search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside
[Samba.git] / source3 / rpc_server / srv_pipe.c
blobf79fbe26abff1e3a2b3f3a21480196afc09d13b1
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_dcerpc.h"
34 #include "../librpc/rpc/rpc_common.h"
35 #include "dcesrv_auth_generic.h"
36 #include "rpc_server.h"
37 #include "rpc_dce.h"
38 #include "smbd/smbd.h"
39 #include "auth.h"
40 #include "ntdomain.h"
41 #include "rpc_server/srv_pipe.h"
42 #include "rpc_server/rpc_contexts.h"
43 #include "lib/param/param.h"
44 #include "librpc/ndr/ndr_table.h"
45 #include "auth/gensec/gensec.h"
46 #include "librpc/ndr/ndr_dcerpc.h"
47 #include "lib/tsocket/tsocket.h"
48 #include "../librpc/gen_ndr/ndr_samr.h"
49 #include "../librpc/gen_ndr/ndr_lsa.h"
50 #include "../librpc/gen_ndr/ndr_netlogon.h"
51 #include "../librpc/gen_ndr/ndr_epmapper.h"
52 #include "../librpc/gen_ndr/ndr_echo.h"
53 #include "../librpc/gen_ndr/ndr_winspool.h"
54
55 #undef DBGC_CLASS
56 #define DBGC_CLASS DBGC_RPC_SRV
57
58 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p);
59
60 /**
61 * Dump everything from the start of the end up of the provided data
62 * into a file, but only at debug level >= 50
63 **/
64 static void dump_pdu_region(const char *name, int v,
65 DATA_BLOB *data, size_t start, size_t end)
66 {
67 int fd, i;
68 char *fname = NULL;
69 ssize_t sz;
70
71 if (DEBUGLEVEL < 50) return;
72
73 if (start > data->length || end > data->length || start > end) return;
74
75 for (i = 1; i < 100; i++) {
76 if (v != -1) {
77 fname = talloc_asprintf(talloc_tos(),
78 "/tmp/%s_%d.%d.prs",
79 name, v, i);
80 } else {
81 fname = talloc_asprintf(talloc_tos(),
82 "/tmp/%s_%d.prs",
83 name, i);
84 }
85 if (!fname) {
86 return;
87 }
88 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
89 if (fd != -1 || errno != EEXIST) break;
90 }
91 if (fd != -1) {
92 sz = write(fd, data->data + start, end - start);
93 i = close(fd);
94 if ((sz != end - start) || (i != 0) ) {
95 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
96 fname, (unsigned long)sz,
97 (unsigned long)end - start, i));
98 } else {
99 DEBUG(0,("created %s\n", fname));
100 }
101 }
102 TALLOC_FREE(fname);
103 }
104
105 static DATA_BLOB generic_session_key(void)
106 {
107 return data_blob_const("SystemLibraryDTC", 16);
108 }
109
110 /*******************************************************************
111 Generate the next PDU to be returned from the data.
112 ********************************************************************/
113
114 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
115 struct pipe_auth_data *auth,
116 uint32_t call_id,
117 DATA_BLOB *rdata,
118 size_t data_sent_length,
119 DATA_BLOB *frag,
120 size_t *pdu_size)
121 {
122 union dcerpc_payload u;
123 uint8_t pfc_flags;
124 size_t data_left;
125 size_t data_to_send;
126 size_t frag_len;
127 size_t pad_len = 0;
128 size_t auth_len = 0;
129 NTSTATUS status;
130
131 ZERO_STRUCT(u.response);
132
133 /* Set up rpc packet pfc flags. */
134 if (data_sent_length == 0) {
135 pfc_flags = DCERPC_PFC_FLAG_FIRST;
136 } else {
137 pfc_flags = 0;
138 }
139
140 /* Work out how much we can fit in a single PDU. */
141 data_left = rdata->length - data_sent_length;
142
143 /* Ensure there really is data left to send. */
144 if (!data_left) {
145 DEBUG(0, ("No data left to send !\n"));
146 return NT_STATUS_BUFFER_TOO_SMALL;
147 }
148
149 status = dcerpc_guess_sizes(auth,
150 DCERPC_RESPONSE_LENGTH,
151 data_left,
152 RPC_MAX_PDU_FRAG_LEN,
153 &data_to_send, &frag_len,
154 &auth_len, &pad_len);
155 if (!NT_STATUS_IS_OK(status)) {
156 return status;
157 }
158
159 /* Set up the alloc hint. This should be the data left to send. */
160 u.response.alloc_hint = data_left;
161
162 /* Work out if this PDU will be the last. */
163 if (data_sent_length + data_to_send >= rdata->length) {
164 pfc_flags |= DCERPC_PFC_FLAG_LAST;
165 }
166
167 /* Prepare data to be NDR encoded. */
168 u.response.stub_and_verifier =
169 data_blob_const(rdata->data + data_sent_length, data_to_send);
170
171 /* Store the packet in the data stream. */
172 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
173 pfc_flags, auth_len, call_id,
174 &u, frag);
175 if (!NT_STATUS_IS_OK(status)) {
176 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
177 return status;
178 }
179
180 if (auth_len) {
181 /* Set the proper length on the pdu, including padding.
