Author: jra Date: 2005-08-25 03:04:27 +0000 (Thu, 25 Aug 2005) New Revision: 9606
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9606 Log: Remember to remove the sign/seal padding length from the data stream once we've done the sign/seal calculations. Jeremy. Modified: trunk/source/rpc_server/srv_pipe.c trunk/source/rpc_server/srv_pipe_hnd.c Changeset:
Modified: trunk/source/rpc_server/srv_pipe.c
===================================================================
--- trunk/source/rpc_server/srv_pipe.c 2005-08-25 02:55:54 UTC (rev 9605)
+++ trunk/source/rpc_server/srv_pipe.c 2005-08-25 03:04:27 UTC (rev 9606)
@@ -1829,7 +1829,8 @@
 Deal with NTLMSSP sign & seal processing on an RPC request.
 ****************************************************************************/
-BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in, NTSTATUS *pstatus)
+BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
+ uint32 *p_ss_padding_len, NTSTATUS *pstatus)
 {
 RPC_HDR_AUTH auth_info;
 uint32 auth_len = p->hdr.auth_len;
@@ -1888,6 +1889,13 @@
 return False;
 }
+ /*
+ * Remember the padding length. We must remove it from the real data
+ * stream once the sign/seal is done.
+ */
+
+ *p_ss_padding_len = auth_info.auth_pad_len;
+
 auth_blob.data = prs_data_p(rpc_in) + prs_offset(rpc_in);
 auth_blob.length = auth_len;
@@ -1937,7 +1945,7 @@
 Deal with schannel processing on an RPC request.
 ****************************************************************************/
-BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in)
+BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
 {
 /*
 * We always negotiate the following two bits....
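Review bot: The block comment above the changed signature still says only "Deal with NTLMSSP sign & seal processing on an RPC request." and does not mention the new out-parameter, so a caller cannot tell what `*p_ss_padding_len` holds or when it is written; the schannel signature at @@ -1937 has the same gap. I would add to both block comments: ` On success *p_ss_padding_len receives auth_pad_len from the request's auth header and the caller must strip that many bytes from the stub data; it is only assigned once the auth header has been accepted (see the later hunk), so callers must initialise it themselves.` Both function bodies continue outside the hunk.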
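Review bot: `*p_ss_padding_len = auth_info.auth_pad_len;` hands back a length read from the request's RPC_HDR_AUTH without comparing it to the data actually present, so the only bound on a client-chosen pad length is whatever the caller applies afterwards; the copy added at @@ -1988 for schannel has the same property. This function already knows `p->hdr.frag_len` and `auth_len`, so it is the natural place to reject a pad claim that exceeds the stub data before the value leaves the function, e.g. `if (auth_info.auth_pad_len > p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len) { *pstatus = NT_STATUS_INVALID_PARAMETER; return False; }`. That expression presumes frag_len has already been checked against the fixed header sizes earlier in the function, which is not visible in this hunk.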
@@ -1988,6 +1996,13 @@
 return False;
 }
+ /*
+ * Remember the padding length. We must remove it from the real data
+ * stream once the sign/seal is done.
+ */
+
+ *p_ss_padding_len = auth_info.auth_pad_len;
+
 if (!schannel_decode(p->auth.a_u.schannel_auth,
 p->auth.auth_level,
 SENDER_IS_INITIATOR,
Modified: trunk/source/rpc_server/srv_pipe_hnd.c
===================================================================
--- trunk/source/rpc_server/srv_pipe_hnd.c 2005-08-25 02:55:54 UTC (rev 9605)
+++ trunk/source/rpc_server/srv_pipe_hnd.c 2005-08-25 03:04:27 UTC (rev 9606)
@@ -543,6 +543,7 @@
 static BOOL process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
 {
+ uint32 ss_padding_len = 0;
 size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
 (p->hdr.auth_len ? RPC_HDR_AUTH_LEN : 0) -
 p->hdr.auth_len;
@@ -573,20 +574,19 @@
 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
 case PIPE_AUTH_TYPE_NTLMSSP:
- {
- NTSTATUS status;
- if(!api_pipe_ntlmssp_auth_process(p, rpc_in_p,&status)) {
- DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
- DEBUG(0,("process_request_pdu: error was %s.\n", nt_errstr(status) ));
- set_incoming_fault(p);
- return False;
- }
+ {
+ NTSTATUS status;
+ if(!api_pipe_ntlmssp_auth_process(p, rpc_in_p, &ss_padding_len, &status)) {
+ DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
+ DEBUG(0,("process_request_pdu: error was %s.\n", nt_errstr(status) ));
+ set_incoming_fault(p);
+ return False;
 }
- break;
+ }
 case PIPE_AUTH_TYPE_SCHANNEL:
- if (!api_pipe_schannel_process(p, rpc_in_p)) {
+ if (!api_pipe_schannel_process(p, rpc_in_p, &ss_padding_len)) {
 DEBUG(3,("process_request_pdu: failed to do schannel processing.\n"));
 set_incoming_fault(p);
 return False;
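Review bot: The `break;` that ended the NTLMSSP case is deleted (`- break;`) and the new side only adds the closing `}` of the block, so after a successful `api_pipe_ntlmssp_auth_process` the switch at @@ -573 falls straight through into `case PIPE_AUTH_TYPE_SCHANNEL:` and runs `api_pipe_schannel_process` on a pipe that negotiated NTLMSSP; presumably that call fails and the request is faulted, which would break every NTLMSSP-authenticated request rather than just the padding handling this commit is about. Put the break back inside the block, on the line before the added `}`: `break;`. process_request_pdu and its switch continue past the end of the hunk.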
@@ -599,6 +599,11 @@
 return False;
 }
+ /* Now we've done the sign/seal we can remove any padding data. */
+ if (data_len > ss_padding_len) {
+ data_len -= ss_padding_len;
+ }
+
 /*
 * Check the data length doesn't go over the 15Mb limit.
 * increased after observing a bug in the Windows NT 4.0 SP6a
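Review bot: `if (data_len > ss_padding_len)` makes a pad length that is larger than or equal to the stub data a silent no-op: the request is not faulted and the padding bytes, whose count came from the client's auth header, stay inside `data_len` and are passed on as if they were stub data. A pad claim that does not fit is a malformed PDU and deserves the same treatment as the other failures in this function: `if (ss_padding_len > data_len) { set_incoming_fault(p); return False; }` followed by an unconditional `data_len -= ss_padding_len;`. The equal case then yields an empty stub, which the length checks that follow can judge on their own. process_request_pdu continues outside the hunk.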