authorStefan Metzmacher <metze@samba.org>2015-06-19 15:52:11 +0200
committerKarolin Seeger <kseeger@samba.org>2015-07-11 21:59:25 +0200
commitc17dd15bb8b7933d86525943dd14f86190311a99 (patch)
treec364d93506c47726d918f09047893f623e787188
parent843c95324a95ae3bf9680a61b357e5b08c4b42df (diff)
s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
The padding needs to be relative to the payload start, not to the pdu start. We also need to align the padding to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes). BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (similar to commit b2e042ad9652e2dfb39640de43e09030efc41d3d)
-rw-r--r--source3/librpc/rpc/dcerpc.h2
-rw-r--r--source3/librpc/rpc/dcerpc_helpers.c22
-rw-r--r--source3/rpc_client/cli_pipe.c1
-rw-r--r--source3/rpc_server/srv_pipe.c1
4 files changed, 10 insertions, 16 deletions
diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index b3ae3b4e5c4..60b91d6dfa7 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -76,7 +76,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
bool bigendian);
NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
size_t header_len, size_t data_left,
- size_t max_xmit_frag, size_t pad_alignment,
+ size_t max_xmit_frag,
size_t *data_to_send, size_t *frag_len,
size_t *auth_len, size_t *pad_len);
NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index aec275e422e..b48f45c5573 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -256,7 +256,6 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
* @param header_len The length of the packet header
* @param data_left The data left in the send buffer
* @param max_xmit_frag The max fragment size.
-* @param pad_alignment The NDR padding size.
* @param data_to_send [out] The max data we will send in the pdu
* @param frag_len [out] The total length of the fragment
* @param auth_len [out] The length of the auth trailer
@@ -266,7 +265,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
*/
NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
size_t header_len, size_t data_left,
- size_t max_xmit_frag, size_t pad_alignment,
+ size_t max_xmit_frag,
size_t *data_to_send, size_t *frag_len,
size_t *auth_len, size_t *pad_len)
{
@@ -309,7 +308,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(auth->auth_ctx,
struct gensec_security);
- *auth_len = gensec_sig_size(gensec_security, max_len);
+ mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT);
+ *auth_len = gensec_sig_size(gensec_security, max_len - mod_len);
+ if (*auth_len == 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
break;
case DCERPC_AUTH_TYPE_SCHANNEL:
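Review bot: The new call `gensec_sig_size(gensec_security, max_len - mod_len)` has no comment explaining which length it is sized for. At this point `max_len` still includes the space the auth blob will occupy, since `*auth_len` is only subtracted further down, so the result is an estimate for a payload larger than the one finally sent. I would add a comment above the `mod_len` line such as `/* size the signature for the largest DCERPC_AUTH_PAD_ALIGNMENT-aligned payload; max_len still includes the auth blob here, so this is presumably an upper bound */`. The new `*auth_len == 0` check is visible only in this branch; the SCHANNEL case continues outside the hunk, so whether it has an equivalent guard should be confirmed.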
@@ -322,19 +325,12 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
}
max_len -= *auth_len;
+ mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT);
+ max_len -= mod_len;
*data_to_send = MIN(max_len, data_left);
- mod_len = (header_len + *data_to_send) % pad_alignment;
- if (mod_len) {
- *pad_len = pad_alignment - mod_len;
- } else {
- *pad_len = 0;
- }
-
- if (*data_to_send + *pad_len > max_len) {
- *data_to_send -= pad_alignment;
- }
+ *pad_len = DCERPC_AUTH_PAD_LENGTH(*data_to_send);
*frag_len = header_len + *data_to_send + *pad_len
+ DCERPC_AUTH_TRAILER_LENGTH + *auth_len;
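Review bot: `max_len -= *auth_len;` is a `size_t` subtraction with no bound check visible in this hunk, so an `*auth_len` larger than the remaining `max_len` would wrap to a very large value. The new `mod_len` rounding and `MIN(max_len, data_left)` would then set `*data_to_send` to `data_left`, and `*frag_len` could exceed `max_xmit_frag`. The function body starts outside the hunk, so an earlier check may exist; if it does not, add `if (*auth_len > max_len) { return NT_STATUS_INTERNAL_ERROR; }` before the subtraction. Separately, rounding down to DCERPC_AUTH_PAD_ALIGNMENT can leave `max_len` at 0 while `data_left` is non-zero, giving `*data_to_send == 0`; it is worth confirming that the callers in cli_pipe.c and srv_pipe.c treat a zero-payload fragment as an error rather than looping on it.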
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 385ae25289b..78b1c5c7a30 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1282,7 +1282,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
status = dcerpc_guess_sizes(state->cli->auth,
DCERPC_REQUEST_LENGTH, data_left,
state->cli->max_xmit_frag,
- CLIENT_NDR_PADDING_SIZE,
&data_sent_thistime,
&frag_len, &auth_len, &pad_len);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 7daff04f2ac..9df41b46d82 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -141,7 +141,6 @@ static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
DCERPC_RESPONSE_LENGTH,
data_left,
RPC_MAX_PDU_FRAG_LEN,
- SERVER_NDR_PADDING_SIZE,
&data_to_send, &frag_len,
&auth_len, &pad_len);
if (!NT_STATUS_IS_OK(status)) {