182 * Only needed if an auth trailer will be appended. */
183 dcerpc_set_frag_length(frag, frag->length
184 + pad_len
185 + DCERPC_AUTH_TRAILER_LENGTH
186 + auth_len);
187 }
188
189 if (auth_len) {
190 status = dcerpc_add_auth_footer(auth, pad_len, frag);
191 if (!NT_STATUS_IS_OK(status)) {
192 data_blob_free(frag);
193 return status;
194 }
195 }
196
197 *pdu_size = data_to_send;
198 return NT_STATUS_OK;
199 }
200
201 /*******************************************************************
202 Generate the next PDU to be returned from the data in p->rdata.
203 ********************************************************************/
204
205 bool create_next_pdu(struct pipes_struct *p)
206 {
207 size_t pdu_size = 0;
208 NTSTATUS status;
209
210 /*
211 * If we're in the fault state, keep returning fault PDU's until
212 * the pipe gets closed. JRA.
213 */
214 if (p->fault_state) {
215 setup_fault_pdu(p, NT_STATUS(p->fault_state));
216 return true;
217 }
218
219 status = create_next_packet(p->mem_ctx, &p->auth,
220 p->call_id, &p->out_data.rdata,
221 p->out_data.data_sent_length,
222 &p->out_data.frag, &pdu_size);
223 if (!NT_STATUS_IS_OK(status)) {
224 DEBUG(0, ("Failed to create packet with error %s, "
225 "(auth level %u / type %u)\n",
226 nt_errstr(status),
227 (unsigned int)p->auth.auth_level,
228 (unsigned int)p->auth.auth_type));
229 return false;
230 }
231
232 /* Setup the counts for this PDU. */
233 p->out_data.data_sent_length += pdu_size;
234 p->out_data.current_pdu_sent = 0;
235 return true;
236 }
237
238
239 static bool pipe_init_outgoing_data(struct pipes_struct *p);
240
241 /*******************************************************************
242 Marshall a bind_nak pdu.
243 *******************************************************************/
244
245 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
246 {
247 NTSTATUS status;
248 union dcerpc_payload u;
249
250 /* Free any memory in the current return data buffer. */
251 pipe_init_outgoing_data(p);
252
253 /*
254 * Initialize a bind_nak header.
255 */
256
257 ZERO_STRUCT(u);
258
259 u.bind_nak.reject_reason = 0;
260
261 /*
262 * Marshall directly into the outgoing PDU space. We
263 * must do this as we need to set to the bind response
264 * header and are never sending more than one PDU here.
265 */
266
267 status = dcerpc_push_ncacn_packet(p->mem_ctx,
268 DCERPC_PKT_BIND_NAK,
269 DCERPC_PFC_FLAG_FIRST |
270 DCERPC_PFC_FLAG_LAST,
271 0,
272 pkt->call_id,
273 &u,
274 &p->out_data.frag);
275 if (!NT_STATUS_IS_OK(status)) {
276 return False;
277 }
278
279 p->out_data.data_sent_length = 0;
280 p->out_data.current_pdu_sent = 0;
281
282 set_incoming_fault(p);
283 TALLOC_FREE(p->auth.auth_ctx);
284 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
285 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
286 p->pipe_bound = False;
287 p->allow_bind = false;
288 p->allow_alter = false;
289 p->allow_auth3 = false;
290
291 return True;
292 }
293
294 /*******************************************************************
295 Marshall a fault pdu.
296 *******************************************************************/
297
298 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
299 {
300 NTSTATUS status;
301 union dcerpc_payload u;
302
303 /* Free any memory in the current return data buffer. */
304 pipe_init_outgoing_data(p);
305
306 /*
307 * Initialize a fault header.
308 */
309
310 ZERO_STRUCT(u);
311
312 u.fault.status = NT_STATUS_V(fault_status);
313
314 /*
315 * Marshall directly into the outgoing PDU space. We
316 * must do this as we need to set to the bind response
317 * header and are never sending more than one PDU here.
318 */
319
320 status = dcerpc_push_ncacn_packet(p->mem_ctx,
321 DCERPC_PKT_FAULT,
322 DCERPC_PFC_FLAG_FIRST |
323 DCERPC_PFC_FLAG_LAST |
324 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
325 0,
326 p->call_id,
327 &u,
328 &p->out_data.frag);
329 if (!NT_STATUS_IS_OK(status)) {
330 return False;
331 }
332
333 p->out_data.data_sent_length = 0;
334 p->out_data.current_pdu_sent = 0;
335
336 return True;
