Author: jra Date: 2005-09-22 18:41:17 +0000 (Thu, 22 Sep 2005) New Revision: 10428
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10428
Log: It doesn't help in encrypted RPC streams if you forget to remove the auth_footer from the stream... :-). Thanks to Volker for catching this "Doh!" Homer Simpson bug :-). Jeremy.
Modified: trunk/source/rpc_client/cli_pipe.c
Changeset:
Modified: trunk/source/rpc_client/cli_pipe.c
===================================================================
--- trunk/source/rpc_client/cli_pipe.c	2005-09-22 18:37:03 UTC (rev 10427)
+++ trunk/source/rpc_client/cli_pipe.c	2005-09-22 18:41:17 UTC (rev 10428)
@@ -440,6 +440,19 @@
 {
 	NTSTATUS ret = NT_STATUS_OK;
 
+	/* Paranioa checks for auth_len. */
+	if (prhdr->auth_len) {
+		if (prhdr->auth_len > prhdr->frag_len) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		if (prhdr->auth_len + RPC_HDR_AUTH_LEN < prhdr->auth_len ||
+			prhdr->auth_len + RPC_HDR_AUTH_LEN < RPC_HDR_AUTH_LEN) {
+			/* Integer wrap attempt. */
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
+
 	/*
 	 * Now we have a complete RPC request PDU fragment, try and verify any auth data.
 	 */
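Review bot: The second guard, `prhdr->auth_len + RPC_HDR_AUTH_LEN < prhdr->auth_len || prhdr->auth_len + RPC_HDR_AUTH_LEN < RPC_HDR_AUTH_LEN`, only detects a wrap if the addition is carried out in the field's own unsigned width; the header struct is not in this hunk, but if auth_len is a 16-bit field as in the DCE/RPC header, both operands promote to int, the sum can never wrap, and the clause is dead code rather than a check. Since the first guard already establishes `auth_len <= frag_len`, a test that is meaningful at any width and also guarantees room for the auth header is `if (prhdr->frag_len - prhdr->auth_len < RPC_HDR_AUTH_LEN) return NT_STATUS_INVALID_PARAMETER;`, which cannot underflow after that first check. The comment should read `/* Paranoia checks for auth_len. */`. The enclosing function's signature and the rest of its body are outside the hunk.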
@@ -543,11 +556,26 @@
 	/* Point the return values at the NDR data. Remember to remove any ss padding. */
 	*ppdata = prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
+
 	if (current_pdu_len < RPC_HEADER_LEN + RPC_HDR_RESP_LEN + ss_padding_len) {
 		return NT_STATUS_BUFFER_TOO_SMALL;
 	}
+
 	*pdata_len = current_pdu_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - ss_padding_len;
+	/* Remember to remove the auth footer. */
+	if (prhdr->auth_len) {
+		/* We've already done integer wrap tests on auth_len in
+		   cli_pipe_validate_rpc_response(). */
+		if (*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len) {
+			return NT_STATUS_BUFFER_TOO_SMALL;
+		}
+		*pdata_len -= (RPC_HDR_AUTH_LEN + prhdr->auth_len);
+	}
+
+	DEBUG(10,("cli_pipe_validate_current_pdu: got pdu len %u, data_len %u, ss_len %u\n",
+		current_pdu_len, *pdata_len, ss_padding_len ));
+
 	/*
 	 * If this is the first reply, and the allocation hint is reasonably, try and
 	 * set up the return_data parse_struct to the correct size.
@@ -809,6 +837,9 @@
 	ret = cli_pipe_validate_current_pdu(cli, &rhdr, ¤t_pdu, expected_pkt_type, &ret_data, &ret_data_len, rbuf);
 
+	DEBUG(10,("rpc_api_pipe: got PDU len of %u at offset %u\n",
+		prs_data_size(¤t_pdu), current_rbuf_offset ));
+
 	if (!NT_STATUS_IS_OK(ret)) {
 		goto err;
 	}
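Review bot: `*ppdata` is assigned from `prs_data_p(current_pdu)` before either NT_STATUS_BUFFER_TOO_SMALL return, so on the new auth-footer failure path the caller is handed a data pointer while `*pdata_len` still holds the pre-footer length, and on the earlier return `*pdata_len` is never written at all; if any caller reads the outputs after a failure (not visible here), either move the `*ppdata` assignment below the new block or reset both outputs on each error return, e.g. `*ppdata = NULL; *pdata_len = 0;` before each `return NT_STATUS_BUFFER_TOO_SMALL;`. The new DEBUG call prints `current_pdu_len`, `*pdata_len` and `ss_padding_len` with `%u`; their declared types are outside this hunk, and if any of them is wider than unsigned int (a size_t, for instance) that is a mismatched format argument, so cast each to `(unsigned int)` or use the matching specifier. The comment deferring the wrap test to cli_pipe_validate_rpc_response() ties this function's safety to call order it cannot see; the local guard `*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len` is cheap enough that the comment could instead state that the guard is sufficient on its own provided the sum does not wrap. cli_pipe_validate_current_pdu starts and ends outside the hunk.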