The branch, master has been updated
via 5277fc4 s3-rpc_server: Fix handling of fragmented rpc requests.
via 1351feb s4-torture: add some tests for pre-allocated buffers in
enumprinterdrivers call.
via b905523 s4-torture: add test_EnumPrinterDrivers_buffers function.
from cf0934c s3: smbd: Fileserving share access checks.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5277fc4d0393ffe2e415ad26610b36d2986c62d7
Author: Andreas Schneider <a...@cryptomilk.org>
Date: Thu Mar 20 14:45:01 2014 +0100
s3-rpc_server: Fix handling of fragmented rpc requests.
We need to call pipe_init_outgoing_data() as the first thing in
process_complete_pdu(). Otherwise the caller may use uninitialized
memory and tries to write a response into the socket.
The problem happens only if a real socket is used, which means
in all cases for master and only with external rpc daemons in v4-0
and v4-1.
The problem looks like this in the logs.
[2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0),
class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
Processing packet type 0
[2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0),
class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
Checking request auth.
[2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)]
../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
Sending 1 fragments in a total of 0 bytes
[2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)]
../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
Sending PDU number: 0, PDU Length: 4294967228
[2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)]
../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
Writev failed!
[2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)]
../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
Fatal error(Message too long). Terminating client(127.0.0.1)
connection!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
Reviewed-by: Guenther Deschner <g...@samba.org
Autobuild-User(master): Günther Deschner <g...@samba.org>
Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104
commit 1351febcc854a4e4a599fc4c73dec83256e588c7
Author: Günther Deschner <g...@samba.org>
Date: Thu Mar 20 15:57:10 2014 +0100
s4-torture: add some tests for pre-allocated buffers in enumprinterdrivers
call.
Guenther
Signed-off-by: Günther Deschner <g...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit b905523c3289ada6f03bf086f38a041c4cad265b
Author: Günther Deschner <g...@samba.org>
Date: Thu Mar 20 15:56:13 2014 +0100
s4-torture: add test_EnumPrinterDrivers_buffers function.
This will allow to test the enumdriver call with pre-allocated buffer.
Guenther
Signed-off-by: Günther Deschner <g...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/rpc_server/srv_pipe.c | 20 ++++++---------
source4/torture/rpc/spoolss.c | 52 ++++++++++++++++++++++++++++++++--------
2 files changed, 49 insertions(+), 23 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 36864d2..67c9a68 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1547,9 +1547,6 @@ static bool process_request_pdu(struct pipes_struct *p,
struct ncacn_packet *pkt
* Ok - we finally have a complete RPC stream.
* Call the rpc command to process it.
*/
- if (!pipe_init_outgoing_data(p)) {
- return false;
- }
return api_pipe_request(p, pkt);
}
@@ -1563,6 +1560,10 @@ void process_complete_pdu(struct pipes_struct *p, struct
ncacn_packet *pkt)
DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
+ if (!pipe_init_outgoing_data(p)) {
+ goto done;
+ }
+
switch (pkt->ptype) {
case DCERPC_PKT_REQUEST:
reply = process_request_pdu(p, pkt);
@@ -1595,9 +1596,7 @@ void process_complete_pdu(struct pipes_struct *p, struct
ncacn_packet *pkt)
/*
* We assume that a pipe bind is only in one pdu.
*/
- if (pipe_init_outgoing_data(p)) {
- reply = api_pipe_bind_req(p, pkt);
- }
+ reply = api_pipe_bind_req(p, pkt);
break;
case DCERPC_PKT_BIND_ACK:
@@ -1612,9 +1611,7 @@ void process_complete_pdu(struct pipes_struct *p, struct
ncacn_packet *pkt)
/*
* We assume that a pipe bind is only in one pdu.
*/
- if (pipe_init_outgoing_data(p)) {
- reply = api_pipe_alter_context(p, pkt);
- }
+ reply = api_pipe_alter_context(p, pkt);
break;
case DCERPC_PKT_ALTER_RESP:
@@ -1626,9 +1623,7 @@ void process_complete_pdu(struct pipes_struct *p, struct
ncacn_packet *pkt)
/*
* The third packet in an auth exchange.