337 }
338
339 /*******************************************************************
340 Ensure a bind request has the correct abstract & transfer interface.
341 Used to reject unknown binds from Win2k.
342 *******************************************************************/
343
344 static bool check_bind_req(struct pipes_struct *p,
345 struct ndr_syntax_id* abstract,
346 struct ndr_syntax_id* transfer,
347 uint32_t context_id)
348 {
349 struct pipe_rpc_fns *context_fns;
350 bool ok;
351 const char *interface_name = NULL;
352
353 DEBUG(3,("check_bind_req for %s context_id=%u\n",
354 ndr_interface_name(&abstract->uuid,
355 abstract->if_version),
356 (unsigned)context_id));
357
358 ok = ndr_syntax_id_equal(transfer, &ndr_transfer_syntax_ndr);
359 if (!ok) {
360 DEBUG(1,("check_bind_req unknown transfer syntax for "
361 "%s context_id=%u\n",
362 ndr_interface_name(&abstract->uuid,
363 abstract->if_version),
364 (unsigned)context_id));
365 return false;
366 }
367
368 for (context_fns = p->contexts;
369 context_fns != NULL;
370 context_fns = context_fns->next)
371 {
372 if (context_fns->context_id != context_id) {
373 continue;
374 }
375
376 ok = ndr_syntax_id_equal(&context_fns->syntax,
377 abstract);
378 if (ok) {
379 return true;
380 }
381
382 DEBUG(1,("check_bind_req: changing abstract syntax for "
383 "%s context_id=%u into %s not supported\n",
384 ndr_interface_name(&context_fns->syntax.uuid,
385 context_fns->syntax.if_version),
386 (unsigned)context_id,
387 ndr_interface_name(&abstract->uuid,
388 abstract->if_version)));
389 return false;
390 }
391
392 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
393 if (!rpc_srv_pipe_exists_by_id(abstract)) {
394 return false;
395 }
396
397 DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
398 rpc_srv_get_pipe_cli_name(abstract),
399 rpc_srv_get_pipe_srv_name(abstract)));
400
401 ok = init_pipe_handles(p, abstract);
402 if (!ok) {
403 DEBUG(1, ("Failed to init pipe handles!\n"));
404 return false;
405 }
406
407 context_fns = talloc_zero(p, struct pipe_rpc_fns);
408 if (context_fns == NULL) {
409 DEBUG(0,("check_bind_req: talloc() failed!\n"));
410 return false;
411 }
412
413 interface_name = ndr_interface_name(&abstract->uuid,
414 abstract->if_version);
415 SMB_ASSERT(interface_name != NULL);
416
417 context_fns->next = context_fns->prev = NULL;
418 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
419 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
420 context_fns->context_id = context_id;
421 context_fns->syntax = *abstract;
422
423 context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
424 /*
425 * for the samr, lsarpc and netlogon interfaces we don't allow "connect"
426 * auth_level by default.
427 */
428 ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
429 if (ok) {
430 context_fns->allow_connect = false;
431 }
432 ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
433 if (ok) {
434 context_fns->allow_connect = false;
435 }
436 ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
437 if (ok) {
438 context_fns->allow_connect = false;
439 }
440 /*
441 * for the epmapper and echo interfaces we allow "connect"
442 * auth_level by default.
443 */
444 ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
445 if (ok) {
446 context_fns->allow_connect = true;
447 }
448 ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
449 if (ok) {
450 context_fns->allow_connect = true;
451 }
452 /*
453 * every interface can be modified to allow "connect" auth_level by
454 * using a parametric option like:
455 * allow dcerpc auth level connect:<interface>
456 * e.g.
457 * allow dcerpc auth level connect:samr = yes
458 */
459 context_fns->allow_connect = lp_parm_bool(-1,
460 "allow dcerpc auth level connect",
461 interface_name, context_fns->allow_connect);
462
463 ok = ndr_syntax_id_equal(abstract, &ndr_table_iremotewinspool.syntax_id);
464 if (ok) {
465 context_fns->min_auth_level = DCERPC_AUTH_LEVEL_PACKET;
466 }
467
468 /* add to the list of open contexts */
469
470 DLIST_ADD( p->contexts, context_fns );
471
472 return True;
473 }
474
475 /**
476 * Is a named pipe known?
477 * @param[in] pipename Just the filename
478 * @result Do we want to serve this?
479 */
480 bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
481 {
482 NTSTATUS status;
483
484 if (strchr(pipename, '/')) {
485 DEBUG(1, ("Refusing open on pipe %s\n", pipename));
486 return false;
487 }
488
489 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
490 DEBUG(10, ("refusing spoolss access\n"));
491 return false;
492 }
493
494 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
495 return true;
496 }
497
498 status = smb_probe_module("rpc", pipename);
499 if (!NT_STATUS_IS_OK(status)) {
500 DEBUG(10, ("is_known_pipename: %s unknown\n", pipename));
501 return false;
502 }
503 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
504
505 /*
506 * Scan the list again for the interface id
507 */
508 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
509 return true;
510 }
511
512 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
513 pipename));
514
515 return false;
