The branch, master has been updated via 5277fc4 s3-rpc_server: Fix handling of fragmented rpc requests. via 1351feb s4-torture: add some tests for pre-allocated buffers in enumprinterdrivers call. via b905523 s4-torture: add test_EnumPrinterDrivers_buffers function. from cf0934c s3: smbd: Fileserving share access checks.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 5277fc4d0393ffe2e415ad26610b36d2986c62d7 Author: Andreas Schneider <a...@cryptomilk.org> Date: Thu Mar 20 14:45:01 2014 +0100 s3-rpc_server: Fix handling of fragmented rpc requests. We need to call pipe_init_outgoing_data() as the first thing in process_complete_pdu(). Otherwise the caller may use uninitialized memory and tries to write a response into the socket. The problem happens only if a real socket is used, which means in all cases for master and only with external rpc daemons in v4-0 and v4-1. The problem looks like this in the logs. [2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu) Processing packet type 0 [2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request) Checking request auth. [2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process) Sending 1 fragments in a total of 0 bytes [2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process) Sending PDU number: 0, PDU Length: 4294967228 [2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done) Writev failed! [2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done) Fatal error(Message too long). Terminating client(127.0.0.1) connection! BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481 Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> 
Signed-off-by: Andreas Schneider <a...@cryptomilk.org> Reviewed-by: Guenther Deschner <g...@samba.org Autobuild-User(master): Günther Deschner <g...@samba.org> Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104 commit 1351febcc854a4e4a599fc4c73dec83256e588c7 Author: Günther Deschner <g...@samba.org> Date: Thu Mar 20 15:57:10 2014 +0100 s4-torture: add some tests for pre-allocated buffers in enumprinterdrivers call. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit b905523c3289ada6f03bf086f38a041c4cad265b Author: Günther Deschner <g...@samba.org> Date: Thu Mar 20 15:56:13 2014 +0100 s4-torture: add test_EnumPrinterDrivers_buffers function. This will allow to test the enumdriver call with pre-allocated buffer. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/rpc_server/srv_pipe.c | 20 ++++++--------- source4/torture/rpc/spoolss.c | 52 ++++++++++++++++++++++++++++++++-------- 2 files changed, 49 insertions(+), 23 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 36864d2..67c9a68 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1547,9 +1547,6 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
 * Ok - we finally have a complete RPC stream.
 * Call the rpc command to process it.
 */
- if (!pipe_init_outgoing_data(p)) {
- return false;
- }
 return api_pipe_request(p, pkt);
 }
 
@@ -1563,6 +1560,10 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 
 DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
 
+ if (!pipe_init_outgoing_data(p)) {
+ goto done;
+ }
+
 switch (pkt->ptype) {
 case DCERPC_PKT_REQUEST:
 reply = process_request_pdu(p, pkt);
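Review bot: When pipe_init_outgoing_data() fails, the new `goto done` in process_complete_pdu leaves no record of why the PDU is being faulted — the `done:` path only logs "DCE/RPC fault sent!" at level 3, so an allocation failure there is indistinguishable from a malformed packet in the logs. A line at the failure site, e.g. `DEBUG(0, ("process_complete_pdu: pipe_init_outgoing_data failed\n"));` before the goto, would make the condition visible to an operator. Hoisting the call ahead of the switch also means every packet type, including the ones the switch rejects, now initialises the outgoing buffer first; that is presumably the intent of the fix, and a one-line comment above the call saying that the reply buffer must be valid before any handler or the fault path runs would record it. The body of process_complete_pdu continues outside the hunk.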
@@ -1595,9 +1596,7 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 /*
 * We assume that a pipe bind is only in one pdu.
 */
- if (pipe_init_outgoing_data(p)) {
- reply = api_pipe_bind_req(p, pkt);
- }
+ reply = api_pipe_bind_req(p, pkt);
 break;
 
 case DCERPC_PKT_BIND_ACK:
@@ -1612,9 +1611,7 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 /*
 * We assume that a pipe bind is only in one pdu.
 */
- if (pipe_init_outgoing_data(p)) {
- reply = api_pipe_alter_context(p, pkt);
- }
+ reply = api_pipe_alter_context(p, pkt);
 break;
 
 case DCERPC_PKT_ALTER_RESP:
@@ -1626,9 +1623,7 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 /*
 * The third packet in an auth exchange.
 */
- if (pipe_init_outgoing_data(p)) {
- reply = api_pipe_bind_auth3(p, pkt);
- }
+ reply = api_pipe_bind_auth3(p, pkt);
 break;
 
 case DCERPC_PKT_SHUTDOWN:
@@ -1676,6 +1671,7 @@ void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
 break;
 }
 
+done:
 if (!reply) {
 DEBUG(3,("DCE/RPC fault sent!"));
 set_incoming_fault(p);
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 3d99470..ccc842a 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
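Review bot: The `done:` label added in the hunk at line 1671 has its only `goto` roughly a hundred lines earlier, at the top of process_complete_pdu, so a reader of this part of the function cannot see that `reply` is still false when the label is reached directly. A short comment on the label, `/* reached via goto when pipe_init_outgoing_data() fails; reply is false, so a fault PDU is sent */`, would document that invariant next to the code that depends on it. process_complete_pdu starts and ends outside these hunks.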
@@ -513,30 +513,36 @@ static bool test_GetPrinterDriverDirectory(struct torture_context *tctx,
 return true;
 }
 
-static bool test_EnumPrinterDrivers_args(struct torture_context *tctx,
- struct dcerpc_binding_handle *b,
- const char *server_name,
- const char *environment,
- uint32_t level,
- uint32_t *count_p,
- union spoolss_DriverInfo **info_p)
+static bool test_EnumPrinterDrivers_buffers(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ const char *server_name,
+ const char *environment,
+ uint32_t level,
+ uint32_t offered,
+ uint32_t *count_p,
+ union spoolss_DriverInfo **info_p)
 {
 struct spoolss_EnumPrinterDrivers r;
 uint32_t needed;
 uint32_t count;
 union spoolss_DriverInfo *info;
+ DATA_BLOB buffer;
+
+ if (offered > 0) {
+ buffer = data_blob_talloc_zero(tctx, offered);
+ }
 
 r.in.server = server_name;
 r.in.environment = environment;
 r.in.level = level;
- r.in.buffer = NULL;
- r.in.offered = 0;
+ r.in.buffer = offered ? &buffer : NULL;
+ r.in.offered = offered;
 r.out.needed = &needed;
 r.out.count = &count;
 r.out.info = &info;
 
- torture_comment(tctx, "Testing EnumPrinterDrivers(%s) level %u\n",
- r.in.environment, r.in.level);
+ torture_comment(tctx, "Testing EnumPrinterDrivers(%s) level %u, offered: %u\n",
+ r.in.environment, r.in.level, r.in.offered);
 
 torture_assert_ntstatus_ok(tctx,
 dcerpc_spoolss_EnumPrinterDrivers_r(b, tctx, &r),
@@ -567,6 +573,20 @@ static bool test_EnumPrinterDrivers_args(struct torture_context *tctx,
 
 }
 
+
+static bool test_EnumPrinterDrivers_args(struct torture_context *tctx,
+ struct dcerpc_binding_handle *b,
+ const char *server_name,
+ const char *environment,
+ uint32_t level,
+ uint32_t *count_p,
+ union spoolss_DriverInfo **info_p)
+{
+ return test_EnumPrinterDrivers_buffers(tctx, b, server_name,
+ environment, level, 0,
+ count_p, info_p);
+}
+
 static bool test_EnumPrinterDrivers_findone(struct torture_context *tctx,
 struct dcerpc_binding_handle *b,
 const char *server_name,
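Review bot: `buffer = data_blob_talloc_zero(tctx, offered);` is not checked, so if the allocation fails the call still goes out with `r.in.offered` non-zero and `buffer.data` NULL, and the test would fail somewhere inside the marshalling with a misleading message; `torture_assert(tctx, buffer.data != NULL, "data_blob_talloc_zero failed");` immediately after the assignment pins the real cause. `DATA_BLOB buffer;` is also left uninitialised on the offered == 0 path — it is never dereferenced there, but `DATA_BLOB buffer = data_blob_null;` makes the two cases explicit and keeps the `offered ? &buffer : NULL` expression honest. How a pre-allocated buffer that is too small (needed larger than offered) is treated lies in the part of test_EnumPrinterDrivers_buffers outside the hunk, so I cannot tell whether the insufficient-buffer status is asserted. The test_EnumPrinterDrivers_args wrapper in the following hunk is fine as written.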
@@ -642,6 +662,7 @@ static bool test_EnumPrinterDrivers(struct torture_context *tctx,
 struct dcerpc_pipe *p = ctx->spoolss_pipe;
 struct dcerpc_binding_handle *b = p->binding_handle;
 uint16_t levels[] = { 1, 2, 3, 4, 5, 6, 8 };
+ uint16_t buffer_sizes[] = { 0, 1024, 6040, 0xffff };
 int i, j, a;
 
 /* FIXME: gd, come back and fix "" as server, and handle
@@ -655,6 +676,15 @@ static bool test_EnumPrinterDrivers(struct torture_context *tctx,
 
 for (a=0;a<ARRAY_SIZE(environments);a++) {
 
+ for (i=0;i<ARRAY_SIZE(buffer_sizes);i++) {
+ torture_assert(tctx,
+ test_EnumPrinterDrivers_buffers(tctx, b, server_name,
+ environments[a], 3,
+ buffer_sizes[i],
+ NULL, NULL),
+ "failed to enumerate drivers");
+ }
+
 for (i=0;i<ARRAY_SIZE(levels);i++) {
 int level = levels[i];
 uint32_t count;
-- Samba Shared Repository
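Review bot: `uint16_t buffer_sizes[]` in the hunk at line 662 is narrower than the `uint32_t offered` parameter it feeds in the hunk at line 676, so a later entry above 0xffff (the natural next case, since 0xffff is already the largest value here) would be silently truncated; `uint32_t buffer_sizes[] = { 0, 1024, 6040, 0xffff };` matches the parameter type. The new loop also hard-codes level 3 with no explanation, while the loop right below it iterates over `levels[]`; a comment such as `/* pre-allocated buffer sizes are only exercised at level 3 */` or reusing `levels[]` would make the intent clear. The assertion message "failed to enumerate drivers" does not say which size or environment failed, though the torture_comment inside test_EnumPrinterDrivers_buffers does print the offered size just before the call. test_EnumPrinterDrivers continues outside the hunk.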