From: Stefan Metzmacher Date: Thu, 5 Aug 2021 09:24:26 +0000 (+0200) Subject: CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind() X-Git-Tag: samba-4.13.14~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7636fb7215f83a5d8cc501ff46eed0954e10040;p=thirdparty%2Fsamba.git CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind() This will make it easier to reuse. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett
---
diff --git a/source4/torture/rpc/drsuapi.c b/source4/torture/rpc/drsuapi.c
index 2ae2ba031e9..862c5f592b7 100644
--- a/source4/torture/rpc/drsuapi.c
+++ b/source4/torture/rpc/drsuapi.c
@@ -28,12 +28,14 @@ #define TEST_MACHINE_NAME "torturetest"
-bool test_DsBind(struct dcerpc_pipe *p,
- struct torture_context *tctx,
- struct DsPrivate *priv)
+static bool test_DsBind(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *bind_handle,
+ struct drsuapi_DsBindInfo28 *srv_info28)
 {
 NTSTATUS status;
 struct drsuapi_DsBind r;
+ struct GUID bind_guid;
 struct drsuapi_DsBindInfo28 *bind_info28;
 struct drsuapi_DsBindInfoCtr bind_info_ctr;
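Review bot: The new signature in the first drsuapi.c hunk takes two output pointers with different contracts, and nothing documents the difference. The following hunk stores `bind_handle` into `r.out.bind_handle` unconditionally but writes `*srv_info28` only when it is non-NULL. Since the commit message says the function is meant to be reused, a short comment above `test_DsBind()` would help, for example `/* bind_handle: required, receives the DsBind handle; srv_info28: optional (may be NULL), receives the server's DsBindInfo28 */`. The function body continues outside this hunk.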
@@ -70,19 +72,20 @@ bool test_DsBind(struct dcerpc_pipe *p,
 bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7;
 bind_info28->supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT;
- GUID_from_string(DRSUAPI_DS_BIND_GUID, &priv->bind_guid);
+ GUID_from_string(DRSUAPI_DS_BIND_GUID, &bind_guid);
- r.in.bind_guid = &priv->bind_guid;
+ r.in.bind_guid = &bind_guid;
 r.in.bind_info = &bind_info_ctr;
- r.out.bind_handle = &priv->bind_handle;
+ r.out.bind_handle = bind_handle;
 torture_comment(tctx, "Testing DsBind\n");
 status = dcerpc_drsuapi_DsBind_r(p->binding_handle, tctx, &r);
 torture_drsuapi_assert_call(tctx, p, status, &r, "dcerpc_drsuapi_DsBind");
- /* cache server supported extensions, i.e. bind_info */
- priv->srv_bind_info = r.out.bind_info->info.info28;
+ if (srv_info28 != NULL) {
+ *srv_info28 = r.out.bind_info->info.info28;
+ }
 return true;
 }
@@ -786,7 +789,10 @@ bool torture_drsuapi_tcase_setup_common(struct torture_context *tctx, struct DsP
 &machine_credentials);
 torture_assert(tctx, priv->join, "Failed to join as BDC");
- if (!test_DsBind(priv->drs_pipe, tctx, priv)) {
+ if (!test_DsBind(priv->drs_pipe, tctx,
+ &priv->bind_handle,
+ &priv->srv_bind_info))
+ {
 /* clean up */
 torture_drsuapi_tcase_teardown_common(tctx, priv);
 torture_fail(tctx, "Failed execute test_DsBind()");
diff --git a/source4/torture/rpc/drsuapi.h b/source4/torture/rpc/drsuapi.h
index f1a5bba05b8..e81b2fe3746 100644
--- a/source4/torture/rpc/drsuapi.h
+++ b/source4/torture/rpc/drsuapi.h
@@ -29,7 +29,6 @@ struct DsPrivate {
 struct dcerpc_pipe *drs_pipe;
 struct policy_handle bind_handle;
- struct GUID bind_guid;
 struct drsuapi_DsBindInfo28 srv_bind_info;
 const char *domain_obj_dn;
diff --git a/source4/torture/rpc/drsuapi_cracknames.c b/source4/torture/rpc/drsuapi_cracknames.c
index a0daa608748..352334a0eba 100644
--- a/source4/torture/rpc/drsuapi_cracknames.c
+++ b/source4/torture/rpc/drsuapi_cracknames.c
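Review bot: In the test_DsBind() hunk (`@@ -70,19 +72,20 @@`), the added `*srv_info28 = r.out.bind_info->info.info28;` reads through `r.out.bind_info` without checking that the server returned a bind_info, or that the reply carries the info28 member. The page does not show what `torture_drsuapi_assert_call()` verifies beyond the call result, so a reply with no info or a different info level might crash the test or cache the wrong union member. Consider `torture_assert(tctx, r.out.bind_info != NULL, "DsBind returned no bind_info");` before the copy, plus a check of the returned length if the union is length-discriminated. The start of the function is outside this hunk.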
@@ -801,7 +801,7 @@ bool test_DsCrackNames(struct torture_context *tctx,
 .format_offered = DRSUAPI_DS_NAME_FORMAT_GUID,
 .format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
 .comment = "BIND GUID (ie, not in the directory)",
- .str = GUID_string2(mem_ctx, &priv->bind_guid),
+ .str = DRSUAPI_DS_BIND_GUID,
 .status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND
 },
 {
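Review bot: `.str = DRSUAPI_DS_BIND_GUID` may not yield the same string as the removed `GUID_string2(mem_ctx, &priv->bind_guid)`. As far as I know GUID_string2() wraps the GUID in braces, while the constant is the bare string that drsuapi.c passes to `GUID_from_string()`. Because this entry expects `DRSUAPI_DS_NAME_STATUS_NOT_FOUND`, a string the server treats as malformed for `DRSUAPI_DS_NAME_FORMAT_GUID` could satisfy the test without exercising the "valid GUID, not in the directory" path. If the macro expands to a string literal, `.str = "{" DRSUAPI_DS_BIND_GUID "}",` would keep the old form; otherwise a comment saying the bare form is intended would do. The enclosing table and function start and end outside the hunk.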