516 }
517
518 /*******************************************************************
519 Handle an NTLMSSP bind auth.
520 *******************************************************************/
521
522 static bool pipe_auth_generic_bind(struct pipes_struct *p,
523 struct ncacn_packet *pkt,
524 struct dcerpc_auth *auth_info,
525 const char *service_description,
526 DATA_BLOB *response)
527 {
528 TALLOC_CTX *mem_ctx = pkt;
529 struct gensec_security *gensec_security = NULL;
530 NTSTATUS status;
531
532 status = auth_generic_server_authtype_start(p,
533 auth_info->auth_type,
534 auth_info->auth_level,
535 p->remote_address,
536 p->local_address,
537 service_description,
538 &gensec_security);
539 if (!NT_STATUS_IS_OK(status)) {
540 DEBUG(0, (__location__ ": auth_generic_server_authtype_start[%u/%u] failed: %s\n",
541 auth_info->auth_type, auth_info->auth_level, nt_errstr(status)));
542 return false;
543 }
544
545 p->auth.auth_ctx = gensec_security;
546 p->auth.auth_type = auth_info->auth_type;
547 p->auth.auth_level = auth_info->auth_level;
548 p->auth.auth_context_id = auth_info->auth_context_id;
549
550 if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
551 p->auth.client_hdr_signing = true;
552 p->auth.hdr_signing = gensec_have_feature(gensec_security,
553 GENSEC_FEATURE_SIGN_PKT_HEADER);
554 }
555
556 if (p->auth.hdr_signing) {
557 gensec_want_feature(gensec_security,
558 GENSEC_FEATURE_SIGN_PKT_HEADER);
559 }
560
561 status = auth_generic_server_step(gensec_security, mem_ctx,
562 &auth_info->credentials,
563 response);
564 if (!NT_STATUS_IS_OK(status) &&
565 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
566 {
567 DEBUG(2, (__location__ ": "
568 "auth_generic_server_step[%u/%u] failed: %s\n",
569 auth_info->auth_type, auth_info->auth_level,
570 nt_errstr(status)));
571 return false;
572 }
573
574 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
575 return true;
576 }
577
578 status = pipe_auth_verify_final(p);
579 if (!NT_STATUS_IS_OK(status)) {
580 DEBUG(0, ("pipe_auth_verify_final failed: %s\n",
581 nt_errstr(status)));
582 return false;
583 }
584
585 return true;
586 }
587
588 /*******************************************************************
589 Process an NTLMSSP authentication response.
590 If this function succeeds, the user has been authenticated
591 and their domain, name and calling workstation stored in
592 the pipe struct.
593 *******************************************************************/
594
595 static bool pipe_auth_generic_verify_final(TALLOC_CTX *mem_ctx,
596 struct gensec_security *gensec_security,
597 enum dcerpc_AuthLevel auth_level,
598 struct auth_session_info **session_info)
599 {
600 NTSTATUS status;
601 bool ret;
602
603 DEBUG(5, (__location__ ": checking user details\n"));
604
605 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
606 ensure the underlying NTLMSSP flags are also set. If not we should
607 refuse the bind. */
608
609 status = auth_generic_server_check_flags(gensec_security,
610 (auth_level >=
611 DCERPC_AUTH_LEVEL_PACKET),
612 (auth_level ==
613 DCERPC_AUTH_LEVEL_PRIVACY));
614 if (!NT_STATUS_IS_OK(status)) {
615 DEBUG(0, (__location__ ": Client failed to negotatie proper "
616 "security for rpc connection\n"));
617 return false;
618 }
619
620 TALLOC_FREE(*session_info);
621
622 status = auth_generic_server_get_user_info(gensec_security,
623 mem_ctx, session_info);
624 if (!NT_STATUS_IS_OK(status)) {
625 DEBUG(0, (__location__ ": failed to obtain the server info "
626 "for authenticated user: %s\n", nt_errstr(status)));
627 return false;
628 }
629
630 if ((*session_info)->security_token == NULL) {
631 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
632 return false;
633 }
634
635 if ((*session_info)->unix_token == NULL) {
636 DEBUG(1, ("Auth module failed to provide unix_token\n"));
637 return false;
638 }
639
640 /*
641 * We're an authenticated bind over smb, so the session key needs to
642 * be set to "SystemLibraryDTC". Weird, but this is what Windows
643 * does. See the RPC-SAMBA3SESSIONKEY.
644 */
645
646 ret = session_info_set_session_key((*session_info), generic_session_key());
647 if (!ret) {
648 DEBUG(0, ("Failed to set session key!\n"));
649 return false;
650 }
651
652 return true;
653 }
654
655 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
656 {
657 struct gensec_security *gensec_security;
658 bool ok;
659
660 if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
661 p->pipe_bound = true;
662 return NT_STATUS_OK;
663 }
664
665 gensec_security = p->auth.auth_ctx;
666
667 ok = pipe_auth_generic_verify_final(p, gensec_security,
668 p->auth.auth_level,
669 &p->session_info);
670 if (!ok) {
671 return NT_STATUS_ACCESS_DENIED;
672 }
673
674 p->pipe_bound = true;
675
676 return NT_STATUS_OK;
