rpc_client: .

jra Thu, 22 Sep 2005 11:41:31 -0700

Author: jra
Date: 2005-09-22 18:41:17 +0000 (Thu, 22 Sep 2005)
New Revision: 10428


WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10428

Log:
It doesn't help in encrypted RPC streams if you forget to remove
the auth_footer from the stream... :-). Thanks to Volker for catching
this "Doh!" Homer Simpson bug :-).
Jeremy.

Modified:
   trunk/source/rpc_client/cli_pipe.c


Changeset:
Modified: trunk/source/rpc_client/cli_pipe.c
===================================================================
--- trunk/source/rpc_client/cli_pipe.c  2005-09-22 18:37:03 UTC (rev 10427)
+++ trunk/source/rpc_client/cli_pipe.c  2005-09-22 18:41:17 UTC (rev 10428)
@@ -440,6 +440,19 @@
 {
        NTSTATUS ret = NT_STATUS_OK;
 
+       /* Paranioa checks for auth_len. */
+       if (prhdr->auth_len) {
+               if (prhdr->auth_len > prhdr->frag_len) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
+               if (prhdr->auth_len + RPC_HDR_AUTH_LEN < prhdr->auth_len ||
+                               prhdr->auth_len + RPC_HDR_AUTH_LEN < 
RPC_HDR_AUTH_LEN) {
+                       /* Integer wrap attempt. */
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+       }
+
        /*
         * Now we have a complete RPC request PDU fragment, try and verify any 
auth data.
         */
@@ -543,11 +556,26 @@
 
                        /* Point the return values at the NDR data. Remember to 
remove any ss padding. */
                        *ppdata = prs_data_p(current_pdu) + RPC_HEADER_LEN + 
RPC_HDR_RESP_LEN;
+
                        if (current_pdu_len < RPC_HEADER_LEN + RPC_HDR_RESP_LEN 
+ ss_padding_len) {
                                return NT_STATUS_BUFFER_TOO_SMALL;
                        }
+
                        *pdata_len = current_pdu_len - RPC_HEADER_LEN - 
RPC_HDR_RESP_LEN - ss_padding_len;
 
+                       /* Remember to remove the auth footer. */
+                       if (prhdr->auth_len) {
+                               /* We've already done integer wrap tests on 
auth_len in
+                                       cli_pipe_validate_rpc_response(). */
+                               if (*pdata_len < RPC_HDR_AUTH_LEN + 
prhdr->auth_len) {
+                                       return NT_STATUS_BUFFER_TOO_SMALL;
+                               }
+                               *pdata_len -= (RPC_HDR_AUTH_LEN + 
prhdr->auth_len);
+                       }
+
+                       DEBUG(10,("cli_pipe_validate_current_pdu: got pdu len 
%u, data_len %u, ss_len %u\n",
+                               current_pdu_len, *pdata_len, ss_padding_len ));
+
                        /*
                         * If this is the first reply, and the allocation hint 
is reasonably, try and
                         * set up the return_data parse_struct to the correct 
size.
@@ -809,6 +837,9 @@
                ret = cli_pipe_validate_current_pdu(cli, &rhdr, &current_pdu, 
expected_pkt_type,
                                &ret_data, &ret_data_len, rbuf);
 
+               DEBUG(10,("rpc_api_pipe: got PDU len of %u at offset %u\n",
+                       prs_data_size(&current_pdu), current_rbuf_offset ));
+
                if (!NT_STATUS_IS_OK(ret)) {
                        goto err;
                }

svn commit: samba r10428 - in trunk/source/rpc_client: .

Reply via email to