*/
- if (pipe_init_outgoing_data(p)) {
- reply = api_pipe_bind_auth3(p, pkt);
- }
+ reply = api_pipe_bind_auth3(p, pkt);
break;
case DCERPC_PKT_SHUTDOWN:
@@ -1676,6 +1671,7 @@ void process_complete_pdu(struct pipes_struct *p, struct
ncacn_packet *pkt)
break;
}
+done:
if (!reply) {
DEBUG(3,("DCE/RPC fault sent!"));
set_incoming_fault(p);
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 3d99470..ccc842a 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -513,30 +513,36 @@ static bool test_GetPrinterDriverDirectory(struct
torture_context *tctx,
return true;
}
-static bool test_EnumPrinterDrivers_args(struct torture_context *tctx,
- struct dcerpc_binding_handle *b,
- const char *server_name,
- const char *environment,
- uint32_t level,
- uint32_t *count_p,
- union spoolss_DriverInfo **info_p)
+static bool test_EnumPrinterDrivers_buffers(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ const char *server_name,
+ const char *environment,
+ uint32_t level,
+ uint32_t offered,
+ uint32_t *count_p,
+ union spoolss_DriverInfo **info_p)
{
struct spoolss_EnumPrinterDrivers r;
uint32_t needed;
uint32_t count;
union spoolss_DriverInfo *info;
+ DATA_BLOB buffer;
+
+ if (offered > 0) {
+ buffer = data_blob_talloc_zero(tctx, offered);
+ }
r.in.server = server_name;
r.in.environment = environment;
r.in.level = level;
- r.in.buffer = NULL;
- r.in.offered = 0;
+ r.in.buffer = offered ? &buffer : NULL;
+ r.in.offered = offered;
r.out.needed = &needed;
r.out.count = &count;
r.out.info = &info;
- torture_comment(tctx, "Testing EnumPrinterDrivers(%s) level %u\n",
- r.in.environment, r.in.level);
+ torture_comment(tctx, "Testing EnumPrinterDrivers(%s) level %u,
offered: %u\n",
+ r.in.environment, r.in.level, r.in.offered);
torture_assert_ntstatus_ok(tctx,
dcerpc_spoolss_EnumPrinterDrivers_r(b, tctx, &r),
@@ -567,6 +573,20 @@ static bool test_EnumPrinterDrivers_args(struct
torture_context *tctx,
}
+
+static bool test_EnumPrinterDrivers_args(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ const char *server_name,
+ const char *environment,
+ uint32_t level,
+ uint32_t *count_p,
+ union spoolss_DriverInfo **info_p)
+{
+ return test_EnumPrinterDrivers_buffers(tctx, b, server_name,
+ environment, level, 0,
+ count_p, info_p);
+}
+
static bool test_EnumPrinterDrivers_findone(struct torture_context *tctx,
struct dcerpc_binding_handle *b,
const char *server_name,
@@ -642,6 +662,7 @@ static bool test_EnumPrinterDrivers(struct torture_context
*tctx,
struct dcerpc_pipe *p = ctx->spoolss_pipe;
struct dcerpc_binding_handle *b = p->binding_handle;
uint16_t levels[] = { 1, 2, 3, 4, 5, 6, 8 };
+ uint16_t buffer_sizes[] = { 0, 1024, 6040, 0xffff };
int i, j, a;
/* FIXME: gd, come back and fix "" as server, and handle
@@ -655,6 +676,15 @@ static bool test_EnumPrinterDrivers(struct torture_context
*tctx,
for (a=0;a<ARRAY_SIZE(environments);a++) {
+ for (i=0;i<ARRAY_SIZE(buffer_sizes);i++) {
+ torture_assert(tctx,
+ test_EnumPrinterDrivers_buffers(tctx, b, server_name,
+ environments[a], 3,
+ buffer_sizes[i],
+ NULL, NULL),
+ "failed to enumerate drivers");
+ }
+
for (i=0;i<ARRAY_SIZE(levels);i++) {
int level = levels[i];
uint32_t count;
--
Samba Shared Repository