677 }
678
679 /*******************************************************************
680 Respond to a pipe bind request.
681 *******************************************************************/
682
683 static bool api_pipe_bind_req(struct pipes_struct *p,
684 struct ncacn_packet *pkt)
685 {
686 struct dcerpc_auth auth_info = {0};
687 uint16_t assoc_gid;
688 NTSTATUS status;
689 struct ndr_syntax_id id;
690 uint8_t pfc_flags = 0;
691 union dcerpc_payload u;
692 struct dcerpc_ack_ctx bind_ack_ctx;
693 DATA_BLOB auth_resp = data_blob_null;
694 DATA_BLOB auth_blob = data_blob_null;
695 const struct ndr_interface_table *table;
696 const char *secondary_address = NULL;
697
698 if (!p->allow_bind) {
699 DEBUG(2,("Pipe not in allow bind state\n"));
700 return setup_bind_nak(p, pkt);
701 }
702 p->allow_bind = false;
703
704 status = dcerpc_verify_ncacn_packet_header(pkt,
705 DCERPC_PKT_BIND,
706 pkt->u.bind.auth_info.length,
707 0, /* required flags */
708 DCERPC_PFC_FLAG_FIRST |
709 DCERPC_PFC_FLAG_LAST |
710 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
711 0x08 | /* this is not defined, but should be ignored */
712 DCERPC_PFC_FLAG_CONC_MPX |
713 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
714 DCERPC_PFC_FLAG_MAYBE |
715 DCERPC_PFC_FLAG_OBJECT_UUID);
716 if (!NT_STATUS_IS_OK(status)) {
717 DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
718 nt_errstr(status)));
719 NDR_PRINT_DEBUG(ncacn_packet, pkt);
720 goto err_exit;
721 }
722
723 if (pkt->u.bind.num_contexts == 0) {
724 DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n"));
725 goto err_exit;
726 }
727
728 if (pkt->u.bind.ctx_list[0].num_transfer_syntaxes == 0) {
729 DEBUG(1, ("api_pipe_bind_req: no transfer syntaxes around\n"));
730 goto err_exit;
731 }
732
733 /*
734 * Try and find the correct pipe name to ensure
735 * that this is a pipe name we support.
736 */
737 id = pkt->u.bind.ctx_list[0].abstract_syntax;
738
739 table = ndr_table_by_uuid(&id.uuid);
740 if (table == NULL) {
741 DEBUG(0,("unknown interface\n"));
742 return false;
743 }
744
745 if (rpc_srv_pipe_exists_by_id(&id)) {
746 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
747 rpc_srv_get_pipe_cli_name(&id),
748 rpc_srv_get_pipe_srv_name(&id)));
749 } else {
750 status = smb_probe_module(
751 "rpc", dcerpc_default_transport_endpoint(pkt,
752 NCACN_NP, table));
753
754 if (NT_STATUS_IS_ERR(status)) {
755 DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
756 "%s in bind request.\n",
757 ndr_interface_name(&id.uuid,
758 id.if_version)));
759
760 return setup_bind_nak(p, pkt);
761 }
762
763 if (rpc_srv_get_pipe_interface_by_cli_name(
764 dcerpc_default_transport_endpoint(pkt,
765 NCACN_NP, table),
766 &id)) {
767 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
768 rpc_srv_get_pipe_cli_name(&id),
769 rpc_srv_get_pipe_srv_name(&id)));
770 } else {
771 DEBUG(0, ("module %s doesn't provide functions for "
772 "pipe %s!\n",
773 ndr_interface_name(&id.uuid,
774 id.if_version),
775 ndr_interface_name(&id.uuid,
776 id.if_version)));
777 return setup_bind_nak(p, pkt);
778 }
779 }
780
781 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
782
783 if (pkt->u.bind.assoc_group_id != 0) {
784 assoc_gid = pkt->u.bind.assoc_group_id;
785 } else {
786 assoc_gid = 0x53f0;
787 }
788
789 /*
790 * Create the bind response struct.
791 */
792
793 /* If the requested abstract synt uuid doesn't match our client pipe,
794 reject the bind_ack & set the transfer interface synt to all 0's,
795 ver 0 (observed when NT5 attempts to bind to abstract interfaces
796 unknown to NT4)
797 Needed when adding entries to a DACL from NT5 - SK */
798
799 if (check_bind_req(p,
800 &pkt->u.bind.ctx_list[0].abstract_syntax,
801 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
802 pkt->u.bind.ctx_list[0].context_id)) {
803
804 bind_ack_ctx.result = 0;
805 bind_ack_ctx.reason.value = 0;
806 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
807 } else {
808 /* Rejection reason: abstract syntax not supported */
809 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
810 bind_ack_ctx.reason.value = DCERPC_BIND_REASON_ASYNTAX;
811 bind_ack_ctx.syntax = ndr_syntax_id_null;
812 }
813
814 /*
815 * Check if this is an authenticated bind request.
816 */
817 if (pkt->auth_length) {
818 /*
819 * Decode the authentication verifier.
