b12ff9f77d2664396137c390042297)
431---
432 source3/rpc_client/cli_pipe.c | 8 --------
433 1 file changed, 8 deletions(-)
434
435diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
436index 295b88f..2787fbc 100644
437--- a/source3/rpc_client/cli_pipe.c
438+++ b/source3/rpc_client/cli_pipe.c
439@@ -898,14 +898,6 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
440 return;
441 }
442
443- if (state->incoming_frag.length != state->pkt->frag_length) {
444- DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
445- (unsigned int)state->incoming_frag.length,
446- (unsigned int)state->pkt->frag_length));
447- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
448- return;
449- }
450-
451 status = cli_pipe_validate_current_pdu(state,
452 state->cli, state->pkt,
453 &state->incoming_frag,
454--
4552.8.1
456
457
458From 05688274f03e6086e3ba4d7b4cb4409f9c4d9cb1 Mon Sep 17 00:00:00 2001
459From: Stefan Metzmacher <metze@samba.org>
460Date: Fri, 26 Jun 2015 08:10:46 +0200
461Subject: [PATCH 07/40] CVE-2015-5370: s4:rpc_server: no authentication is
462 indicated by pkt->auth_length == 0
463MIME-Version: 1.0
464Content-Type: text/plain; charset=UTF-8
465Content-Transfer-Encoding: 8bit
466
467pkt->u.*.auth_info.length is not the correct thing to check.
468
469BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
470
471Signed-off-by: Stefan Metzmacher <metze@samba.org>
472Reviewed-by: Günther Deschner <gd@samba.org>
473(backported from commit c0236de09e542dbb168969d8ae9f0c150a75198e)
474---
475 source4/rpc_server/dcesrv_auth.c | 23 ++++++++++++++---------
476 1 file changed, 14 insertions(+), 9 deletions(-)
477
478diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
479index 1e6aa24..61f2176 100644
480--- a/source4/rpc_server/dcesrv_auth.c
481+++ b/source4/rpc_server/dcesrv_auth.c
482@@ -46,7 +46,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
483 NTSTATUS status;
484 uint32_t auth_length;
485
486- if (pkt->u.bind.auth_info.length == 0) {
487+ if (pkt->auth_length == 0) {
488 dce_conn->auth_state.auth_info = NULL;
489 return true;
490 }
491@@ -108,7 +108,7 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
492 struct dcesrv_connection *dce_conn = call->conn;
493 NTSTATUS status;
494
495- if (!call->conn->auth_state.gensec_security) {
496+ if (call->pkt.auth_length == 0) {
497 return NT_STATUS_OK;
498 }
499
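Review bot: Replacing `if (!call->conn->auth_state.gensec_security)` with `if (call->pkt.auth_length == 0)` in `dcesrv_auth_bind_ack()` changes the guard from local state to a peer-supplied header field, so a bind that carried a trailer but for which no gensec context exists no longer short-circuits here; the code below the hunk is not visible, so whether it tolerates a NULL `gensec_security` cannot be confirmed from this page. If a failed `dcesrv_auth_bind()` already prevents `dcesrv_auth_bind_ack()` from running, a comment should record that invariant, e.g. `/* auth_length != 0 implies dcesrv_auth_bind() established gensec_security */`. The last hunk of this file makes the same substitution in `dcesrv_auth_alter_ack()`, dropping both the `auth_info` and `credentials.length` checks, and deserves the same comment.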
500@@ -155,10 +155,16 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
501 NTSTATUS status;
502 uint32_t auth_length;
503
504- /* We can't work without an existing gensec state, and an new blob to feed it */
505- if (!dce_conn->auth_state.auth_info ||
506- !dce_conn->auth_state.gensec_security ||
507- pkt->u.auth3.auth_info.length == 0) {
508+ if (pkt->auth_length == 0) {
509+ return false;
510+ }
511+
512+ if (!dce_conn->auth_state.auth_info) {
513+ return false;
514+ }
515+
516+ /* We can't work without an existing gensec state */
517+ if (!dce_conn->auth_state.gensec_security) {
518 return false;
519 }
520
521@@ -203,7 +209,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
522 uint32_t auth_length;
523
524 /* on a pure interface change there is no auth blob */
525- if (pkt->u.alter.auth_info.length == 0) {
526+ if (pkt->auth_length == 0) {
527 return true;
528 }
529
530@@ -238,8 +244,7 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack
531
532 /* on a pure interface change there is no auth_info structure
533 setup */
534- if (!call->conn->auth_state.auth_info ||
535- dce_conn->auth_state.auth_info->credentials.length == 0) {
536+ if (call->pkt.auth_length == 0) {
537 return NT_STATUS_OK;
538 }
539
540--
5412.8.1
542
543
544From 57230961cee9e82ab060b54b5fb8c2b19f672111 Mon Sep 17 00:00:00 2001
545From: Stefan Metzmacher <metze@samba.org>
546Date: Sat, 27 Jun 2015 10:31:48 +0200
547Subject: [PATCH 08/40] CVE-2015-5370: s4:librpc/rpc: check pkt->auth_length
548 before calling dcerpc_pull_auth_trailer
549
550BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
551
552Signed-off-by: Ralph Boehme <slow@samba.org>
553(backported from 630dcb55ad7a3a89bcd8643c98a5cdbfb8735ef7)
554---
555 source4/librpc/rpc/dcerpc.c | 13 ++++++++++---
556 source4/rpc_server/dcesrv_auth.c | 5 +++++
557 2 files changed, 15 insertions(+), 3 deletions(-)
558
559diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
560index 742d710..cfbccd6 100644
561--- a/source4/librpc/rpc/dcerpc.c
562+++ b/source4/librpc/rpc/dcerpc.c
563@@ -701,6 +701,14 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
564 return NT_STATUS_INVALID_LEVEL;
565 }
566
567+ if (pkt->auth_length == 0) {
568+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
569+ }
570+
571+ if (c->security_state.generic_state == NULL) {
572+ return NT_STATUS_INTERNAL_ERROR;
573+ }
574+
575 status = dcerpc_pull_auth_trailer(pkt, mem_ctx,
576 &pkt->u.response.stub_and_verifier,
577 &auth, &auth_length, false);
578@@ -1074,7 +1082,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *req,
579 }
580
581 /* the bind_ack might contain a reply set of credentials */
582- if (conn->security_state.auth_info && pkt->u.bind_ack.auth_info.length) {
583+ if (conn->security_state.auth_info && pkt->auth_length) {
584 NTSTATUS status;
585 uint32_t auth_length;
586 status = dcerpc_pull_auth_trailer(pkt, conn, &pkt->u.bind_ack.auth_info,
587@@ -1847,8 +1855,7 @@ static void dcerpc_alter_recv_handler(struct rpc_request *req,
588 }
589
590 /* the alter_resp might contain a reply set of credentials */
591- if (recv_pipe->conn->security_state.auth_info &&
592- pkt->u.alter_resp.auth_info.length) {
593+ if (recv_pipe->conn->security_state.auth_info && pkt->auth_length) {
594 struct dcecli_connection *conn = recv_pipe->conn;
595 NTSTATUS status;
596 uint32_t auth_length;
597diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
598index 61f2176..3051c1c 100644
599--- a/source4/rpc_server/dcesrv_auth.c
600+++ b/source4/rpc_server/dcesrv_auth.c
601@@ -320,6 +320,11 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
602 return false;
603 }
604
605+ if (pkt->auth_length == 0) {
606+ DEBUG(1,("dcesrv_auth_request: unexpected auth_length of 0\n"));
607+ return false;
608+ }
609+
610 status = dcerpc_pull_auth_trailer(pkt, call,
611 &pkt->u.request.stub_and_verifier,
612 &auth, &auth_length, false);
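Review bot: The new early return in `dcesrv_auth_request()` logs with a hard-coded function name, `DEBUG(1,("dcesrv_auth_request: unexpected auth_length of 0\n"))`, while the other diagnostics in this series use the `__location__` macro, so this message is the one that goes stale on rename. Beyond style, this caller-side check is what gives the peer-facing semantics: `dcerpc_pull_auth_trailer()` treats `auth_length == 0` as a caller bug and returns `NT_STATUS_INTERNAL_ERROR` (patch 09 of this series), so a comment such as `/* dcerpc_pull_auth_trailer() treats auth_length == 0 as a caller error; reject it here first. */` would make the layering explicit. The enclosing function starts and ends outside this hunk.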
613--
6142.8.1
615
616
617From c35b0e37f7d37459f55d67a5037c08bea4d33acf Mon Sep 17 00:00:00 2001
618From: Stefan Metzmacher <metze@samba.org>
619Date: Sun, 28 Jun 2015 01:19:57 +0200
620Subject: [PATCH 09/40] CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length
621 == 0 in dcerpc_pull_auth_trailer()
622MIME-Version: 1.0
623Content-Type: text/plain; charset=UTF-8
624Content-Transfer-Encoding: 8bit
625
626All callers should have already checked that.
627
628BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
629
630Signed-off-by: Stefan Metzmacher <metze@samba.org>
631Reviewed-by: Günther Deschner <gd@samba.org>
632(cherry picked from commit 1ed83c7657a3b405db1928db06c29f41d2738186)
633---
634 librpc/rpc/dcerpc_util.c | 5 +++++
635 1 file changed, 5 insertions(+)
636
637diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
638index 2f599d5..89b7597 100644
639--- a/librpc/rpc/dcerpc_util.c
640+++ b/librpc/rpc/dcerpc_util.c
641@@ -111,6 +111,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
642 }
643
644 /* Paranoia checks for auth_length. The caller should check this... */
645+ if (pkt->auth_length == 0) {
646+ return NT_STATUS_INTERNAL_ERROR;
647+ }
648+
649+ /* Paranoia checks for auth_length. The caller should check this... */
650 if (pkt->auth_length > pkt->frag_length) {
651 return NT_STATUS_INTERNAL_ERROR;
652 }
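Review bot: The inserted block duplicates the comment `/* Paranoia checks for auth_length. The caller should check this... */`, so the same sentence now appears twice, four lines apart, above two consecutive checks. Either drop the second copy or merge the two tests under the one comment, e.g. `if (pkt->auth_length == 0 || pkt->auth_length > pkt->frag_length) { return NT_STATUS_INTERNAL_ERROR; }`, since both return the same status. `dcerpc_pull_auth_trailer()` starts and ends outside this hunk.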
653--
6542.8.1
655
656
657From 2341eb0cf8395b1fed628ee6779207d916827a5d Mon Sep 17 00:00:00 2001
658From: Stefan Metzmacher <metze@samba.org>
659Date: Thu, 9 Jul 2015 07:59:24 +0200
660Subject: [PATCH 10/40] CVE-2015-5370: s3:librpc/rpc: remove auth trailer and
661 possible padding within dcerpc_check_auth()
662MIME-Version: 1.0
663Content-Type: text/plain; charset=UTF-8
664Content-Transfer-Encoding: 8bit
665
666This simplifies the callers a lot.
667
668BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
669
670Signed-off-by: Stefan Metzmacher <metze@samba.org>
671Reviewed-by: Günther Deschner <gd@samba.org>
672(cherry picked from commit df3cdf072d1c1e6fd0a58e0374348758f5c65a49)
673---
674 source3/librpc/rpc/dcerpc.h | 5 ++---
675 source3/librpc/rpc/dcerpc_helpers.c | 31 ++++++++++++++++++++-----------
676 source3/rpc_client/cli_pipe.c | 33 ++++++++++-----------------------
677 source3/rpc_server/srv_pipe.c | 17 +----------------
678 4 files changed, 33 insertions(+), 53 deletions(-)
679
680diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
681index d14d8e0..e7cca9e 100644
682--- a/source3/librpc/rpc/dcerpc.h
683+++ b/source3/librpc/rpc/dcerpc.h
684@@ -85,9 +85,8 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
685 NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
686 struct ncacn_packet *pkt,
687 DATA_BLOB *pkt_trailer,
688- size_t header_size,
689- DATA_BLOB *raw_pkt,
690- size_t *pad_len);
691+ uint8_t header_size,
692+ DATA_BLOB *raw_pkt);
693
694 /* The following definitions come from librpc/rpc/rpc_common.c */
695
696diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
697index 76f2acc..d871339 100644
698--- a/source3/librpc/rpc/dcerpc_helpers.c
699+++ b/source3/librpc/rpc/dcerpc_helpers.c
700@@ -844,19 +844,18 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
701 *
702 * @param auth The auth data for the connection
703 * @param pkt The actual ncacn_packet
704-* @param pkt_trailer The stub_and_verifier part of the packet
705+* @param pkt_trailer [in][out] The stub_and_verifier part of the packet,
706+* the auth_trailer and padding will be removed.
707 * @param header_size The header size
708 * @param raw_pkt The whole raw packet data blob
709-* @param pad_len [out] The padding length used in the packet
710 *
711 * @return A NTSTATUS error code
712 */
713 NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
714 struct ncacn_packet *pkt,
715 DATA_BLOB *pkt_trailer,
716- size_t header_size,
717- DATA_BLOB *raw_pkt,
718- size_t *pad_len)
719+ uint8_t header_size,
720+ DATA_BLOB *raw_pkt)
721 {
722 struct schannel_state *schannel_auth;
723 struct auth_ntlmssp_state *ntlmssp_ctx;
724@@ -868,6 +867,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
725 DATA_BLOB full_pkt;
726 DATA_BLOB data;
727
728+ /*
729+ * These check should be done in the caller.
730+ */
731+ SMB_ASSERT(raw_pkt->length == pkt->frag_length);
732+ SMB_ASSERT(header_size <= pkt->frag_length);
733+ SMB_ASSERT(pkt_trailer->length < pkt->frag_length);
734+ SMB_ASSERT((pkt_trailer->length + header_size) <= pkt->frag_length);
735+
736 switch (auth->auth_level) {
737 case DCERPC_AUTH_LEVEL_PRIVACY:
738 DEBUG(10, ("Requested Privacy.\n"));
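Review bot: The four new `SMB_ASSERT()`s compare `raw_pkt->length`, `header_size` and `pkt_trailer->length` against `pkt->frag_length`, values that in the server path originate from the peer's PDU; if any caller can reach `dcerpc_check_auth()` with a mismatch, a malformed fragment aborts the process instead of failing the request. The comment says the checks belong in the caller (and has a typo: `These check should be done in the caller.` should read `These checks`), so either every caller's enforcement should be confirmed, or the asserts should become `if (...) { return NT_STATUS_INVALID_PARAMETER; }` guards. `dcerpc_check_auth()` starts and ends outside this hunk.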
739@@ -881,7 +888,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
740 if (pkt->auth_length != 0) {
741 break;
742 }
743- *pad_len = 0;
744 return NT_STATUS_OK;
745
746 case DCERPC_AUTH_LEVEL_NONE:
747@@ -890,7 +896,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
748 "authenticated connection!\n"));
749 return NT_STATUS_INVALID_PARAMETER;
750 }
751- *pad_len = 0;
752 return NT_STATUS_OK;
753
754 default:
755@@ -909,10 +914,11 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
756 return status;
757 }
758
759+ pkt_trailer->length -= auth_length;
760 data = data_blob_const(raw_pkt->data + header_size,
761- pkt_trailer->length - auth_length);
762- full_pkt = data_blob_const(raw_pkt->data,
763- raw_pkt->length - auth_info.credentials.length);
764+ pkt_trailer->length);
765+ full_pkt = data_blob_const(raw_pkt->data, raw_pkt->length);
766+ full_pkt.length -= auth_info.credentials.length;
767
768 switch (auth->auth_type) {
769 case DCERPC_AUTH_TYPE_NONE:
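Review bot: `pkt_trailer->length -= auth_length;` and `full_pkt.length -= auth_info.credentials.length;` are unchecked `size_t` subtractions whose safety is established elsewhere: `dcerpc_pull_auth_trailer()` rejected `pkt_trailer->length < auth_length`, and the asserts above tie `pkt_trailer` inside `raw_pkt`, which presumably also bounds `credentials.length`. None of that is visible at this point in the code, so a comment such as `/* both lengths were bounded by dcerpc_pull_auth_trailer() and the asserts above; no underflow possible */` would tell the next reader why no guard is needed here. `dcerpc_check_auth()` starts and ends outside this hunk.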
770@@ -988,10 +994,13 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
771 * pkt_trailer actually has a copy of the raw data, and they
772 * are still both used in later calls */
773 if (auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
774+ if (pkt_trailer->length != data.length) {
775+ return NT_STATUS_INVALID_PARAMETER;
776+ }
777 memcpy(pkt_trailer->data, data.data, data.length);
778 }
779
780- *pad_len = auth_info.auth_pad_length;
781+ pkt_trailer->length -= auth_info.auth_pad_length;
782 data_blob_free(&auth_info.credentials);
783 return NT_STATUS_OK;
784 }
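Review bot: The new `if (pkt_trailer->length != data.length) { return NT_STATUS_INVALID_PARAMETER; }` returns without the `data_blob_free(&auth_info.credentials);` that the success path performs a few lines below, and the two `auth_type`/`auth_level` early returns added by patch 11 of this series do the same. Since `dcerpc_pull_auth_trailer()` steals `credentials.data` onto its `mem_ctx` (here `pkt`), this is presumably not a real leak, but the asymmetry invites one; freeing before each return, or a comment stating that talloc ownership makes the explicit free optional, would settle it. `dcerpc_check_auth()` starts outside this hunk.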
785diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
786index 2787fbc..776e2bf 100644
787--- a/source3/rpc_client/cli_pipe.c
788+++ b/source3/rpc_client/cli_pipe.c
789@@ -404,9 +404,9 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
790 DATA_BLOB *rdata,
791 DATA_BLOB *reply_pdu)
792 {
793- struct dcerpc_response *r;
794+ const struct dcerpc_response *r = NULL;
795+ DATA_BLOB tmp_stub = data_blob_null;
796 NTSTATUS ret = NT_STATUS_OK;
797- size_t pad_len = 0;
798
799 /*
800 * Point the return values at the real data including the RPC
801@@ -440,37 +440,24 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
802
803 r = &pkt->u.response;
804
805+ tmp_stub.data = r->stub_and_verifier.data;
806+ tmp_stub.length = r->stub_and_verifier.length;
807+
808 /* Here's where we deal with incoming sign/seal. */
809 ret = dcerpc_check_auth(cli->auth, pkt,
810- &r->stub_and_verifier,
811+ &tmp_stub,
812 DCERPC_RESPONSE_LENGTH,
813- pdu, &pad_len);
814+ pdu);
815 if (!NT_STATUS_IS_OK(ret)) {
816 return ret;
817 }
818
819- if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) {
820- return NT_STATUS_BUFFER_TOO_SMALL;
821- }
822-
823 /* Point the return values at the NDR data. */
824- rdata->data = r->stub_and_verifier.data;
825-
826- if (pkt->auth_length) {
827- /* We've already done integer wrap tests in
828- * dcerpc_check_auth(). */
829- rdata->length = r->stub_and_verifier.length
830- - pad_len
831- - DCERPC_AUTH_TRAILER_LENGTH
832- - pkt->auth_length;
833- } else {
834- rdata->length = r->stub_and_verifier.length;
835- }
836+ *rdata = tmp_stub;
837
838- DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
839+ DEBUG(10, ("Got pdu len %lu, data_len %lu\n",
840 (long unsigned int)pdu->length,
841- (long unsigned int)rdata->length,
842- (unsigned int)pad_len));
843+ (long unsigned int)rdata->length));
844
845 /*
846 * If this is the first reply, and the allocation hint is
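Review bot: The `tmp_stub` copy of `r->stub_and_verifier` is introduced without a comment; the reason is that `r` is now `const` (first hunk of this file) and `dcerpc_check_auth()` trims the blob in place, as its updated doc block states, so the copy is the writable view that becomes `*rdata`. A one-liner would save the next reader the cross-file lookup: `/* r is const and dcerpc_check_auth() shrinks the blob in place: work on a copy. */`. `cli_pipe_validate_current_pdu()` starts and ends outside this hunk.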
847diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
848index 964b843..0ab7dc6 100644
849--- a/source3/rpc_server/srv_pipe.c
850+++ b/source3/rpc_server/srv_pipe.c
851@@ -1848,7 +1848,6 @@ static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
852 {
853 NTSTATUS status;
854 size_t hdr_size = DCERPC_REQUEST_LENGTH;
855- size_t pad_len;
856
857 DEBUG(10, ("Checking request auth.\n"));
858
859@@ -1859,25 +1858,11 @@ static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
860 /* in case of sealing this function will unseal the data in place */
861 status = dcerpc_check_auth(auth, pkt,
862 &pkt->u.request.stub_and_verifier,
863- hdr_size, raw_pkt,
864- &pad_len);
865+ hdr_size, raw_pkt);
866 if (!NT_STATUS_IS_OK(status)) {
867 return status;
868 }
869
870-
871- /* remove padding and auth trailer,
872- * this way the caller will get just the data */
873- if (pkt->auth_length) {
874- size_t trail_len = pad_len
875- + DCERPC_AUTH_TRAILER_LENGTH
876- + pkt->auth_length;
877- if (pkt->u.request.stub_and_verifier.length < trail_len) {
878- return NT_STATUS_INFO_LENGTH_MISMATCH;
879- }
880- pkt->u.request.stub_and_verifier.length -= trail_len;
881- }
882-
883 return NT_STATUS_OK;
884 }
885
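Review bot: `hdr_size` is declared `size_t` (first hunk of this file) but is now passed to the `uint8_t header_size` parameter introduced by this commit, an implicit narrowing that `-Wconversion` will flag; the value is `DCERPC_REQUEST_LENGTH`, so it fits, but `uint8_t hdr_size = DCERPC_REQUEST_LENGTH;` matches the new contract. The removal of the trailer-stripping block relies on `dcerpc_check_auth()` now shrinking `pkt->u.request.stub_and_verifier` itself, which the surviving comment `/* in case of sealing this function will unseal the data in place */` no longer fully describes; extending it with `and strips the auth trailer and padding` keeps it accurate. `dcesrv_auth_request()` starts outside this hunk.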
886--
8872.8.1
888
889
890From 9ecba8f4635aa5dbd42e4838ce124a92395b64ab Mon Sep 17 00:00:00 2001
891From: Stefan Metzmacher <metze@samba.org>
892Date: Thu, 9 Jul 2015 07:59:24 +0200
893Subject: [PATCH 11/40] CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth()
894 auth_{type,level} against the expected values.
895MIME-Version: 1.0
896Content-Type: text/plain; charset=UTF-8
897Content-Transfer-Encoding: 8bit
898
899BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
900
901Signed-off-by: Stefan Metzmacher <metze@samba.org>
902Reviewed-by: Günther Deschner <gd@samba.org>
903(cherry picked from commit 19f489d32c03ff5fafd34fe86a075d782af1989a)
904---
905 source3/librpc/rpc/dcerpc_helpers.c | 8 ++++++++
906 1 file changed, 8 insertions(+)
907
908diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
909index d871339..c07835f 100644
910--- a/source3/librpc/rpc/dcerpc_helpers.c
911+++ b/source3/librpc/rpc/dcerpc_helpers.c
912@@ -914,6 +914,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
913 return status;
914 }
915
916+ if (auth_info.auth_type != auth->auth_type) {
917+ return NT_STATUS_INVALID_PARAMETER;
918+ }
919+
920+ if (auth_info.auth_level != auth->auth_level) {
921+ return NT_STATUS_INVALID_PARAMETER;
922+ }
923+
924 pkt_trailer->length -= auth_length;
925 data = data_blob_const(raw_pkt->data + header_size,
926 pkt_trailer->length);
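Review bot: The two new auth_type/auth_level comparisons return NT_STATUS_INVALID_PARAMETER without any diagnostic, so a peer that negotiated one auth type or level and then sends a trailer claiming another is rejected silently here, while the equivalent mismatch checks added later in this series (patch 15, patch 21) log both values. Suggest a line before each return, e.g. `DEBUG(1, ("dcerpc_check_auth: auth_type %u mismatch, expected %u\n", (unsigned)auth_info.auth_type, (unsigned)auth->auth_type));` and the same for auth_level. The status code also differs from the NT_STATUS_RPC_PROTOCOL_ERROR the client-side check in patch 15 uses for the same condition; aligning them keeps callers' error handling uniform. dcerpc_check_auth() starts and continues outside the hunk.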
927--
9282.8.1
929
930
931From 765c10dacf39a3c06c6b12651c205ac270e7fcea Mon Sep 17 00:00:00 2001
932From: Stefan Metzmacher <metze@samba.org>
933Date: Tue, 7 Jul 2015 13:05:01 +0200
934Subject: [PATCH 12/40] CVE-2015-5370: s3:rpc_client: make use of
935 dcerpc_pull_auth_trailer()
936MIME-Version: 1.0
937Content-Type: text/plain; charset=UTF-8
938Content-Transfer-Encoding: 8bit
939
940This does much more validation than dcerpc_pull_dcerpc_auth().
941
942BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
943
944Signed-off-by: Stefan Metzmacher <metze@samba.org>
945Reviewed-by: Günther Deschner <gd@samba.org>
946(cherry picked from commit acea87f158f02c3240abff45c3e54c7d5fa60b29)
947---
948 source3/rpc_client/cli_pipe.c | 20 ++++++--------------
949 1 file changed, 6 insertions(+), 14 deletions(-)
950
951diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
952index 776e2bf..27e37f8 100644
953--- a/source3/rpc_client/cli_pipe.c
954+++ b/source3/rpc_client/cli_pipe.c
955@@ -1938,20 +1938,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
956 rpc_pipe_bind_step_two_trigger(req);
957 return;
958
959- case DCERPC_AUTH_TYPE_NTLMSSP:
960- case DCERPC_AUTH_TYPE_SPNEGO:
961- case DCERPC_AUTH_TYPE_KRB5:
962- /* Paranoid lenght checks */
963- if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
964- + pkt->auth_length) {
965- tevent_req_nterror(req,
966- NT_STATUS_INFO_LENGTH_MISMATCH);
967+ default:
968+ if (pkt->auth_length == 0) {
969+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
970 return;
971 }
972 /* get auth credentials */
973- status = dcerpc_pull_dcerpc_auth(talloc_tos(),
974- &pkt->u.bind_ack.auth_info,
975- &auth, false);
976+ status = dcerpc_pull_auth_trailer(pkt, talloc_tos(),
977+ &pkt->u.bind_ack.auth_info,
978+ &auth, NULL, true);
979 if (!NT_STATUS_IS_OK(status)) {
980 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
981 nt_errstr(status)));
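Review bot: The new `auth_length == 0` rejection under `default:` fails the request with NT_STATUS_RPC_PROTOCOL_ERROR but logs nothing, while the pull failure immediately below it logs at DEBUG(0); a bind_ack that lacks the auth trailer an authenticated pipe requires deserves a message such as `DEBUG(1, (__location__ ": bind_ack without auth trailer on authenticated pipe\n"));` before the tevent_req_nterror. With `default: goto err_out` removed in the next hunk, the `err_out` label may have lost its only user; if no other goto in rpc_pipe_bind_step_one_done() targets it, the compiler will warn about an unused label and it should be dropped. The enclosing switch and function begin outside the hunk.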
982@@ -1959,9 +1954,6 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
983 return;
984 }
985 break;
986-
987- default:
988- goto err_out;
989 }
990
991 /*
992--
9932.8.1
994
995
996From b58616bbcc810b076e5fd9dd976272847f832b06 Mon Sep 17 00:00:00 2001
997From: Stefan Metzmacher <metze@samba.org>
998Date: Tue, 7 Jul 2015 13:05:01 +0200
999Subject: [PATCH 13/40] CVE-2015-5370: s3:rpc_client: make use of
1000 dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
1001MIME-Version: 1.0
1002Content-Type: text/plain; charset=UTF-8
1003Content-Transfer-Encoding: 8bit
1004
1005BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1006
1007Signed-off-by: Stefan Metzmacher <metze@samba.org>
1008Reviewed-by: Günther Deschner <gd@samba.org>
1009(cherry picked from commit 81bbffa14f5f6faa9801a3bf2d564d2762d49bb6)
1010---
1011 source3/rpc_client/cli_pipe.c | 111 ++++++++++++++++++++++++++++++++++++------
1012 1 file changed, 96 insertions(+), 15 deletions(-)
1013
1014diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
1015index 27e37f8..6a22d38 100644
1016--- a/source3/rpc_client/cli_pipe.c
1017+++ b/source3/rpc_client/cli_pipe.c
1018@@ -429,17 +429,89 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
1019
1020 /* Ensure we have the correct type. */
1021 switch (pkt->ptype) {
1022- case DCERPC_PKT_ALTER_RESP:
1023+ case DCERPC_PKT_BIND_NAK:
1024+ DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
1025+ rpccli_pipe_txt(talloc_tos(), cli)));
1026+
1027+ ret = dcerpc_verify_ncacn_packet_header(pkt,
1028+ DCERPC_PKT_BIND_NAK,
1029+ 0, /* max_auth_info */
1030+ DCERPC_PFC_FLAG_FIRST |
1031+ DCERPC_PFC_FLAG_LAST,
1032+ 0); /* optional flags */
1033+ if (!NT_STATUS_IS_OK(ret)) {
1034+ DEBUG(1, (__location__ ": Connection to %s got an unexpected "
1035+ "RPC packet type - %u, expected %u: %s\n",
1036+ rpccli_pipe_txt(talloc_tos(), cli),
1037+ pkt->ptype, expected_pkt_type,
1038+ nt_errstr(ret)));
1039+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
1040+ return ret;
1041+ }
1042+
1043+ /* Use this for now... */
1044+ return NT_STATUS_NETWORK_ACCESS_DENIED;
1045+
1046 case DCERPC_PKT_BIND_ACK:
1047+ ret = dcerpc_verify_ncacn_packet_header(pkt,
1048+ expected_pkt_type,
1049+ pkt->u.bind_ack.auth_info.length,
1050+ DCERPC_PFC_FLAG_FIRST |
1051+ DCERPC_PFC_FLAG_LAST,
1052+ DCERPC_PFC_FLAG_CONC_MPX |
1053+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN);
1054+ if (!NT_STATUS_IS_OK(ret)) {
1055+ DEBUG(1, (__location__ ": Connection to %s got an unexpected "
1056+ "RPC packet type - %u, expected %u: %s\n",
1057+ rpccli_pipe_txt(talloc_tos(), cli),
1058+ pkt->ptype, expected_pkt_type,
1059+ nt_errstr(ret)));
1060+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
1061+ return ret;
1062+ }
1063
1064- /* Client code never receives this kind of packets */
1065 break;
1066
1067+ case DCERPC_PKT_ALTER_RESP:
1068+ ret = dcerpc_verify_ncacn_packet_header(pkt,
1069+ expected_pkt_type,
1070+ pkt->u.alter_resp.auth_info.length,
1071+ DCERPC_PFC_FLAG_FIRST |
1072+ DCERPC_PFC_FLAG_LAST,
1073+ DCERPC_PFC_FLAG_CONC_MPX |
1074+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN);
1075+ if (!NT_STATUS_IS_OK(ret)) {
1076+ DEBUG(1, (__location__ ": Connection to %s got an unexpected "
1077+ "RPC packet type - %u, expected %u: %s\n",
1078+ rpccli_pipe_txt(talloc_tos(), cli),
1079+ pkt->ptype, expected_pkt_type,
1080+ nt_errstr(ret)));
1081+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
1082+ return ret;
1083+ }
1084+
1085+ break;
1086
1087 case DCERPC_PKT_RESPONSE:
1088
1089 r = &pkt->u.response;
1090
1091+ ret = dcerpc_verify_ncacn_packet_header(pkt,
1092+ expected_pkt_type,
1093+ r->stub_and_verifier.length,
1094+ 0, /* required_flags */
1095+ DCERPC_PFC_FLAG_FIRST |
1096+ DCERPC_PFC_FLAG_LAST);
1097+ if (!NT_STATUS_IS_OK(ret)) {
1098+ DEBUG(1, (__location__ ": Connection to %s got an unexpected "
1099+ "RPC packet type - %u, expected %u: %s\n",
1100+ rpccli_pipe_txt(talloc_tos(), cli),
1101+ pkt->ptype, expected_pkt_type,
1102+ nt_errstr(ret)));
1103+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
1104+ return ret;
1105+ }
1106+
1107 tmp_stub.data = r->stub_and_verifier.data;
1108 tmp_stub.length = r->stub_and_verifier.length;
1109
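Review bot: The failure branch after each dcerpc_verify_ncacn_packet_header() call — the DEBUG(1) with "got an unexpected RPC packet type - %u, expected %u", the NDR_PRINT_DEBUG and the return — is repeated verbatim in the BIND_NAK, BIND_ACK, ALTER_RESP and RESPONSE cases here and again in the FAULT hunk and the response-length hunk below. Replace each copy with `if (!NT_STATUS_IS_OK(ret)) { goto verify_failed; }` and keep a single copy of the logging under that label ahead of the function's final return (the function's end is outside the hunk). The shared message text is also misleading: the verifier rejects bad pfc_flags and an oversized auth trailer as well as a wrong ptype, and in the BIND_NAK and FAULT cases the `expected %u` printed is expected_pkt_type although the verify call passed the literal ptype; something like `__location__ ": packet header verification failed (ptype %u, expected %u): %s\n"` describes what was actually checked.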
1110@@ -449,6 +521,12 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
1111 DCERPC_RESPONSE_LENGTH,
1112 pdu);
1113 if (!NT_STATUS_IS_OK(ret)) {
1114+ DEBUG(1, (__location__ ": Connection to %s got an unexpected "
1115+ "RPC packet type - %u, expected %u: %s\n",
1116+ rpccli_pipe_txt(talloc_tos(), cli),
1117+ pkt->ptype, expected_pkt_type,
1118+ nt_errstr(ret)));
1119+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
1120 return ret;
1121 }
1122
1123@@ -478,14 +556,24 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
1124
1125 break;
1126
1127- case DCERPC_PKT_BIND_NAK:
1128- DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
1129- rpccli_pipe_txt(talloc_tos(), cli)));
1130- /* Use this for now... */
1131- return NT_STATUS_NETWORK_ACCESS_DENIED;
1132-
1133 case DCERPC_PKT_FAULT:
1134
1135+ ret = dcerpc_verify_ncacn_packet_header(pkt,
1136+ DCERPC_PKT_FAULT,
1137+ 0, /* max_auth_info */
1138+ DCERPC_PFC_FLAG_FIRST |
1139+ DCERPC_PFC_FLAG_LAST,
1140+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1141+ if (!NT_STATUS_IS_OK(ret)) {
1142+ DEBUG(1, (__location__ ": Connection to %s got an unexpected "
1143+ "RPC packet type - %u, expected %u: %s\n",
1144+ rpccli_pipe_txt(talloc_tos(), cli),
1145+ pkt->ptype, expected_pkt_type,
1146+ nt_errstr(ret)));
1147+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
1148+ return ret;
1149+ }
1150+
1151 DEBUG(1, (__location__ ": RPC fault code %s received "
1152 "from %s!\n",
1153 dcerpc_errstr(talloc_tos(),
1154@@ -502,13 +590,6 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
1155 return NT_STATUS_RPC_PROTOCOL_ERROR;
1156 }
1157
1158- if (pkt->ptype != expected_pkt_type) {
1159- DEBUG(3, (__location__ ": Connection to %s got an unexpected "
1160- "RPC packet type - %u, not %u\n",
1161- rpccli_pipe_txt(talloc_tos(), cli),
1162- pkt->ptype, expected_pkt_type));
1163- return NT_STATUS_RPC_PROTOCOL_ERROR;
1164- }
1165
1166 if (pkt->call_id != call_id) {
1167 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
1168--
11692.8.1
1170
1171
1172From 3e03b1e6d5b20c14d53763f22442bf510a8d6dcd Mon Sep 17 00:00:00 2001
1173From: Stefan Metzmacher <metze@samba.org>
1174Date: Fri, 10 Jul 2015 14:48:38 +0200
1175Subject: [PATCH 14/40] CVE-2015-5370: s3:rpc_client: protect
1176 rpc_api_pipe_got_pdu() against too large payloads
1177MIME-Version: 1.0
1178Content-Type: text/plain; charset=UTF-8
1179Content-Transfer-Encoding: 8bit
1180
1181BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1182
1183Signed-off-by: Stefan Metzmacher <metze@samba.org>
1184Reviewed-by: Günther Deschner <gd@samba.org>
1185(cherry picked from commit 98182969e761429e577064e1a0fd5cbc6b50d7d9)
1186---
1187 source3/rpc_client/cli_pipe.c | 5 +++++
1188 1 file changed, 5 insertions(+)
1189
1190diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
1191index 6a22d38..755b458 100644
1192--- a/source3/rpc_client/cli_pipe.c
1193+++ b/source3/rpc_client/cli_pipe.c
1194@@ -1007,6 +1007,11 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
1195 return;
1196 }
1197
1198+ if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) {
1199+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1200+ return;
1201+ }
1202+
1203 /* Now copy the data portion out of the pdu into rbuf. */
1204 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
1205 if (!data_blob_realloc(NULL, &state->reply_pdu,
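Review bot: The new cap rejects with NT_STATUS_INVALID_PARAMETER but logs nothing, so a reply that exceeds MAX_RPC_DATA_SIZE is indistinguishable at the caller from any other parameter error; add `DEBUG(1, (__location__ ": reply of %u + %u bytes exceeds MAX_RPC_DATA_SIZE\n", (unsigned)state->reply_pdu_offset, (unsigned)rdata.length));` before the tevent_req_nterror. The check is written as a sum, which is only wrap-free if reply_pdu_offset never exceeds MAX_RPC_DATA_SIZE — true if this same check has bounded it on every earlier fragment, but the declarations are outside the hunk, so that invariant is worth confirming or stating in a comment. rpc_api_pipe_got_pdu() begins and ends outside the hunk.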
1206--
12072.8.1
1208
1209
1210From fa884c266be5d808d19955f92921417f435b2957 Mon Sep 17 00:00:00 2001
1211From: Stefan Metzmacher <metze@samba.org>
1212Date: Tue, 7 Jul 2015 22:51:18 +0200
1213Subject: [PATCH 15/40] CVE-2015-5370: s3:rpc_client: verify auth_{type,level}
1214 in rpc_pipe_bind_step_one_done()
1215MIME-Version: 1.0
1216Content-Type: text/plain; charset=UTF-8
1217Content-Transfer-Encoding: 8bit
1218
1219BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1220
1221Signed-off-by: Stefan Metzmacher <metze@samba.org>
1222Reviewed-by: Günther Deschner <gd@samba.org>
1223(cherry picked from commit df51c22bea7fbf906613ceb160f16f298b2e3106)
1224---
1225 source3/rpc_client/cli_pipe.c | 15 +++++++++++++++
1226 1 file changed, 15 insertions(+)
1227
1228diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
1229index 755b458..1c4ff01 100644
1230--- a/source3/rpc_client/cli_pipe.c
1231+++ b/source3/rpc_client/cli_pipe.c
1232@@ -2039,6 +2039,21 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
1233 tevent_req_nterror(req, status);
1234 return;
1235 }
1236+
1237+ if (auth.auth_type != pauth->auth_type) {
1238+ DEBUG(0, (__location__ " Auth type %u mismatch expected %u.\n",
1239+ auth.auth_type, pauth->auth_type));
1240+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
1241+ return;
1242+ }
1243+
1244+ if (auth.auth_level != pauth->auth_level) {
1245+ DEBUG(0, (__location__ " Auth level %u mismatch expected %u.\n",
1246+ auth.auth_level, pauth->auth_level));
1247+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
1248+ return;
1249+ }
1250+
1251 break;
1252 }
1253
1254--
12552.8.1
1256
1257
1258From 6d2767ad8b084590c572e90d1985ca6d7d36b188 Mon Sep 17 00:00:00 2001
1259From: Stefan Metzmacher <metze@samba.org>
1260Date: Tue, 7 Jul 2015 13:05:01 +0200
1261Subject: [PATCH 16/40] CVE-2015-5370: s3:rpc_server: make use of
1262 dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
1263MIME-Version: 1.0
1264Content-Type: text/plain; charset=UTF-8
1265Content-Transfer-Encoding: 8bit
1266
1267BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1268
1269Signed-off-by: Stefan Metzmacher <metze@samba.org>
1270Reviewed-by: Günther Deschner <gd@samba.org>
1271(cherry picked from commit 2a92546590a78760d2fe0e63067a3888dbce53be)
1272---
1273 source3/rpc_server/srv_pipe.c | 62 +++++++++----------------------------------
1274 1 file changed, 13 insertions(+), 49 deletions(-)
1275
1276diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1277index 0ab7dc6..40b1b8e 100644
1278--- a/source3/rpc_server/srv_pipe.c
1279+++ b/source3/rpc_server/srv_pipe.c
1280@@ -1012,25 +1012,12 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
1281 * Check if this is an authenticated bind request.
1282 */
1283 if (pkt->auth_length) {
1284- /* Quick length check. Won't catch a bad auth footer,
1285- * prevents overrun. */
1286-
1287- if (pkt->frag_length < RPC_HEADER_LEN +
1288- DCERPC_AUTH_TRAILER_LENGTH +
1289- pkt->auth_length) {
1290- DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1291- "too long for fragment %u.\n",
1292- (unsigned int)pkt->auth_length,
1293- (unsigned int)pkt->frag_length));
1294- goto err_exit;
1295- }
1296-
1297 /*
1298 * Decode the authentication verifier.
1299 */
1300- status = dcerpc_pull_dcerpc_auth(pkt,
1301- &pkt->u.bind.auth_info,
1302- &auth_info, p->endian);
1303+ status = dcerpc_pull_auth_trailer(pkt, pkt,
1304+ &pkt->u.bind.auth_info,
1305+ &auth_info, NULL, true);
1306 if (!NT_STATUS_IS_OK(status)) {
1307 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1308 goto err_exit;
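Review bot: dcerpc_pull_auth_trailer() now carries the length validation that the removed frag_length check performed and can fail for several distinct reasons, but the existing `DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"))` below the call discards `status`, so the log no longer says which check tripped — the removed block at least printed auth_length and frag_length. Suggest `DEBUG(0, ("Unable to unmarshall dcerpc_auth: %s\n", nt_errstr(status)));` here, and the same treatment for the "Failed to unmarshall dcerpc_auth." message in the auth3 hunk and the alter_context hunk below. The `p->endian` argument was dropped with the old call; presumably the new function takes byte order from the packet itself, and a one-line comment at the call site would save the next reader that lookup. api_pipe_bind_req() starts and ends outside the hunk.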
1309@@ -1233,23 +1220,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1310 goto err;
1311 }
1312
1313- /* Ensure there's enough data for an authenticated request. */
1314- if (pkt->frag_length < RPC_HEADER_LEN
1315- + DCERPC_AUTH_TRAILER_LENGTH
1316- + pkt->auth_length) {
1317- DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1318- "%u is too large.\n",
1319- (unsigned int)pkt->auth_length));
1320- goto err;
1321- }
1322-
1323 /*
1324 * Decode the authentication verifier response.
1325 */
1326
1327- status = dcerpc_pull_dcerpc_auth(pkt,
1328- &pkt->u.auth3.auth_info,
1329- &auth_info, p->endian);
1330+ status = dcerpc_pull_auth_trailer(pkt, pkt,
1331+ &pkt->u.auth3.auth_info,
1332+ &auth_info, NULL, true);
1333 if (!NT_STATUS_IS_OK(status)) {
1334 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1335 goto err;
1336@@ -1382,34 +1359,21 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1337 * Check if this is an authenticated alter context request.
1338 */
1339 if (pkt->auth_length) {
1340- /* Quick length check. Won't catch a bad auth footer,
1341- * prevents overrun. */
1342-
1343- if (pkt->frag_length < RPC_HEADER_LEN +
1344- DCERPC_AUTH_TRAILER_LENGTH +
1345- pkt->auth_length) {
1346- DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1347- "too long for fragment %u.\n",
1348- (unsigned int)pkt->auth_length,
1349- (unsigned int)pkt->frag_length ));
1350+ /* We can only finish if the pipe is unbound for now */
1351+ if (p->pipe_bound) {
1352+ DEBUG(0, (__location__ ": Pipe already bound, "
1353+ "Altering Context not yet supported!\n"));
1354 goto err_exit;
1355 }
1356
1357- status = dcerpc_pull_dcerpc_auth(pkt,
1358- &pkt->u.bind.auth_info,
1359- &auth_info, p->endian);
1360+ status = dcerpc_pull_auth_trailer(pkt, pkt,
1361+ &pkt->u.bind.auth_info,
1362+ &auth_info, NULL, true);
1363 if (!NT_STATUS_IS_OK(status)) {
1364 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1365 goto err_exit;
1366 }
1367
1368- /* We can only finish if the pipe is unbound for now */
1369- if (p->pipe_bound) {
1370- DEBUG(0, (__location__ ": Pipe already bound, "
1371- "Altering Context not yet supported!\n"));
1372- goto err_exit;
1373- }
1374-
1375 if (auth_info.auth_type != p->auth.auth_type) {
1376 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1377 "but auth was started as type %d!\n",
1378--
13792.8.1
1380
1381
1382From 7400ac11282d540d4f5f80d0f58ec99beabb7d8e Mon Sep 17 00:00:00 2001
1383From: Stefan Metzmacher <metze@samba.org>
1384Date: Wed, 23 Dec 2015 12:38:55 +0100
1385Subject: [PATCH 17/40] CVE-2015-5370: s3:rpc_server: let a failing
1386 sec_verification_trailer mark the connection as broken
1387
1388BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1389
1390Signed-off-by: Stefan Metzmacher <metze@samba.org>
1391(cherry picked from commit 189c0fbb7a3405f0893f23e5b8d755d259f98eaf)
1392---
1393 source3/rpc_server/srv_pipe.c | 1 +
1394 1 file changed, 1 insertion(+)
1395
1396diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1397index 40b1b8e..da9b91c 100644
1398--- a/source3/rpc_server/srv_pipe.c
1399+++ b/source3/rpc_server/srv_pipe.c
1400@@ -1663,6 +1663,7 @@ static bool api_pipe_request(struct pipes_struct *p,
1401
1402 if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
1403 DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
1404+ set_incoming_fault(p);
1405 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
1406 data_blob_free(&p->out_data.rdata);
1407 TALLOC_FREE(frame);
1408--
14092.8.1
1410
1411
1412From 55da4653f5986989e46be6320f96590f8ebb4ef7 Mon Sep 17 00:00:00 2001
1413From: Stefan Metzmacher <metze@samba.org>
1414Date: Tue, 7 Jul 2015 13:05:01 +0200
1415Subject: [PATCH 18/40] CVE-2015-5370: s3:rpc_server: don't ignore failures of
1416 dcerpc_push_ncacn_packet()
1417MIME-Version: 1.0
1418Content-Type: text/plain; charset=UTF-8
1419Content-Transfer-Encoding: 8bit
1420
1421BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1422
1423Signed-off-by: Stefan Metzmacher <metze@samba.org>
1424Reviewed-by: Günther Deschner <gd@samba.org>
1425(cherry picked from commit 25bf597124f217c55b5ca71a5ea9cb0ea83943e5)
1426---
1427 source3/rpc_server/srv_pipe.c | 2 ++
1428 1 file changed, 2 insertions(+)
1429
1430diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1431index da9b91c..71b4665 100644
1432--- a/source3/rpc_server/srv_pipe.c
1433+++ b/source3/rpc_server/srv_pipe.c
1434@@ -1152,6 +1152,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
1435 if (!NT_STATUS_IS_OK(status)) {
1436 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1437 nt_errstr(status)));
1438+ goto err_exit;
1439 }
1440
1441 if (auth_resp.length) {
1442@@ -1469,6 +1470,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1443 if (!NT_STATUS_IS_OK(status)) {
1444 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1445 nt_errstr(status)));
1446+ goto err_exit;
1447 }
1448
1449 if (auth_resp.length) {
1450--
14512.8.1
1452
1453
1454From 893c840a1aac6711a081eb8e25f2c2a6078fc373 Mon Sep 17 00:00:00 2001
1455From: Stefan Metzmacher <metze@samba.org>
1456Date: Tue, 7 Jul 2015 13:05:01 +0200
1457Subject: [PATCH 19/40] CVE-2015-5370: s3:rpc_server: don't allow auth3 if the
1458 authentication was already finished
1459MIME-Version: 1.0
1460Content-Type: text/plain; charset=UTF-8
1461Content-Transfer-Encoding: 8bit
1462
1463BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1464
1465Signed-off-by: Stefan Metzmacher <metze@samba.org>
1466Reviewed-by: Günther Deschner <gd@samba.org>
1467(cherry picked from commit 69280e6acef7c3941407d4308b659c5e90ed702d)
1468---
1469 source3/rpc_server/srv_pipe.c | 9 ++++++++-
1470 1 file changed, 8 insertions(+), 1 deletion(-)
1471
1472diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1473index 71b4665..4e5b50d4 100644
1474--- a/source3/rpc_server/srv_pipe.c
1475+++ b/source3/rpc_server/srv_pipe.c
1476@@ -1216,8 +1216,15 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1477
1478 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1479
1480+ /* We can only finish if the pipe is unbound for now */
1481+ if (p->pipe_bound) {
1482+ DEBUG(0, (__location__ ": Pipe already bound, "
1483+ "AUTH3 not supported!\n"));
1484+ goto err;
1485+ }
1486+
1487 if (pkt->auth_length == 0) {
1488- DEBUG(0, ("No auth field sent for bind request!\n"));
1489+ DEBUG(1, ("No auth field sent for auth3 request!\n"));
1490 goto err;
1491 }
1492
1493--
14942.8.1
1495
1496
1497From a66baed0c65b7acb4d76ef9ea3ae1248a6b5773a Mon Sep 17 00:00:00 2001
1498From: Stefan Metzmacher <metze@samba.org>
1499Date: Tue, 14 Jul 2015 16:18:45 +0200
1500Subject: [PATCH 20/40] CVE-2015-5370: s3:rpc_server: let a failing auth3 mark
1501 the authentication as invalid
1502MIME-Version: 1.0
1503Content-Type: text/plain; charset=UTF-8
1504Content-Transfer-Encoding: 8bit
1505
1506BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1507
1508Signed-off-by: Stefan Metzmacher <metze@samba.org>
1509Reviewed-by: Günther Deschner <gd@samba.org>
1510(cherry picked from commit 8c96ef7b4fbd925607b26d351b14ad9a95febd88)
1511---
1512 source3/rpc_server/srv_pipe.c | 2 +-
1513 1 file changed, 1 insertion(+), 1 deletion(-)
1514
1515diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1516index 4e5b50d4..d28ba8e 100644
1517--- a/source3/rpc_server/srv_pipe.c
1518+++ b/source3/rpc_server/srv_pipe.c
1519@@ -1304,7 +1304,7 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1520 return true;
1521
1522 err:
1523-
1524+ p->pipe_bound = false;
1525 TALLOC_FREE(p->auth.auth_ctx);
1526 return false;
1527 }
1528--
15292.8.1
1530
1531
1532From e47becdf2c03d68662ab998c4608adb371ca2f08 Mon Sep 17 00:00:00 2001
1533From: Stefan Metzmacher <metze@samba.org>
1534Date: Tue, 7 Jul 2015 13:05:01 +0200
1535Subject: [PATCH 21/40] CVE-2015-5370: s3:rpc_server: make sure auth_level
1536 isn't changed by alter_context or auth3
1537MIME-Version: 1.0
1538Content-Type: text/plain; charset=UTF-8
1539Content-Transfer-Encoding: 8bit
1540
1541BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1542
1543Signed-off-by: Stefan Metzmacher <metze@samba.org>
1544Reviewed-by: Günther Deschner <gd@samba.org>
1545(cherry picked from commit 63d21d2546a1064be73582a499ec15b0e11e2708)
1546---
1547 source3/rpc_server/srv_pipe.c | 13 +++++++++++++
1548 1 file changed, 13 insertions(+)
1549
1550diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1551index d28ba8e..1b81a4c 100644
1552--- a/source3/rpc_server/srv_pipe.c
1553+++ b/source3/rpc_server/srv_pipe.c
1554@@ -1252,6 +1252,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1555 goto err;
1556 }
1557
1558+ if (auth_info.auth_level != p->auth.auth_level) {
1559+ DEBUG(1, ("Auth level mismatch! Client sent %d, "
1560+ "but auth was started as level %d!\n",
1561+ auth_info.auth_level, p->auth.auth_level));
1562+ goto err;
1563+ }
1564+
1565 switch (auth_info.auth_type) {
1566 case DCERPC_AUTH_TYPE_NTLMSSP:
1567 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1568@@ -1389,6 +1396,12 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1569 goto err_exit;
1570 }
1571
1572+ if (auth_info.auth_level != p->auth.auth_level) {
1573+ DEBUG(0, ("Auth level mismatch! Client sent %d, "
1574+ "but auth was started as level %d!\n",
1575+ auth_info.auth_level, p->auth.auth_level));
1576+ goto err_exit;
1577+ }
1578
1579 switch (auth_info.auth_type) {
1580 case DCERPC_AUTH_TYPE_SPNEGO:
1581--
15822.8.1
1583
1584
1585From 687a4801391c946a62d07a7bdad096a97da0d432 Mon Sep 17 00:00:00 2001
1586From: Jeremy Allison <jra@samba.org>
1587Date: Tue, 7 Jul 2015 09:15:39 +0200
1588Subject: [PATCH 22/40] CVE-2015-5370: s3:rpc_server: ensure that the message
1589 ordering doesn't violate the spec
1590MIME-Version: 1.0
1591Content-Type: text/plain; charset=UTF-8
1592Content-Transfer-Encoding: 8bit
1593
1594The first pdu is always a BIND.
1595
1596REQUEST pdus are only allowed once the authentication
1597is finished.
1598
1599A simple anonymous authentication is finished after the BIND.
1600Real authentication may need additional ALTER or AUTH3 exchanges.
1601
1602Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
1603
1604BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1605
1606Signed-off-by: Jeremy Allison <jra@samba.org>
1607Signed-off-by: Stefan Metzmacher <metze@samba.org>
1608Reviewed-by: Günther Deschner <gd@samba.org>
1609(cherry picked from commit 0239bfa562ee303c4ac204375b3c66ca287f6cb0)
1610---
1611 source3/include/ntdomain.h | 7 ++++++
1612 source3/rpc_server/rpc_ncacn_np.c | 1 +
1613 source3/rpc_server/rpc_server.c | 1 +
1614 source3/rpc_server/srv_pipe.c | 51 ++++++++++++++++++++++++++++++++++-----
1615 4 files changed, 54 insertions(+), 6 deletions(-)
1616
1617diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
1618index 650f1d0..b3c5451 100644
1619--- a/source3/include/ntdomain.h
1620+++ b/source3/include/ntdomain.h
1621@@ -139,6 +139,13 @@ struct pipes_struct {
1622 bool pipe_bound;
1623
1624 /*
1625+ * States we can be in.
1626+ */
1627+ bool allow_alter;
1628+ bool allow_bind;
1629+ bool allow_auth3;
1630+
1631+ /*
1632 * Set the DCERPC_FAULT to return.
1633 */
1634
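Review bot: The comment `States we can be in.` above the three new flags says nothing about what each one permits or which code path flips it, and bare bools for an ordering state machine are easy to update inconsistently (the srv_pipe.c hunks of this commit clear them in three separate places). Suggest a comment along the lines of `/* DCERPC message-ordering state: allow_bind is set when the pipe is created and cleared by the first BIND; allow_alter and allow_auth3 are set once a BIND succeeds and cleared on bind_nak, auth3 failure or an incoming fault. */`, which is what the srv_pipe.c changes in this commit implement. A single enum state would express the same transitions with one assignment each, but that is a larger change than this fix warrants.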
1635diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
1636index efdee27..f2e9d10 100644
1637--- a/source3/rpc_server/rpc_ncacn_np.c
1638+++ b/source3/rpc_server/rpc_ncacn_np.c
1639@@ -171,6 +171,7 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
1640
1641 p->syntax = *syntax;
1642 p->transport = NCALRPC;
1643+ p->allow_bind = true;
1644
1645 DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",
1646 get_pipe_name_from_syntax(talloc_tos(), syntax), pipes_open));
1647diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
1648index 8ec55bb..376d26a 100644
1649--- a/source3/rpc_server/rpc_server.c
1650+++ b/source3/rpc_server/rpc_server.c
1651@@ -102,6 +102,7 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
1652 p->syntax = id;
1653 p->transport = transport;
1654 p->ncalrpc_as_system = ncalrpc_as_system;
1655+ p->allow_bind = true;
1656
1657 p->mem_ctx = talloc_named(p, 0, "pipe %s %p", pipe_name, p);
1658 if (!p->mem_ctx) {
1659diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1660index 1b81a4c..41111aa 100644
1661--- a/source3/rpc_server/srv_pipe.c
1662+++ b/source3/rpc_server/srv_pipe.c
1663@@ -279,6 +279,9 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
1664 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1665 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1666 p->pipe_bound = False;
1667+ p->allow_bind = false;
1668+ p->allow_alter = false;
1669+ p->allow_auth3 = false;
1670
1671 return True;
1672 }
1673@@ -828,6 +831,11 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
1674 void *mech_ctx;
1675 NTSTATUS status;
1676
1677+ if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
1678+ p->pipe_bound = true;
1679+ return NT_STATUS_OK;
1680+ }
1681+
1682 switch (p->auth.auth_type) {
1683 case DCERPC_AUTH_TYPE_NTLMSSP:
1684 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1685@@ -919,13 +927,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
1686 DATA_BLOB auth_resp = data_blob_null;
1687 DATA_BLOB auth_blob = data_blob_null;
1688
1689- /* No rebinds on a bound pipe - use alter context. */
1690- if (p->pipe_bound) {
1691- DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1692- "pipe %s.\n",
1693- get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1694+ if (!p->allow_bind) {
1695+ DEBUG(2,("Pipe not in allow bind state\n"));
1696 return setup_bind_nak(p, pkt);
1697 }
1698+ p->allow_bind = false;
1699
1700 if (pkt->u.bind.num_contexts == 0) {
1701 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1702@@ -1192,6 +1198,22 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
1703 p->out_data.current_pdu_sent = 0;
1704
1705 TALLOC_FREE(auth_blob.data);
1706+
1707+ if (bind_ack_ctx.result == 0) {
1708+ p->allow_alter = true;
1709+ p->allow_auth3 = true;
1710+ if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
1711+ status = pipe_auth_verify_final(p);
1712+ if (!NT_STATUS_IS_OK(status)) {
1713+ DEBUG(0, ("pipe_auth_verify_final failed: %s\n",
1714+ nt_errstr(status)));
1715+ goto err_exit;
1716+ }
1717+ }
1718+ } else {
1719+ goto err_exit;
1720+ }
1721+
1722 return True;
1723
1724 err_exit:
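Review bot: allow_alter and allow_auth3 are set to true before pipe_auth_verify_final() runs, so if verification fails and err_exit does not route through set_incoming_fault(), the pipe is left accepting ALTER and AUTH3 after a bind that did not complete; err_exit's body is outside the hunk, so this cannot be confirmed here, but setting the flags only after the verification succeeds removes the dependency. The new `else { goto err_exit; }` also changes what a client sees on a provider reject: previously the bind_ack carrying DCERPC_BIND_PROVIDER_REJECT was still returned with True, now the built response is abandoned in favour of whatever err_exit produces — if that is intended, a comment saying so would help. api_pipe_bind_req() starts outside the hunk.
```c
	/* … unchanged: TALLOC_FREE(auth_blob.data); … */
	if (bind_ack_ctx.result != 0) {
		goto err_exit;
	}
	if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
		status = pipe_auth_verify_final(p);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(0, ("pipe_auth_verify_final failed: %s\n",
				  nt_errstr(status)));
			goto err_exit;
		}
	}
	/* Only a completed bind may be followed by ALTER or AUTH3. */
	p->allow_alter = true;
	p->allow_auth3 = true;

	return True;
```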
1725@@ -1216,6 +1238,11 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1726
1727 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1728
1729+ if (!p->allow_auth3) {
1730+ DEBUG(1, ("Pipe not in allow auth3 state.\n"));
1731+ goto err;
1732+ }
1733+
1734 /* We can only finish if the pipe is unbound for now */
1735 if (p->pipe_bound) {
1736 DEBUG(0, (__location__ ": Pipe already bound, "
1737@@ -1312,6 +1339,10 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1738
1739 err:
1740 p->pipe_bound = false;
1741+ p->allow_bind = false;
1742+ p->allow_alter = false;
1743+ p->allow_auth3 = false;
1744+
1745 TALLOC_FREE(p->auth.auth_ctx);
1746 return false;
1747 }
1748@@ -1338,6 +1369,11 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1749
1750 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1751
1752+ if (!p->allow_alter) {
1753+ DEBUG(1, ("Pipe not in allow alter state.\n"));
1754+ goto err_exit;
1755+ }
1756+
1757 if (pkt->u.bind.assoc_group_id != 0) {
1758 assoc_gid = pkt->u.bind.assoc_group_id;
1759 } else {
1760@@ -1363,7 +1399,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1761 bind_ack_ctx.reason = 0;
1762 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1763 } else {
1764- p->pipe_bound = False;
1765 /* Rejection reason: abstract syntax not supported */
1766 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1767 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1768@@ -1826,6 +1861,10 @@ void set_incoming_fault(struct pipes_struct *p)
1769 p->in_data.pdu.length = 0;
1770 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
1771
1772+ p->allow_alter = false;
1773+ p->allow_auth3 = false;
1774+ p->pipe_bound = false;
1775+
1776 DEBUG(10, ("Setting fault state\n"));
1777 }
1778
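Review bot: set_incoming_fault() now clears allow_alter, allow_auth3 and pipe_bound but leaves allow_bind untouched, whereas the auth3 error path in this same commit clears all three allow_* flags together. If a fault that arrives before the first BIND is meant to still permit a BIND afterwards, a one-line comment here would record that; otherwise `p->allow_bind = false;` belongs next to the other two so every failure path leaves the pipe in the same state. The function's head is outside the hunk.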
1779--
17802.8.1
1781
1782
1783From 45701966d49ec1003f19c137a548c26915f75a99 Mon Sep 17 00:00:00 2001
1784From: Stefan Metzmacher <metze@samba.org>
1785Date: Tue, 7 Jul 2015 16:06:59 +0200
1786Subject: [PATCH 23/40] CVE-2015-5370: s3:rpc_server: use 'alter' instead of
1787 'bind' for variables in api_pipe_alter_context()
1788MIME-Version: 1.0
1789Content-Type: text/plain; charset=UTF-8
1790Content-Transfer-Encoding: 8bit
1791
1792BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1793
1794Signed-off-by: Stefan Metzmacher <metze@samba.org>
1795Reviewed-by: Günther Deschner <gd@samba.org>
1796(cherry picked from commit cdefee174d2f8920323e9e62966df4f4ced49ed3)
1797---
1798 source3/rpc_server/srv_pipe.c | 32 ++++++++++++++++----------------
1799 1 file changed, 16 insertions(+), 16 deletions(-)
1800
1801diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1802index 41111aa..382d94a 100644
1803--- a/source3/rpc_server/srv_pipe.c
1804+++ b/source3/rpc_server/srv_pipe.c
1805@@ -1359,7 +1359,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1806 uint16 assoc_gid;
1807 NTSTATUS status;
1808 union dcerpc_payload u;
1809- struct dcerpc_ack_ctx bind_ack_ctx;
1810+ struct dcerpc_ack_ctx alter_ack_ctx;
1811 DATA_BLOB auth_resp = data_blob_null;
1812 DATA_BLOB auth_blob = data_blob_null;
1813 int pad_len = 0;
1814@@ -1374,8 +1374,8 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1815 goto err_exit;
1816 }
1817
1818- if (pkt->u.bind.assoc_group_id != 0) {
1819- assoc_gid = pkt->u.bind.assoc_group_id;
1820+ if (pkt->u.alter.assoc_group_id != 0) {
1821+ assoc_gid = pkt->u.alter.assoc_group_id;
1822 } else {
1823 assoc_gid = 0x53f0;
1824 }
1825@@ -1385,24 +1385,24 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1826 */
1827
1828 /* If the requested abstract synt uuid doesn't match our client pipe,
1829- reject the bind_ack & set the transfer interface synt to all 0's,
1830+ reject the alter_ack & set the transfer interface synt to all 0's,
1831 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1832 unknown to NT4)
1833 Needed when adding entries to a DACL from NT5 - SK */
1834
1835 if (check_bind_req(p,
1836- &pkt->u.bind.ctx_list[0].abstract_syntax,
1837- &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1838- pkt->u.bind.ctx_list[0].context_id)) {
1839+ &pkt->u.alter.ctx_list[0].abstract_syntax,
1840+ &pkt->u.alter.ctx_list[0].transfer_syntaxes[0],
1841+ pkt->u.alter.ctx_list[0].context_id)) {
1842
1843- bind_ack_ctx.result = 0;
1844- bind_ack_ctx.reason = 0;
1845- bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1846+ alter_ack_ctx.result = 0;
1847+ alter_ack_ctx.reason = 0;
1848+ alter_ack_ctx.syntax = pkt->u.alter.ctx_list[0].transfer_syntaxes[0];
1849 } else {
1850 /* Rejection reason: abstract syntax not supported */
1851- bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1852- bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1853- bind_ack_ctx.syntax = null_ndr_syntax_id;
1854+ alter_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1855+ alter_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1856+ alter_ack_ctx.syntax = null_ndr_syntax_id;
1857 }
1858
1859 /*
1860@@ -1417,7 +1417,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1861 }
1862
1863 status = dcerpc_pull_auth_trailer(pkt, pkt,
1864- &pkt->u.bind.auth_info,
1865+ &pkt->u.alter.auth_info,
1866 &auth_info, NULL, true);
1867 if (!NT_STATUS_IS_OK(status)) {
1868 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1869@@ -1503,7 +1503,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1870 u.alter_resp.secondary_address_size = 1;
1871
1872 u.alter_resp.num_results = 1;
1873- u.alter_resp.ctx_list = &bind_ack_ctx;
1874+ u.alter_resp.ctx_list = &alter_ack_ctx;
1875
1876 /* NOTE: We leave the auth_info empty so we can calculate the padding
1877 * later and then append the auth_info --simo */
1878@@ -1523,7 +1523,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1879 &u,
1880 &p->out_data.frag);
1881 if (!NT_STATUS_IS_OK(status)) {
1882- DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1883+ DEBUG(0, ("Failed to marshall alter_resp packet. (%s)\n",
1884 nt_errstr(status)));
1885 goto err_exit;
1886 }
1887--
18882.8.1
1889
1890
1891From 62b936e134a53662601b0f614f95dbca5ff7a369 Mon Sep 17 00:00:00 2001
1892From: Stefan Metzmacher <metze@samba.org>
1893Date: Tue, 7 Jul 2015 16:06:59 +0200
1894Subject: [PATCH 24/40] CVE-2015-5370: s3:rpc_server: verify presentation
1895 context arrays
1896MIME-Version: 1.0
1897Content-Type: text/plain; charset=UTF-8
1898Content-Transfer-Encoding: 8bit
1899
1900BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1901
1902Signed-off-by: Stefan Metzmacher <metze@samba.org>
1903Reviewed-by: Günther Deschner <gd@samba.org>
1904(cherry picked from commit 1e6b4abac14840e4cee1afc5d4811b0f0277eade)
1905---
1906 source3/rpc_server/srv_pipe.c | 17 ++++++++++++++++-
1907 1 file changed, 16 insertions(+), 1 deletion(-)
1908
1909diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1910index 382d94a..335af2a 100644
1911--- a/source3/rpc_server/srv_pipe.c
1912+++ b/source3/rpc_server/srv_pipe.c
1913@@ -934,7 +934,12 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
1914 p->allow_bind = false;
1915
1916 if (pkt->u.bind.num_contexts == 0) {
1917- DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1918+ DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n"));
1919+ goto err_exit;
1920+ }
1921+
1922+ if (pkt->u.bind.ctx_list[0].num_transfer_syntaxes == 0) {
1923+ DEBUG(1, ("api_pipe_bind_req: no transfer syntaxes around\n"));
1924 goto err_exit;
1925 }
1926
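Review bot: Only `ctx_list[0]` and its first transfer syntax are validated here, while the subject line speaks of verifying the presentation context arrays; a reader may assume the remaining `num_contexts - 1` entries were checked too. A comment next to the second check would make the scope explicit, e.g. `/* only ctx_list[0] is used below, so only its transfer syntaxes are checked */`; the api_pipe_alter_context() hunk below has the same shape. Lowering the "no rpc contexts" message from DEBUG(0) to DEBUG(1) is welcome, since the condition is entirely client-controlled. api_pipe_bind_req() continues outside this hunk.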
1927@@ -1374,6 +1379,16 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
1928 goto err_exit;
1929 }
1930
1931+ if (pkt->u.alter.num_contexts == 0) {
1932+ DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n"));
1933+ goto err_exit;
1934+ }
1935+
1936+ if (pkt->u.alter.ctx_list[0].num_transfer_syntaxes == 0) {
1937+ DEBUG(1, ("api_pipe_alter_context: no transfer syntaxes around\n"));
1938+ goto err_exit;
1939+ }
1940+
1941 if (pkt->u.alter.assoc_group_id != 0) {
1942 assoc_gid = pkt->u.alter.assoc_group_id;
1943 } else {
1944--
19452.8.1
1946
1947
1948From 585e8aefafcb5f8c501cdf4454b375ebda82f7a6 Mon Sep 17 00:00:00 2001
1949From: Stefan Metzmacher <metze@samba.org>
1950Date: Tue, 7 Jul 2015 16:06:59 +0200
1951Subject: [PATCH 25/40] CVE-2015-5370: s3:rpc_server: make use of
1952 dcerpc_verify_ncacn_packet_header() to verify incoming pdus
1953MIME-Version: 1.0
1954Content-Type: text/plain; charset=UTF-8
1955Content-Transfer-Encoding: 8bit
1956
1957BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
1958
1959Signed-off-by: Stefan Metzmacher <metze@samba.org>
1960Reviewed-by: Günther Deschner <gd@samba.org>
1961(cherry picked from commit e39fdceb25fc75b6f8c77c097bf8dbd2f4286618)
1962---
1963 source3/rpc_server/srv_pipe.c | 81 +++++++++++++++++++++++++++++++++++++++++++
1964 1 file changed, 81 insertions(+)
1965
1966diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
1967index 335af2a..2f404b4 100644
1968--- a/source3/rpc_server/srv_pipe.c
1969+++ b/source3/rpc_server/srv_pipe.c
1970@@ -42,6 +42,7 @@
1971 #include "auth.h"
1972 #include "ntdomain.h"
1973 #include "rpc_server/srv_pipe.h"
1974+#include "../librpc/gen_ndr/ndr_dcerpc.h"
1975 #include "../librpc/ndr/ndr_dcerpc.h"
1976 #include "../librpc/gen_ndr/ndr_samr.h"
1977 #include "../librpc/gen_ndr/ndr_lsa.h"
1978@@ -933,6 +934,25 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
1979 }
1980 p->allow_bind = false;
1981
1982+ status = dcerpc_verify_ncacn_packet_header(pkt,
1983+ DCERPC_PKT_BIND,
1984+ pkt->u.bind.auth_info.length,
1985+ 0, /* required flags */
1986+ DCERPC_PFC_FLAG_FIRST |
1987+ DCERPC_PFC_FLAG_LAST |
1988+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1989+ 0x08 | /* this is not defined, but should be ignored */
1990+ DCERPC_PFC_FLAG_CONC_MPX |
1991+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1992+ DCERPC_PFC_FLAG_MAYBE |
1993+ DCERPC_PFC_FLAG_OBJECT_UUID);
1994+ if (!NT_STATUS_IS_OK(status)) {
1995+ DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
1996+ nt_errstr(status)));
1997+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
1998+ goto err_exit;
1999+ }
2000+
2001 if (pkt->u.bind.num_contexts == 0) {
2002 DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n"));
2003 goto err_exit;
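Review bot: `NDR_PRINT_DEBUG(ncacn_packet, pkt)` runs on every failed header verification, a condition an unauthenticated peer can trigger at will, whereas the dcerpc_pull_dcerpc_auth() removed later in this series only dumped under `if (DEBUGLEVEL >= 10)`. Whether NDR_PRINT_DEBUG applies its own level is not visible here; if it does not, wrapping the dump in the same `if (DEBUGLEVEL >= 10)` guard keeps a stream of malformed pdus from inflating the log at default levels, and the same applies to the api_pipe_bind_auth3(), api_pipe_alter_context() and process_request_pdu() hunks below. The accepted-flags mask with its `0x08 | /* this is not defined, but should be ignored */` is also pasted four times; one named constant for the common part would keep the four call sites from drifting apart. api_pipe_bind_req() continues outside this hunk.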
2004@@ -1248,6 +1268,25 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
2005 goto err;
2006 }
2007
2008+ status = dcerpc_verify_ncacn_packet_header(pkt,
2009+ DCERPC_PKT_AUTH3,
2010+ pkt->u.auth3.auth_info.length,
2011+ 0, /* required flags */
2012+ DCERPC_PFC_FLAG_FIRST |
2013+ DCERPC_PFC_FLAG_LAST |
2014+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
2015+ 0x08 | /* this is not defined, but should be ignored */
2016+ DCERPC_PFC_FLAG_CONC_MPX |
2017+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
2018+ DCERPC_PFC_FLAG_MAYBE |
2019+ DCERPC_PFC_FLAG_OBJECT_UUID);
2020+ if (!NT_STATUS_IS_OK(status)) {
2021+ DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
2022+ nt_errstr(status)));
2023+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
2024+ goto err;
2025+ }
2026+
2027 /* We can only finish if the pipe is unbound for now */
2028 if (p->pipe_bound) {
2029 DEBUG(0, (__location__ ": Pipe already bound, "
2030@@ -1379,6 +1418,25 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
2031 goto err_exit;
2032 }
2033
2034+ status = dcerpc_verify_ncacn_packet_header(pkt,
2035+ DCERPC_PKT_ALTER,
2036+ pkt->u.alter.auth_info.length,
2037+ 0, /* required flags */
2038+ DCERPC_PFC_FLAG_FIRST |
2039+ DCERPC_PFC_FLAG_LAST |
2040+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
2041+ 0x08 | /* this is not defined, but should be ignored */
2042+ DCERPC_PFC_FLAG_CONC_MPX |
2043+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
2044+ DCERPC_PFC_FLAG_MAYBE |
2045+ DCERPC_PFC_FLAG_OBJECT_UUID);
2046+ if (!NT_STATUS_IS_OK(status)) {
2047+ DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
2048+ nt_errstr(status)));
2049+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
2050+ goto err_exit;
2051+ }
2052+
2053 if (pkt->u.alter.num_contexts == 0) {
2054 DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n"));
2055 goto err_exit;
2056@@ -1923,6 +1981,29 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
2057 return False;
2058 }
2059
2060+ /*
2061+ * We don't ignore DCERPC_PFC_FLAG_PENDING_CANCEL.
2062+ * TODO: we can reject it with DCERPC_FAULT_NO_CALL_ACTIVE later.
2063+ */
2064+ status = dcerpc_verify_ncacn_packet_header(pkt,
2065+ DCERPC_PKT_REQUEST,
2066+ pkt->u.request.stub_and_verifier.length,
2067+ 0, /* required_flags */
2068+ DCERPC_PFC_FLAG_FIRST |
2069+ DCERPC_PFC_FLAG_LAST |
2070+ 0x08 | /* this is not defined, but should be ignored */
2071+ DCERPC_PFC_FLAG_CONC_MPX |
2072+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
2073+ DCERPC_PFC_FLAG_MAYBE |
2074+ DCERPC_PFC_FLAG_OBJECT_UUID);
2075+ if (!NT_STATUS_IS_OK(status)) {
2076+ DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
2077+ nt_errstr(status)));
2078+ NDR_PRINT_DEBUG(ncacn_packet, pkt);
2079+ set_incoming_fault(p);
2080+ return false;
2081+ }
2082+
2083 /* Store the opnum */
2084 p->opnum = pkt->u.request.opnum;
2085
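Review bot: The accepted-flags mask for DCERPC_PKT_REQUEST omits DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN, unlike the three BIND/AUTH3/ALTER call sites earlier in this patch, and the comment above the call only explains the PENDING_CANCEL decision. Since this is the first header verification on the request path, a request carrying that flag is presumably now rejected with a fault where it was processed before; if that is intended, the comment should say so, e.g. `* SUPPORT_HEADER_SIGN is deliberately not accepted on REQUEST pdus.`, and if not, the flag should be added to the mask. process_request_pdu() starts and ends outside this hunk.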
2086--
20872.8.1
2088
2089
2090From b16b1a5f331adc3bb2f3d0bee586ec084935a202 Mon Sep 17 00:00:00 2001
2091From: Stefan Metzmacher <metze@samba.org>
2092Date: Wed, 23 Dec 2015 12:40:58 +0100
2093Subject: [PATCH 26/40] CVE-2015-5370: s3:rpc_server: disconnect the connection
2094 after a fatal FAULT pdu
2095MIME-Version: 1.0
2096Content-Type: text/plain; charset=UTF-8
2097Content-Transfer-Encoding: 8bit
2098
2099BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2100
2101Signed-off-by: Stefan Metzmacher <metze@samba.org>
2102Reviewed-by: Günther Deschner <gd@samba.org>
2103(cherry picked from commit 664d7ace0e68b42d2de99583757e0a985647eb4b)
2104---
2105 source3/rpc_server/rpc_server.c | 12 ++++++++++++
2106 1 file changed, 12 insertions(+)
2107
2108diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
2109index 376d26a..3ba83e0 100644
2110--- a/source3/rpc_server/rpc_server.c
2111+++ b/source3/rpc_server/rpc_server.c
2112@@ -664,6 +664,12 @@ static void named_pipe_packet_done(struct tevent_req *subreq)
2113 goto fail;
2114 }
2115
2116+ if (npc->p->fault_state != 0) {
2117+ DEBUG(2, ("Disconnect after fault\n"));
2118+ sys_errno = EINVAL;
2119+ goto fail;
2120+ }
2121+
2122 /* clear out any data that may have been left around */
2123 npc->count = 0;
2124 TALLOC_FREE(npc->iov);
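Review bot: The disconnect message drops the fault code, so an operator correlating a dropped connection with the fault pdu that preceded it has only "Disconnect after fault" to go on; `DEBUG(2, ("Disconnect after fault 0x%x\n", (unsigned)npc->p->fault_state));` would record which protocol error was hit, and the dcerpc_ncacn_packet_done() hunk below wants the same change. Reporting the condition through `sys_errno = EINVAL` also makes it look like a transport error in whatever `fail` logs; if `fail` prints `strerror(sys_errno)`, a comment saying that the value is a stand-in would help. named_pipe_packet_done() continues outside this hunk.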
2125@@ -1392,6 +1398,12 @@ static void dcerpc_ncacn_packet_done(struct tevent_req *subreq)
2126 goto fail;
2127 }
2128
2129+ if (ncacn_conn->p->fault_state != 0) {
2130+ DEBUG(2, ("Disconnect after fault\n"));
2131+ sys_errno = EINVAL;
2132+ goto fail;
2133+ }
2134+
2135 /* clear out any data that may have been left around */
2136 ncacn_conn->count = 0;
2137 TALLOC_FREE(ncacn_conn->iov);
2138--
21392.8.1
2140
2141
2142From 642d2b7090e46a87bc94cabf29eccb09e329c125 Mon Sep 17 00:00:00 2001
2143From: Stefan Metzmacher <metze@samba.org>
2144Date: Wed, 23 Dec 2015 12:38:55 +0100
2145Subject: [PATCH 27/40] CVE-2015-5370: s3:rpc_server: let a failing BIND mark
2146 the connection as broken
2147MIME-Version: 1.0
2148Content-Type: text/plain; charset=UTF-8
2149Content-Transfer-Encoding: 8bit
2150
2151BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2152
2153Signed-off-by: Stefan Metzmacher <metze@samba.org>
2154Reviewed-by: Günther Deschner <gd@samba.org>
2155(cherry picked from commit 8d97085efd8782e48d0f1162e3f56756acb99472)
2156---
2157 source3/rpc_server/srv_pipe.c | 1 +
2158 1 file changed, 1 insertion(+)
2159
2160diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
2161index 2f404b4..6275190 100644
2162--- a/source3/rpc_server/srv_pipe.c
2163+++ b/source3/rpc_server/srv_pipe.c
2164@@ -276,6 +276,7 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
2165 p->out_data.data_sent_length = 0;
2166 p->out_data.current_pdu_sent = 0;
2167
2168+ set_incoming_fault(p);
2169 TALLOC_FREE(p->auth.auth_ctx);
2170 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
2171 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
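Review bot: The inserted `set_incoming_fault(p);` carries no comment, and nothing in setup_bind_nak() says why a rejected BIND now poisons the connection; from the later patches in this series the call sets `p->fault_state`, which rpc_server.c turns into a disconnect. A one-liner above it would record the intent, e.g. `/* a rejected BIND is fatal for this connection: mark it faulted so the transport disconnects */`. setup_bind_nak() starts outside this hunk.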
2172--
21732.8.1
2174
2175
2176From f4aa07176636982d9be3c0ce2452fc43a8781d47 Mon Sep 17 00:00:00 2001
2177From: Stefan Metzmacher <metze@samba.org>
2178Date: Wed, 23 Dec 2015 12:38:55 +0100
2179Subject: [PATCH 28/40] CVE-2015-5370: s3:rpc_server: use
2180 DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
2181MIME-Version: 1.0
2182Content-Type: text/plain; charset=UTF-8
2183Content-Transfer-Encoding: 8bit
2184
2185BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2186
2187Signed-off-by: Stefan Metzmacher <metze@samba.org>
2188Reviewed-by: Günther Deschner <gd@samba.org>
2189(cherry picked from commit d30363f08efb81b22055d4445977c96df3737adf)
2190---
2191 source3/rpc_server/srv_pipe.c | 4 ++--
2192 1 file changed, 2 insertions(+), 2 deletions(-)
2193
2194diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
2195index 6275190..3fb8855 100644
2196--- a/source3/rpc_server/srv_pipe.c
2197+++ b/source3/rpc_server/srv_pipe.c
2198@@ -1933,7 +1933,7 @@ void set_incoming_fault(struct pipes_struct *p)
2199 data_blob_free(&p->in_data.data);
2200 p->in_data.pdu_needed_len = 0;
2201 p->in_data.pdu.length = 0;
2202- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
2203+ p->fault_state = DCERPC_NCA_S_PROTO_ERROR;
2204
2205 p->allow_alter = false;
2206 p->allow_auth3 = false;
2207@@ -2254,7 +2254,7 @@ done:
2208 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
2209 &p->syntax)));
2210 set_incoming_fault(p);
2211- setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2212+ setup_fault_pdu(p, NT_STATUS(DCERPC_NCA_S_PROTO_ERROR));
2213 TALLOC_FREE(pkt);
2214 } else {
2215 /*
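Review bot: With the first hunk making set_incoming_fault() store DCERPC_NCA_S_PROTO_ERROR in `p->fault_state`, the `setup_fault_pdu()` call on the line after `set_incoming_fault(p)` repeats the same constant literally, so the recorded and the transmitted fault codes can diverge the next time one of them is edited. Assuming setup_fault_pdu() takes an NTSTATUS built from the fault code, `setup_fault_pdu(p, NT_STATUS(p->fault_state));` keeps them in sync. The enclosing function starts and ends outside this hunk.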
2216--
22172.8.1
2218
2219
2220From ef175975f587d73092461c36b10e4c9cf1805727 Mon Sep 17 00:00:00 2001
2221From: Stefan Metzmacher <metze@samba.org>
2222Date: Sat, 11 Jul 2015 10:58:07 +0200
2223Subject: [PATCH 29/40] CVE-2015-5370: s3:librpc/rpc: remove unused
2224 dcerpc_pull_dcerpc_auth()
2225MIME-Version: 1.0
2226Content-Type: text/plain; charset=UTF-8
2227Content-Transfer-Encoding: 8bit
2228
2229BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2230
2231Signed-off-by: Stefan Metzmacher <metze@samba.org>
2232Reviewed-by: Günther Deschner <gd@samba.org>
2233(cherry picked from commit 02aef978ff8f16009a52c2d981d414d019bc8dd9)
2234---
2235 source3/librpc/rpc/dcerpc.h | 4 ----
2236 source3/librpc/rpc/dcerpc_helpers.c | 41 -------------------------------------
2237 2 files changed, 45 deletions(-)
2238
2239diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
2240index e7cca9e..9452e85 100644
2241--- a/source3/librpc/rpc/dcerpc.h
2242+++ b/source3/librpc/rpc/dcerpc.h
2243@@ -71,10 +71,6 @@ NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
2244 uint32_t auth_context_id,
2245 const DATA_BLOB *credentials,
2246 DATA_BLOB *blob);
2247-NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
2248- const DATA_BLOB *blob,
2249- struct dcerpc_auth *r,
2250- bool bigendian);
2251 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
2252 size_t header_len, size_t data_left,
2253 size_t max_xmit_frag, size_t pad_alignment,
2254diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
2255index c07835f..e4d0e3a 100644
2256--- a/source3/librpc/rpc/dcerpc_helpers.c
2257+++ b/source3/librpc/rpc/dcerpc_helpers.c
2258@@ -210,47 +210,6 @@ NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
2259 }
2260
2261 /**
2262-* @brief Decodes a dcerpc_auth blob
2263-*
2264-* @param mem_ctx The memory context on which to allocate the packet
2265-* elements
2266-* @param blob The blob of data to decode
2267-* @param r An empty dcerpc_auth structure, must not be NULL
2268-*
2269-* @return a NTSTATUS error code
2270-*/
2271-NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
2272- const DATA_BLOB *blob,
2273- struct dcerpc_auth *r,
2274- bool bigendian)
2275-{
2276- enum ndr_err_code ndr_err;
2277- struct ndr_pull *ndr;
2278-
2279- ndr = ndr_pull_init_blob(blob, mem_ctx);
2280- if (!ndr) {
2281- return NT_STATUS_NO_MEMORY;
2282- }
2283- if (bigendian) {
2284- ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
2285- }
2286-
2287- ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, r);
2288-
2289- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2290- talloc_free(ndr);
2291- return ndr_map_error2ntstatus(ndr_err);
2292- }
2293- talloc_free(ndr);
2294-
2295- if (DEBUGLEVEL >= 10) {
2296- NDR_PRINT_DEBUG(dcerpc_auth, r);
2297- }
2298-
2299- return NT_STATUS_OK;
2300-}
2301-
2302-/**
2303 * @brief Calculate how much data we can in a packet, including calculating
2304 * auth token and pad lengths.
2305 *
2306--
23072.8.1
2308
2309
2310From 49d0e60d28d3b615d4ee368cd3f260b3a6386858 Mon Sep 17 00:00:00 2001
2311From: Stefan Metzmacher <metze@samba.org>
2312Date: Tue, 7 Jul 2015 13:05:01 +0200
2313Subject: [PATCH 30/40] CVE-2015-5370: s3:rpc_server: check the transfer syntax
2314 in check_bind_req() first
2315MIME-Version: 1.0
2316Content-Type: text/plain; charset=UTF-8
2317Content-Transfer-Encoding: 8bit
2318
2319BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2320
2321Signed-off-by: Stefan Metzmacher <metze@samba.org>
2322Reviewed-by: Günther Deschner <gd@samba.org>
2323(cherry picked from commit 9464684010461947fa98d8ee084069e9cf362625)
2324---
2325 source3/rpc_server/srv_pipe.c | 20 ++++++++++++++------
2326 1 file changed, 14 insertions(+), 6 deletions(-)
2327
2328diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
2329index 3fb8855..0e6b073 100644
2330--- a/source3/rpc_server/srv_pipe.c
2331+++ b/source3/rpc_server/srv_pipe.c
2332@@ -351,16 +351,24 @@ static bool check_bind_req(struct pipes_struct *p,
2333 DEBUG(3,("check_bind_req for %s\n",
2334 get_pipe_name_from_syntax(talloc_tos(), abstract)));
2335
2336+ ok = ndr_syntax_id_equal(transfer, &ndr_transfer_syntax);
2337+ if (!ok) {
2338+ DEBUG(1,("check_bind_req unknown transfer syntax for "
2339+ "%s context_id=%u\n",
2340+ get_pipe_name_from_syntax(talloc_tos(), abstract),
2341+ (unsigned)context_id));
2342+ return false;
2343+ }
2344+
2345 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
2346- if (rpc_srv_pipe_exists_by_id(abstract) &&
2347- ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
2348- DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
2349- rpc_srv_get_pipe_cli_name(abstract),
2350- rpc_srv_get_pipe_srv_name(abstract)));
2351- } else {
2352+ if (!rpc_srv_pipe_exists_by_id(abstract)) {
2353 return false;
2354 }
2355
2356+ DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
2357+ rpc_srv_get_pipe_cli_name(abstract),
2358+ rpc_srv_get_pipe_srv_name(abstract)));
2359+
2360 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
2361 if (context_fns == NULL) {
2362 DEBUG(0,("check_bind_req: malloc() failed!\n"));
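Review bot: The new unknown-transfer-syntax path logs at DEBUG(1) with the interface name and context_id, but the `!rpc_srv_pipe_exists_by_id(abstract)` path right below it still returns false silently, so a bind to an unknown interface, the case most worth seeing when reviewing logs for unexpected RPC activity, leaves no trace at that level. For parity, `DEBUG(1,("check_bind_req: unknown abstract syntax %s context_id=%u\n", get_pipe_name_from_syntax(talloc_tos(), abstract), (unsigned)context_id));` before the `return false;` would do. `ok` is assigned here but its declaration is outside the hunk; check_bind_req() starts and ends outside this hunk.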
2363--
23642.8.1
2365
2366
2367From 7ee6698f706e51568f53347f422ac6671cdba9a4 Mon Sep 17 00:00:00 2001
2368From: Stefan Metzmacher <metze@samba.org>
2369Date: Tue, 7 Jul 2015 13:05:01 +0200
2370Subject: [PATCH 31/40] CVE-2015-5370: s3:rpc_server: don't allow an existing
2371 context to be changed in check_bind_req()
2372MIME-Version: 1.0
2373Content-Type: text/plain; charset=UTF-8
2374Content-Transfer-Encoding: 8bit
2375
2376An alter context can't change the syntax of an existing context,
2377a new context_id will be used for that.
2378
2379BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2380
2381Signed-off-by: Stefan Metzmacher <metze@samba.org>
2382Reviewed-by: Günther Deschner <gd@samba.org>
2383(cherry picked from commit a995740d4e7fbd8fbb5c8c6280b73eaceae53574)
2384---
2385 source3/rpc_server/srv_pipe.c | 22 ++++++++++++++++++++++
2386 1 file changed, 22 insertions(+)
2387
2388diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
2389index 0e6b073..4263a91 100644
2390--- a/source3/rpc_server/srv_pipe.c
2391+++ b/source3/rpc_server/srv_pipe.c
2392@@ -360,6 +360,28 @@ static bool check_bind_req(struct pipes_struct *p,
2393 return false;
2394 }
2395
2396+ for (context_fns = p->contexts;
2397+ context_fns != NULL;
2398+ context_fns = context_fns->next)
2399+ {
2400+ if (context_fns->context_id != context_id) {
2401+ continue;
2402+ }
2403+
2404+ ok = ndr_syntax_id_equal(&context_fns->syntax,
2405+ abstract);
2406+ if (ok) {
2407+ return true;
2408+ }
2409+
2410+ DEBUG(1,("check_bind_req: changing abstract syntax for "
2411+ "%s context_id=%u into %s not supported\n",
2412+ get_pipe_name_from_syntax(talloc_tos(), &context_fns->syntax),
2413+ (unsigned)context_id,
2414+ get_pipe_name_from_syntax(talloc_tos(), abstract)));
2415+ return false;
2416+ }
2417+
2418 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
2419 if (!rpc_srv_pipe_exists_by_id(abstract)) {
2420 return false;
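Review bot: The loop reuses `context_fns` as its iterator, and further down in check_bind_req() (visible in the previous patch's hunk) the same variable receives the `SMB_MALLOC_P` result, so one local doubles as the scan cursor and the output slot; a dedicated local such as `const struct pipe_rpc_fns *existing;` would make the "reject a changed syntax for an existing context_id" intent obvious. The `for` header with its opening brace on its own line also departs from the K&R style used by the surrounding `if` statements. check_bind_req() starts and ends outside this hunk.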
2421--
24222.8.1
2423
2424
2425From 79a238d0c868c7e182f49637b66f544dc1dd86da Mon Sep 17 00:00:00 2001
2426From: Stefan Metzmacher <metze@samba.org>
2427Date: Wed, 8 Jul 2015 00:01:37 +0200
2428Subject: [PATCH 32/40] CVE-2015-5370: s3:rpc_client: pass struct
2429 pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
2430MIME-Version: 1.0
2431Content-Type: text/plain; charset=UTF-8
2432Content-Transfer-Encoding: 8bit
2433
2434BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2435
2436Signed-off-by: Stefan Metzmacher <metze@samba.org>
2437Reviewed-by: Günther Deschner <gd@samba.org>
2438(cherry picked from commit f556d9245c13d018d4e772f06d013ebe558703d9)
2439---
2440 source3/rpc_client/cli_pipe.c | 26 ++++++++++----------------
2441 1 file changed, 10 insertions(+), 16 deletions(-)
2442
2443diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
2444index 1c4ff01..3af3d8f 100644
2445--- a/source3/rpc_client/cli_pipe.c
2446+++ b/source3/rpc_client/cli_pipe.c
2447@@ -1816,9 +1816,8 @@ static bool check_bind_response(const struct dcerpc_bind_ack *r,
2448
2449 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
2450 struct rpc_pipe_client *cli,
2451- uint32 rpc_call_id,
2452- enum dcerpc_AuthType auth_type,
2453- enum dcerpc_AuthLevel auth_level,
2454+ struct pipe_auth_data *auth,
2455+ uint32_t rpc_call_id,
2456 DATA_BLOB *pauth_blob,
2457 DATA_BLOB *rpc_out)
2458 {
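Review bot: The new `struct pipe_auth_data *auth` parameter is only read in the visible parts of create_rpc_bind_auth3() and create_rpc_alter_context() (`auth->auth_type`, `auth->auth_level`), so it should be `const struct pipe_auth_data *auth` in both signatures; the third hunk of this patch has the same parameter. Nothing in the hunks writes through the pointer, though both function bodies continue outside them.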
2459@@ -1828,8 +1827,8 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
2460 u.auth3._pad = 0;
2461
2462 status = dcerpc_push_dcerpc_auth(mem_ctx,
2463- auth_type,
2464- auth_level,
2465+ auth->auth_type,
2466+ auth->auth_level,
2467 0, /* auth_pad_length */
2468 1, /* auth_context_id */
2469 pauth_blob,
2470@@ -1861,9 +1860,8 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
2471 ********************************************************************/
2472
2473 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
2474- enum dcerpc_AuthType auth_type,
2475- enum dcerpc_AuthLevel auth_level,
2476- uint32 rpc_call_id,
2477+ struct pipe_auth_data *auth,
2478+ uint32_t rpc_call_id,
2479 const struct ndr_syntax_id *abstract,
2480 const struct ndr_syntax_id *transfer,
2481 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
2482@@ -1873,8 +1871,8 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
2483 NTSTATUS status;
2484
2485 status = dcerpc_push_dcerpc_auth(mem_ctx,
2486- auth_type,
2487- auth_level,
2488+ auth->auth_type,
2489+ auth->auth_level,
2490 0, /* auth_pad_length */
2491 1, /* auth_context_id */
2492 pauth_blob,
2493@@ -2300,9 +2298,7 @@ static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
2494 /* Now prepare the alter context pdu. */
2495 data_blob_free(&state->rpc_out);
2496
2497- status = create_rpc_alter_context(state,
2498- auth->auth_type,
2499- auth->auth_level,
2500+ status = create_rpc_alter_context(state, auth,
2501 state->rpc_call_id,
2502 &state->cli->abstract_syntax,
2503 &state->cli->transfer_syntax,
2504@@ -2335,10 +2331,8 @@ static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
2505 /* Now prepare the auth3 context pdu. */
2506 data_blob_free(&state->rpc_out);
2507
2508- status = create_rpc_bind_auth3(state, state->cli,
2509+ status = create_rpc_bind_auth3(state, state->cli, auth,
2510 state->rpc_call_id,
2511- auth->auth_type,
2512- auth->auth_level,
2513 auth_token,
2514 &state->rpc_out);
2515 if (!NT_STATUS_IS_OK(status)) {
2516--
25172.8.1
2518
2519
2520From 18a50ed6ead11287ff72cb38f100d0f2641c3e7d Mon Sep 17 00:00:00 2001
2521From: Stefan Metzmacher <metze@samba.org>
2522Date: Wed, 8 Jul 2015 00:01:37 +0200
2523Subject: [PATCH 33/40] CVE-2015-5370: s3:librpc/rpc: add auth_context_id to
2524 struct pipe_auth_data
2525MIME-Version: 1.0
2526Content-Type: text/plain; charset=UTF-8
2527Content-Transfer-Encoding: 8bit
2528
2529BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2530
2531Signed-off-by: Stefan Metzmacher <metze@samba.org>
2532Reviewed-by: Günther Deschner <gd@samba.org>
2533(cherry picked from commit cbf20b43d7b40e3b6ccf044f6f51a5adff1f5e6d)
2534---
2535 source3/librpc/rpc/dcerpc.h | 1 +
2536 1 file changed, 1 insertion(+)
2537
2538diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
2539index 9452e85..c25b0f5 100644
2540--- a/source3/librpc/rpc/dcerpc.h
2541+++ b/source3/librpc/rpc/dcerpc.h
2542@@ -42,6 +42,7 @@ struct pipe_auth_data {
2543 bool verified_bitmask1;
2544
2545 void *auth_ctx;
2546+ uint32_t auth_context_id;
2547
2548 /* Only the client code uses these 3 for now */
2549 char *domain;
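Review bot: The new `auth_context_id` field is added without a comment, while the neighbouring fields in struct pipe_auth_data carry one, and nothing states who sets it or what it is compared against. From the following two patches it appears to hold the auth context id carried in the BIND auth trailer and to be echoed in later trailers, so something like `uint32_t auth_context_id; /* auth context id from the BIND auth trailer; reused in later auth trailers */` would tell a reader where the value comes from.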
2550--
25512.8.1
2552
2553
2554From 7dbaaca2a638406331d4653e1afdc18f7c8502f6 Mon Sep 17 00:00:00 2001
2555From: Stefan Metzmacher <metze@samba.org>
2556Date: Wed, 8 Jul 2015 00:01:37 +0200
2557Subject: [PATCH 34/40] CVE-2015-5370: s3:rpc_client: make use of
2558 pipe_auth_data->auth_context_id
2559MIME-Version: 1.0
2560Content-Type: text/plain; charset=UTF-8
2561Content-Transfer-Encoding: 8bit
2562
2563This is better than using hardcoded values.
2564We need to use auth_context_id = 1 for authenticated
2565connections, as old Samba servers (before this patchset)
2566will use a hardcoded value of 1.
2567
2568BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2569
2570Signed-off-by: Stefan Metzmacher <metze@samba.org>
2571Reviewed-by: Günther Deschner <gd@samba.org>
2572(cherry picked from commit ae68d3f325c3880144b80385779c9445897646e6)
2573---
2574 source3/rpc_client/cli_pipe.c | 13 ++++++++++---
2575 1 file changed, 10 insertions(+), 3 deletions(-)
2576
2577diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
2578index 3af3d8f..755d676 100644
2579--- a/source3/rpc_client/cli_pipe.c
2580+++ b/source3/rpc_client/cli_pipe.c
2581@@ -1314,7 +1314,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
2582 auth->auth_type,
2583 auth->auth_level,
2584 0, /* auth_pad_length */
2585- 1, /* auth_context_id */
2586+ auth->auth_context_id,
2587 &auth_token,
2588 &auth_info);
2589 if (!NT_STATUS_IS_OK(ret)) {
2590@@ -1830,7 +1830,7 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
2591 auth->auth_type,
2592 auth->auth_level,
2593 0, /* auth_pad_length */
2594- 1, /* auth_context_id */
2595+ auth->auth_context_id,
2596 pauth_blob,
2597 &u.auth3.auth_info);
2598 if (!NT_STATUS_IS_OK(status)) {
2599@@ -1874,7 +1874,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
2600 auth->auth_type,
2601 auth->auth_level,
2602 0, /* auth_pad_length */
2603- 1, /* auth_context_id */
2604+ auth->auth_context_id,
2605 pauth_blob,
2606 &auth_info);
2607 if (!NT_STATUS_IS_OK(status)) {
2608@@ -2704,6 +2704,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
2609
2610 result->auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
2611 result->auth_level = DCERPC_AUTH_LEVEL_CONNECT;
2612+ result->auth_context_id = 1;
2613
2614 result->user_name = talloc_strdup(result, "");
2615 result->domain = talloc_strdup(result, "");
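Review bot: The literal `1` is repeated in six constructors in this patch (this hunk plus the ntlmssp, schannel, krb5 and both spnego hunks), and the reason for it, compatibility with pre-fix Samba servers that hardcode the value, lives only in the commit message. Either a comment at each assignment, e.g. `result->auth_context_id = 1; /* pre-fix Samba servers hardcode 1 */`, or a single named constant with that comment would keep the rationale next to the code; the anon case correctly uses 0. Each enclosing function continues outside its hunk.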
2616@@ -2728,6 +2729,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2617
2618 result->auth_type = DCERPC_AUTH_TYPE_NONE;
2619 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2620+ result->auth_context_id = 0;
2621
2622 result->user_name = talloc_strdup(result, "");
2623 result->domain = talloc_strdup(result, "");
2624@@ -2765,6 +2767,7 @@ static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
2625
2626 result->auth_type = auth_type;
2627 result->auth_level = auth_level;
2628+ result->auth_context_id = 1;
2629
2630 result->user_name = talloc_strdup(result, username);
2631 result->domain = talloc_strdup(result, domain);
2632@@ -2836,6 +2839,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
2633
2634 result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
2635 result->auth_level = auth_level;
2636+ result->auth_context_id = 1;
2637
2638 result->user_name = talloc_strdup(result, "");
2639 result->domain = talloc_strdup(result, domain);
2640@@ -3500,6 +3504,7 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
2641 }
2642 auth->auth_type = DCERPC_AUTH_TYPE_KRB5;
2643 auth->auth_level = auth_level;
2644+ auth->auth_context_id = 1;
2645
2646 if (!username) {
2647 username = "";
2648@@ -3570,6 +3575,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
2649 }
2650 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
2651 auth->auth_level = auth_level;
2652+ auth->auth_context_id = 1;
2653
2654 if (!username) {
2655 username = "";
2656@@ -3644,6 +3650,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
2657 }
2658 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
2659 auth->auth_level = auth_level;
2660+ auth->auth_context_id = 1;
2661
2662 if (!username) {
2663 username = "";
2664--
26652.8.1
2666
2667
2668From 82cd4e90c70d1ababd5fa1ee61206e37edbf40e4 Mon Sep 17 00:00:00 2001
2669From: Stefan Metzmacher <metze@samba.org>
2670Date: Wed, 8 Jul 2015 00:01:37 +0200
2671Subject: [PATCH 35/40] CVE-2015-5370: s3:rpc_server: make use of
2672 pipe_auth_data->auth_context_id
2673MIME-Version: 1.0
2674Content-Type: text/plain; charset=UTF-8
2675Content-Transfer-Encoding: 8bit
2676
2677This is better than using hardcoded values.
2678We need to use the value the client used in the BIND request.
2679
2680BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2681
2682Signed-off-by: Stefan Metzmacher <metze@samba.org>
2683Reviewed-by: Günther Deschner <gd@samba.org>
2684(cherry picked from commit 2bc617293a5d8652e484af69660b3646f3d48690)
2685---
2686 source3/rpc_server/rpc_ncacn_np.c | 1 +
2687 source3/rpc_server/srv_pipe.c | 11 +++++++----
2688 2 files changed, 8 insertions(+), 4 deletions(-)
2689
2690diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
2691index f2e9d10..c0f24a6 100644
2692--- a/source3/rpc_server/rpc_ncacn_np.c
2693+++ b/source3/rpc_server/rpc_ncacn_np.c
2694@@ -781,6 +781,7 @@ static NTSTATUS rpc_pipe_open_external(TALLOC_CTX *mem_ctx,
2695 }
2696 result->auth->auth_type = DCERPC_AUTH_TYPE_NONE;
2697 result->auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
2698+ result->auth->auth_context_id = 0;
2699
2700 status = rpccli_anon_bind_data(result, &auth);
2701 if (!NT_STATUS_IS_OK(status)) {
2702diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
2703index 4263a91..d6c4118 100644
2704--- a/source3/rpc_server/srv_pipe.c
2705+++ b/source3/rpc_server/srv_pipe.c
2706@@ -534,6 +534,7 @@ static bool pipe_spnego_auth_bind(struct pipes_struct *p,
2707
2708 p->auth.auth_ctx = spnego_ctx;
2709 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
2710+ p->auth.auth_context_id = auth_info->auth_context_id;
2711
2712 DEBUG(10, ("SPNEGO auth started\n"));
2713
2714@@ -644,6 +645,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
2715 /* We're finished with this bind - no more packets. */
2716 p->auth.auth_ctx = schannel_auth;
2717 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
2718+ p->auth.auth_context_id = auth_info->auth_context_id;
2719
2720 p->pipe_bound = True;
2721
2722@@ -688,6 +690,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
2723
2724 p->auth.auth_ctx = ntlmssp_state;
2725 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
2726+ p->auth.auth_context_id = auth_info->auth_context_id;
2727
2728 DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
2729
2730@@ -1173,6 +1176,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
2731 p->pipe_bound = True;
2732 /* The session key was initialized from the SMB
2733 * session in make_internal_rpc_pipe_p */
2734+ p->auth.auth_context_id = 0;
2735 }
2736
2737 ZERO_STRUCT(u.bind_ack);
2738@@ -1218,12 +1222,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
2739 }
2740
2741 if (auth_resp.length) {
2742-
2743 status = dcerpc_push_dcerpc_auth(pkt,
2744 auth_type,
2745 auth_info.auth_level,
2746- 0,
2747- 1, /* auth_context_id */
2748+ 0, /* pad_len */
2749+ p->auth.auth_context_id,
2750 &auth_resp,
2751 &auth_blob);
2752 if (!NT_STATUS_IS_OK(status)) {
2753@@ -1646,7 +1649,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
2754 auth_info.auth_type,
2755 auth_info.auth_level,
2756 pad_len,
2757- 1, /* auth_context_id */
2758+ p->auth.auth_context_id,
2759 &auth_resp,
2760 &auth_blob);
2761 if (!NT_STATUS_IS_OK(status)) {
2762--
27632.8.1
2764
2765
2766From 8d1fb1fcf58b08cbf27579382ea648aefb9e7dc6 Mon Sep 17 00:00:00 2001
2767From: Stefan Metzmacher <metze@samba.org>
2768Date: Wed, 8 Jul 2015 00:01:37 +0200
2769Subject: [PATCH 36/40] CVE-2015-5370: s3:librpc/rpc: make use of
2770 auth->auth_context_id in dcerpc_add_auth_footer()
2771MIME-Version: 1.0
2772Content-Type: text/plain; charset=UTF-8
2773Content-Transfer-Encoding: 8bit
2774
2775BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2776
2777Signed-off-by: Stefan Metzmacher <metze@samba.org>
2778Reviewed-by: Günther Deschner <gd@samba.org>
2779(cherry picked from commit 61faaa63e7e610308c72ae4c41a5c7b5b7312685)
2780---
2781 source3/librpc/rpc/dcerpc_helpers.c | 2 +-
2782 1 file changed, 1 insertion(+), 1 deletion(-)
2783
2784diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
2785index e4d0e3a..977a372 100644
2786--- a/source3/librpc/rpc/dcerpc_helpers.c
2787+++ b/source3/librpc/rpc/dcerpc_helpers.c
2788@@ -741,7 +741,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
2789 auth->auth_type,
2790 auth->auth_level,
2791 pad_len,
2792- 1 /* context id. */,
2793+ auth->auth_context_id,
2794 &auth_blob,
2795 &auth_info);
2796 if (!NT_STATUS_IS_OK(status)) {
2797--
27982.8.1
2799
2800
2801From 2a44cfc65f7dc1ccfd2d6a5abe5d26e94a085aa9 Mon Sep 17 00:00:00 2001
2802From: Stefan Metzmacher <metze@samba.org>
2803Date: Wed, 8 Jul 2015 00:01:37 +0200
2804Subject: [PATCH 37/40] CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in
2805 dcerpc_check_auth()
2806MIME-Version: 1.0
2807Content-Type: text/plain; charset=UTF-8
2808Content-Transfer-Encoding: 8bit
2809
2810BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2811
2812Signed-off-by: Stefan Metzmacher <metze@samba.org>
2813Reviewed-by: Günther Deschner <gd@samba.org>
2814(cherry picked from commit 0cf3151c843e2c779b534743b455e630d89e2ba9)
2815---
2816 source3/librpc/rpc/dcerpc_helpers.c | 4 ++++
2817 1 file changed, 4 insertions(+)
2818
2819diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
2820index 977a372..b00cf1bf 100644
2821--- a/source3/librpc/rpc/dcerpc_helpers.c
2822+++ b/source3/librpc/rpc/dcerpc_helpers.c
2823@@ -881,6 +881,10 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
2824 return NT_STATUS_INVALID_PARAMETER;
2825 }
2826
2827+ if (auth_info.auth_context_id != auth->auth_context_id) {
2828+ return NT_STATUS_INVALID_PARAMETER;
2829+ }
2830+
2831 pkt_trailer->length -= auth_length;
2832 data = data_blob_const(raw_pkt->data + header_size,
2833 pkt_trailer->length);
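Review bot: The new auth_context_id mismatch check rejects the packet silently, so an operator sees nothing when a peer presents an auth trailer whose context id differs from the one negotiated at bind, unlike the sibling checks in api_pipe_bind_auth3 and rpc_pipe_bind_step_one_done on this page, which log both values at DEBUG(0, ...). A log line before the return would make such rejections observable: `DEBUG(0, ("Auth context id mismatch! Got %u, expected %u.\n", (unsigned)auth_info.auth_context_id, (unsigned)auth->auth_context_id));`. It also returns NT_STATUS_INVALID_PARAMETER where the client-side check uses NT_STATUS_RPC_PROTOCOL_ERROR; whether callers distinguish the two cannot be told from this hunk. dcerpc_check_auth starts and ends outside the hunk.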
2834--
28352.8.1
2836
2837
2838From 68dcc277d5af506706d3fdac43891e43ccb4ceea Mon Sep 17 00:00:00 2001
2839From: Stefan Metzmacher <metze@samba.org>
2840Date: Tue, 7 Jul 2015 22:51:18 +0200
2841Subject: [PATCH 38/40] CVE-2015-5370: s3:rpc_client: verify auth_context_id in
2842 rpc_pipe_bind_step_one_done()
2843MIME-Version: 1.0
2844Content-Type: text/plain; charset=UTF-8
2845Content-Transfer-Encoding: 8bit
2846
2847BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2848
2849Signed-off-by: Stefan Metzmacher <metze@samba.org>
2850Reviewed-by: Günther Deschner <gd@samba.org>
2851(cherry picked from commit 93a0f92b8ebecb38f92d3b2c9a946b486ee91d3c)
2852---
2853 source3/rpc_client/cli_pipe.c | 8 ++++++++
2854 1 file changed, 8 insertions(+)
2855
2856diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
2857index 755d676..ee33e80 100644
2858--- a/source3/rpc_client/cli_pipe.c
2859+++ b/source3/rpc_client/cli_pipe.c
2860@@ -2052,6 +2052,14 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
2861 return;
2862 }
2863
2864+ if (auth.auth_context_id != pauth->auth_context_id) {
2865+ DEBUG(0, (__location__ " Auth context id %u mismatch expected %u.\n",
2866+ (unsigned)auth.auth_context_id,
2867+ (unsigned)pauth->auth_context_id));
2868+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
2869+ return;
2870+ }
2871+
2872 break;
2873 }
2874
2875--
28762.8.1
2877
2878
2879From 8787dd5053974c1f42ae85a310e9522795f4ccfe Mon Sep 17 00:00:00 2001
2880From: Stefan Metzmacher <metze@samba.org>
2881Date: Wed, 8 Jul 2015 00:01:37 +0200
2882Subject: [PATCH 39/40] CVE-2015-5370: s3:rpc_server: verify auth_context_id in
2883 api_pipe_{bind_auth3,alter_context}
2884MIME-Version: 1.0
2885Content-Type: text/plain; charset=UTF-8
2886Content-Transfer-Encoding: 8bit
2887
2888BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2889
2890Signed-off-by: Stefan Metzmacher <metze@samba.org>
2891Reviewed-by: Günther Deschner <gd@samba.org>
2892(cherry picked from commit 3ef461d8304ee36184cd7a3963676eedff4ef1eb)
2893---
2894 source3/rpc_server/srv_pipe.c | 16 ++++++++++++++++
2895 1 file changed, 16 insertions(+)
2896
2897diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
2898index d6c4118..26c4ee0 100644
2899--- a/source3/rpc_server/srv_pipe.c
2900+++ b/source3/rpc_server/srv_pipe.c
2901@@ -1364,6 +1364,14 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
2902 goto err;
2903 }
2904
2905+ if (auth_info.auth_context_id != p->auth.auth_context_id) {
2906+ DEBUG(0, ("Auth context id mismatch! Client sent %u, "
2907+ "but auth was started as level %u!\n",
2908+ (unsigned)auth_info.auth_context_id,
2909+ (unsigned)p->auth.auth_context_id));
2910+ goto err;
2911+ }
2912+
2913 switch (auth_info.auth_type) {
2914 case DCERPC_AUTH_TYPE_NTLMSSP:
2915 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
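Review bot: The DEBUG message added here says the auth "was started as level %u" while the value it prints is p->auth.auth_context_id, so the log reports a context id mismatch as if it were an auth level problem; the same text is repeated in the api_pipe_alter_context hunk below. Changing the second format line to `"but auth was started with context id %u!\n",` in both places keeps the log truthful, which matters because this DEBUG(0, ...) line is what an administrator will see when a peer sends a mismatching trailer. Both enclosing functions start and end outside their hunks.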
2916@@ -1545,6 +1553,14 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
2917 goto err_exit;
2918 }
2919
2920+ if (auth_info.auth_context_id != p->auth.auth_context_id) {
2921+ DEBUG(0, ("Auth context id mismatch! Client sent %u, "
2922+ "but auth was started as level %u!\n",
2923+ (unsigned)auth_info.auth_context_id,
2924+ (unsigned)p->auth.auth_context_id));
2925+ goto err_exit;
2926+ }
2927+
2928 switch (auth_info.auth_type) {
2929 case DCERPC_AUTH_TYPE_SPNEGO:
2930 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
2931--
29322.8.1
2933
2934
2935From bf0040fb860527cb0c54ab0ef301153bdad650c0 Mon Sep 17 00:00:00 2001
2936From: Stefan Metzmacher <metze@samba.org>
2937Date: Tue, 22 Dec 2015 21:23:14 +0100
2938Subject: [PATCH 40/40] CVE-2015-5370: s3:rpc_client: disconnect connection on
2939 protocol errors
2940MIME-Version: 1.0
2941Content-Type: text/plain; charset=UTF-8
2942Content-Transfer-Encoding: 8bit
2943
2944BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
2945
2946Signed-off-by: Stefan Metzmacher <metze@samba.org>
2947Reviewed-by: Günther Deschner <gd@samba.org>
2948(cherry picked from commit 024d3b263a2879cee4fb7794d70f253c948cc043)
2949---
2950 source3/rpc_client/cli_pipe.c | 67 +++++++++++++++++++++++++++++++++++++++++--
2951 1 file changed, 64 insertions(+), 3 deletions(-)
2952
2953diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
2954index ee33e80..a3810f0 100644
2955--- a/source3/rpc_client/cli_pipe.c
2956+++ b/source3/rpc_client/cli_pipe.c
2957@@ -953,6 +953,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
2958
2959 state->pkt = talloc(state, struct ncacn_packet);
2960 if (!state->pkt) {
2961+ /*
2962+ * TODO: do a real async disconnect ...
2963+ *
2964+ * For now do it sync...
2965+ */
2966+ TALLOC_FREE(state->cli->transport);
2967 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
2968 return;
2969 }
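Review bot: The five-line "TODO: do a real async disconnect" comment plus TALLOC_FREE(state->cli->transport) is pasted verbatim nine times across the rpc_api_pipe_got_pdu hunks of this commit (here, the next hunk, and the four hunks after it), which makes it easy for a future error path in this function to miss the disconnect. A single static helper in cli_pipe.c that frees the transport and carries the TODO once, called from each error path, would state the policy that any protocol or memory error tears down the connection in one place. The type of state is not visible in these hunks, so the helper's parameter type needs confirming against the file. rpc_api_pipe_got_pdu starts before this hunk.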
2970@@ -962,6 +968,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
2971 state->pkt,
2972 !state->endianess);
2973 if (!NT_STATUS_IS_OK(status)) {
2974+ /*
2975+ * TODO: do a real async disconnect ...
2976+ *
2977+ * For now do it sync...
2978+ */
2979+ TALLOC_FREE(state->cli->transport);
2980 tevent_req_nterror(req, status);
2981 return;
2982 }
2983@@ -979,6 +991,28 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
2984 (unsigned)state->reply_pdu_offset,
2985 nt_errstr(status)));
2986
2987+ if (state->pkt->ptype != DCERPC_PKT_FAULT && !NT_STATUS_IS_OK(status)) {
2988+ /*
2989+ * TODO: do a real async disconnect ...
2990+ *
2991+ * For now do it sync...
2992+ */
2993+ TALLOC_FREE(state->cli->transport);
2994+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
2995+ /*
2996+ * TODO: do a real async disconnect ...
2997+ *
2998+ * For now do it sync...
2999+ */
3000+ TALLOC_FREE(state->cli->transport);
3001+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
3002+ /*
3003+ * TODO: do a real async disconnect ...
3004+ *
3005+ * For now do it sync...
3006+ */
3007+ TALLOC_FREE(state->cli->transport);
3008+ }
3009 if (!NT_STATUS_IS_OK(status)) {
3010 tevent_req_nterror(req, status);
3011 return;
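Review bot: The three branches of the new if/else-if chain have byte-identical bodies, so the shape suggests three different responses where there is only one, and a reader has to compare the bodies to discover that. One condition joining the three tests with || keeps the behaviour (a non-FAULT packet disconnects on any failure, a FAULT packet only on NT_STATUS_RPC_PROTOCOL_ERROR or NT_STATUS_RPC_SEC_PKG_ERROR) and carries the TODO comment once. rpc_api_pipe_got_pdu begins before this hunk.
```c
	if ((state->pkt->ptype != DCERPC_PKT_FAULT && !NT_STATUS_IS_OK(status)) ||
	    NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR) ||
	    NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
		/*
		 * TODO: do a real async disconnect ...
		 *
		 * For now do it sync...
		 */
		TALLOC_FREE(state->cli->transport);
	}
	/* … unchanged: !NT_STATUS_IS_OK(status) error return … */
```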
3012@@ -1003,12 +1037,24 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
3013 "%s\n",
3014 state->endianess?"little":"big",
3015 state->pkt->drep[0]?"little":"big"));
3016- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
3017+ /*
3018+ * TODO: do a real async disconnect ...
3019+ *
3020+ * For now do it sync...
3021+ */
3022+ TALLOC_FREE(state->cli->transport);
3023+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
3024 return;
3025 }
3026
3027 if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) {
3028- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
3029+ /*
3030+ * TODO: do a real async disconnect ...
3031+ *
3032+ * For now do it sync...
3033+ */
3034+ TALLOC_FREE(state->cli->transport);
3035+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
3036 return;
3037 }
3038
3039@@ -1016,6 +1062,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
3040 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
3041 if (!data_blob_realloc(NULL, &state->reply_pdu,
3042 state->reply_pdu_offset + rdata.length)) {
3043+ /*
3044+ * TODO: do a real async disconnect ...
3045+ *
3046+ * For now do it sync...
3047+ */
3048+ TALLOC_FREE(state->cli->transport);
3049 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
3050 return;
3051 }
3052@@ -1045,6 +1097,14 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
3053 subreq = get_complete_frag_send(state, state->ev, state->cli,
3054 state->call_id,
3055 &state->incoming_frag);
3056+ if (subreq == NULL) {
3057+ /*
3058+ * TODO: do a real async disconnect ...
3059+ *
3060+ * For now do it sync...
3061+ */
3062+ TALLOC_FREE(state->cli->transport);
3063+ }
3064 if (tevent_req_nomem(subreq, req)) {
3065 return;
3066 }
3067@@ -2574,8 +2634,9 @@ static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx,
3068 /*
3069 * TODO: do a real async disconnect ...
3070 *
3071- * For now the caller needs to free rpc_cli
3072+ * For now we do it sync...
3073 */
3074+ TALLOC_FREE(hs->rpc_cli->transport);
3075 hs->rpc_cli = NULL;
3076
3077 tevent_req_done(req);
3078--
30792.8.1
3080