820 */
821 status = dcerpc_pull_auth_trailer(pkt, pkt,
822 &pkt->u.bind.auth_info,
823 &auth_info, NULL, true);
824 if (!NT_STATUS_IS_OK(status)) {
825 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
826 goto err_exit;
827 }
828
829 if (!pipe_auth_generic_bind(p, pkt,
830 &auth_info,
831 table->name,
832 &auth_resp)) {
833 goto err_exit;
834 }
835 } else {
836 TALLOC_CTX *frame = talloc_stackframe();
837 struct auth4_context *auth4_context;
838 const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
839 if (p->transport == NCACN_NP) {
840 transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
841 }
842
843 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
844 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
845 p->auth.auth_context_id = 0;
846
847 status = make_auth4_context(frame, &auth4_context);
848 if (!NT_STATUS_IS_OK(status)) {
849 DEBUG(0, ("Unable to make auth context for authz log.\n"));
850 TALLOC_FREE(frame);
851 goto err_exit;
852 }
853
854 /*
855 * Log the authorization to this RPC interface. This
856 * covered ncacn_np pass-through auth, and anonymous
857 * DCE/RPC (eg epmapper, netlogon etc)
858 */
859 log_successful_authz_event(auth4_context->msg_ctx,
860 auth4_context->lp_ctx,
861 p->remote_address,
862 p->local_address,
863 table->name,
864 derpc_transport_string_by_transport(p->transport),
865 transport_protection,
866 p->session_info);
867 TALLOC_FREE(frame);
868 }
869
870 ZERO_STRUCT(u.bind_ack);
871 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
872 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
873 u.bind_ack.assoc_group_id = assoc_gid;
874
875 switch (p->transport) {
876 case NCACN_IP_TCP:
877 secondary_address = talloc_asprintf(pkt, "%d",
878 tsocket_address_inet_port(p->local_address));
879 break;
880 case NCACN_NP:
881 default:
882 /* name has to be \PIPE\xxxxx */
883 secondary_address =
884 talloc_asprintf(pkt, "\\PIPE\\%s",
885 rpc_srv_get_pipe_srv_name(&id));
886 break;
887 }
888
889 if (secondary_address == NULL) {
890 DEBUG(0, ("Out of memory!\n"));
891 goto err_exit;
892 }
893
894 u.bind_ack.secondary_address = secondary_address;
895 u.bind_ack.secondary_address_size =
896 strlen(u.bind_ack.secondary_address) + 1;
897
898 u.bind_ack.num_results = 1;
899 u.bind_ack.ctx_list = &bind_ack_ctx;
900
901 /* NOTE: We leave the auth_info empty so we can calculate the padding
902 * later and then append the auth_info --simo */
903
904 /*
905 * Marshall directly into the outgoing PDU space. We
906 * must do this as we need to set to the bind response
907 * header and are never sending more than one PDU here.
908 */
909
910 pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
911
912 if (p->auth.hdr_signing) {
913 pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
914 }
915
916 status = dcerpc_push_ncacn_packet(p->mem_ctx,
917 DCERPC_PKT_BIND_ACK,
918 pfc_flags,
919 auth_resp.length,
920 pkt->call_id,
921 &u,
922 &p->out_data.frag);
923 if (!NT_STATUS_IS_OK(status)) {
924 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
925 nt_errstr(status)));
926 goto err_exit;
927 }
928
929 if (auth_resp.length) {
930 status = dcerpc_push_dcerpc_auth(pkt,
931 p->auth.auth_type,
932 p->auth.auth_level,
933 0, /* pad_len */
934 p->auth.auth_context_id,
935 &auth_resp,
936 &auth_blob);
937 if (!NT_STATUS_IS_OK(status)) {
938 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
939 goto err_exit;
940 }
941 }
942
943 /* Now that we have the auth len store it into the right place in
944 * the dcerpc header */
945 dcerpc_set_frag_length(&p->out_data.frag,
946 p->out_data.frag.length + auth_blob.length);
947
948 if (auth_blob.length) {
949
950 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
951 auth_blob.data, auth_blob.length)) {
952 DEBUG(0, ("Append of auth info failed.\n"));
953 goto err_exit;
954 }
955 }
956
957 /*
958 * Setup the lengths for the initial reply.
959 */
960
961 p->out_data.data_sent_length = 0;
962 p->out_data.current_pdu_sent = 0;
963
964 TALLOC_FREE(auth_blob.data);
965
966 if (bind_ack_ctx.result == 0) {
967 p->allow_alter = true;
968 p->allow_auth3 = true;
969 if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
970 status = pipe_auth_verify_final(p);
971 if (!NT_STATUS_IS_OK(status)) {
972 DEBUG(0, ("pipe_auth_verify_final failed: %s\n",
973 nt_errstr(status)));
974 goto err_exit;
975 }
976 }
977 } else {
978 goto err_exit;
979 }
980
981 return True;
982
983 err_exit:
984
985 data_blob_free(&p->out_data.frag);
986 TALLOC_FREE(auth_blob.data);
987 return setup_bind_nak(p, pkt);
988 }
989
990 /*******************************************************************
991 This is the "stage3" response after a bind request and reply.
992 *******************************************************************/
993
994 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
995 {
996 struct dcerpc_auth auth_info;
997 DATA_BLOB response = data_blob_null;
998 struct gensec_security *gensec_security;
999 NTSTATUS status;
1000
1001 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1002
1003 if (!p->allow_auth3) {
1004 DEBUG(1, ("Pipe not in allow auth3 state.\n"));
1005 goto err;
1006 }
1007
1008 status = dcerpc_verify_ncacn_packet_header(pkt,
1009 DCERPC_PKT_AUTH3,
1010 pkt->u.auth3.auth_info.length,
1011 0, /* required flags */
1012 DCERPC_PFC_FLAG_FIRST |
1013 DCERPC_PFC_FLAG_LAST |
1014 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1015 0x08 | /* this is not defined, but should be ignored */
1016 DCERPC_PFC_FLAG_CONC_MPX |
1017 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1018 DCERPC_PFC_FLAG_MAYBE |
1019 DCERPC_PFC_FLAG_OBJECT_UUID);
1020 if (!NT_STATUS_IS_OK(status)) {
1021 DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
1022 nt_errstr(status)));
1023 NDR_PRINT_DEBUG(ncacn_packet, pkt);
1024 goto err;
1025 }
1026
1027 /* We can only finish if the pipe is unbound for now */
1028 if (p->pipe_bound) {
1029 DEBUG(0, (__location__ ": Pipe already bound, "
1030 "AUTH3 not supported!\n"));
1031 goto err;
1032 }
1033
1034 if (pkt->auth_length == 0) {
1035 DEBUG(1, ("No auth field sent for auth3 request!\n"));
1036 goto err;
1037 }
1038
1039 /*
1040 * Decode the authentication verifier response.
1041 */
1042
1043 status = dcerpc_pull_auth_trailer(pkt, pkt,
1044 &pkt->u.auth3.auth_info,
1045 &auth_info, NULL, true);
1046 if (!NT_STATUS_IS_OK(status)) {
1047 DEBUG(1, ("Failed to unmarshall dcerpc_auth.\n"));
1048 goto err;
1049 }
1050
1051 /* We must NEVER look at auth_info->auth_pad_len here,
1052 * as old Samba client code gets it wrong and sends it
1053 * as zero. JRA.
1054 */
1055
1056 if (auth_info.auth_type != p->auth.auth_type) {
1057 DEBUG(1, ("Auth type mismatch! Client sent %d, "
1058 "but auth was started as type %d!\n",
1059 auth_info.auth_type, p->auth.auth_type));
1060 goto err;
1061 }
1062
1063 if (auth_info.auth_level != p->auth.auth_level) {
1064 DEBUG(1, ("Auth level mismatch! Client sent %d, "
1065 "but auth was started as level %d!\n",
1066 auth_info.auth_level, p->auth.auth_level));
1067 goto err;
1068 }
1069
1070 if (auth_info.auth_context_id != p->auth.auth_context_id) {
1071 DEBUG(0, ("Auth context id mismatch! Client sent %u, "
1072 "but auth was started as level %u!\n",
1073 (unsigned)auth_info.auth_context_id,
1074 (unsigned)p->auth.auth_context_id));
1075 goto err;
1076 }
1077
1078 gensec_security = p->auth.auth_ctx;
1079
1080 status = auth_generic_server_step(gensec_security,
1081 pkt, &auth_info.credentials,
1082 &response);
1083
1084 if (NT_STATUS_EQUAL(status,
1085 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1086 response.length) {
1087 DEBUG(1, (__location__ ": This was supposed to be the final "
1088 "leg, but crypto machinery claims a response is "
1089 "needed, aborting auth!\n"));
1090 data_blob_free(&response);
1091 goto err;
1092 }
1093 if (!NT_STATUS_IS_OK(status)) {
1094 DEBUG(2, ("Auth failed (%s)\n", nt_errstr(status)));
1095 goto err;
1096 }
1097
1098 /* Now verify auth was indeed successful and extract server info */
1099 status = pipe_auth_verify_final(p);
1100 if (!NT_STATUS_IS_OK(status)) {
1101 DEBUG(2, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1102 goto err;
1103 }
1104
1105 return true;
1106
1107 err:
1108 p->pipe_bound = false;
1109 p->allow_bind = false;
1110 p->allow_alter = false;
1111 p->allow_auth3 = false;
1112
1113 TALLOC_FREE(p->auth.auth_ctx);
1114 return false;
1115 }
1116
1117 /****************************************************************************
1118 Deal with an alter context call. Can be third part of 3 leg auth request for
1119 SPNEGO calls.
1120 ****************************************************************************/
1121
1122 static bool api_pipe_alter_context(struct pipes_struct *p,
1123 struct ncacn_packet *pkt)
1124 {
1125 struct dcerpc_auth auth_info = {0};
1126 uint16_t assoc_gid;
1127 NTSTATUS status;
1128 union dcerpc_payload u;
1129 struct dcerpc_ack_ctx alter_ack_ctx;
1130 DATA_BLOB auth_resp = data_blob_null;
1131 DATA_BLOB auth_blob = data_blob_null;
1132 struct gensec_security *gensec_security;
1133
1134 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1135
1136 if (!p->allow_alter) {
1137 DEBUG(1, ("Pipe not in allow alter state.\n"));
1138 goto err_exit;
1139 }
1140
1141 status = dcerpc_verify_ncacn_packet_header(pkt,
1142 DCERPC_PKT_ALTER,
1143 pkt->u.alter.auth_info.length,
1144 0, /* required flags */
1145 DCERPC_PFC_FLAG_FIRST |
1146 DCERPC_PFC_FLAG_LAST |
1147 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1148 0x08 | /* this is not defined, but should be ignored */
1149 DCERPC_PFC_FLAG_CONC_MPX |
1150 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1151 DCERPC_PFC_FLAG_MAYBE |
1152 DCERPC_PFC_FLAG_OBJECT_UUID);
1153 if (!NT_STATUS_IS_OK(status)) {
1154 DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
1155 nt_errstr(status)));
1156 NDR_PRINT_DEBUG(ncacn_packet, pkt);
1157 goto err_exit;
1158 }
1159
1160 if (pkt->u.alter.num_contexts == 0) {
1161 DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n"));
1162 goto err_exit;
1163 }
1164
1165 if (pkt->u.alter.ctx_list[0].num_transfer_syntaxes == 0) {
1166 DEBUG(1, ("api_pipe_alter_context: no transfer syntaxes around\n"));
1167 goto err_exit;
1168 }
1169
1170 if (pkt->u.alter.assoc_group_id != 0) {
1171 assoc_gid = pkt->u.alter.assoc_group_id;
1172 } else {
1173 assoc_gid = 0x53f0;
1174 }
1175
1176 /*
1177 * Create the bind response struct.
1178 */
1179
1180 /* If the requested abstract synt uuid doesn't match our client pipe,
1181 reject the alter_ack & set the transfer interface synt to all 0's,
1182 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1183 unknown to NT4)
1184 Needed when adding entries to a DACL from NT5 - SK */
1185
1186 if (check_bind_req(p,
1187 &pkt->u.alter.ctx_list[0].abstract_syntax,
1188 &pkt->u.alter.ctx_list[0].transfer_syntaxes[0],
1189 pkt->u.alter.ctx_list[0].context_id)) {
1190
1191 alter_ack_ctx.result = 0;
1192 alter_ack_ctx.reason.value = 0;
1193 alter_ack_ctx.syntax = pkt->u.alter.ctx_list[0].transfer_syntaxes[0];
1194 } else {
1195 /* Rejection reason: abstract syntax not supported */
1196 alter_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1197 alter_ack_ctx.reason.value = DCERPC_BIND_REASON_ASYNTAX;
1198 alter_ack_ctx.syntax = ndr_syntax_id_null;
1199 }
1200
1201 /*
1202 * Check if this is an authenticated alter context request.
1203 */
1204 if (pkt->auth_length) {
1205 /* We can only finish if the pipe is unbound for now */
1206 if (p->pipe_bound) {
1207 DEBUG(0, (__location__ ": Pipe already bound, "
1208 "Altering Context not yet supported!\n"));
1209 goto err_exit;
1210 }
1211
1212 status = dcerpc_pull_auth_trailer(pkt, pkt,
1213 &pkt->u.alter.auth_info,
1214 &auth_info, NULL, true);
1215 if (!NT_STATUS_IS_OK(status)) {
1216 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1217 goto err_exit;
1218 }
1219
1220 if (auth_info.auth_type != p->auth.auth_type) {
1221 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1222 "but auth was started as type %d!\n",
1223 auth_info.auth_type, p->auth.auth_type));
1224 goto err_exit;
1225 }
1226
1227 if (auth_info.auth_level != p->auth.auth_level) {
1228 DEBUG(0, ("Auth level mismatch! Client sent %d, "
1229 "but auth was started as level %d!\n",
1230 auth_info.auth_level, p->auth.auth_level));
1231 goto err_exit;
1232 }
1233
1234 if (auth_info.auth_context_id != p->auth.auth_context_id) {
1235 DEBUG(0, ("Auth context id mismatch! Client sent %u, "
1236 "but auth was started as level %u!\n",
1237 (unsigned)auth_info.auth_context_id,
1238 (unsigned)p->auth.auth_context_id));
1239 goto err_exit;
1240 }
1241
1242 gensec_security = p->auth.auth_ctx;
1243 status = auth_generic_server_step(gensec_security,
1244 pkt,
1245 &auth_info.credentials,
1246 &auth_resp);
1247 if (NT_STATUS_IS_OK(status)) {
1248 /* third leg of auth, verify auth info */
1249 status = pipe_auth_verify_final(p);
1250 if (!NT_STATUS_IS_OK(status)) {
1251 DEBUG(0, ("Auth Verify failed (%s)\n",
1252 nt_errstr(status)));
1253 goto err_exit;
1254 }
1255 } else if (NT_STATUS_EQUAL(status,
1256 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1257 DEBUG(10, ("More auth legs required.\n"));
1258 } else {
1259 DEBUG(0, ("Auth step returned an error (%s)\n",
1260 nt_errstr(status)));
1261 goto err_exit;
1262 }
1263 }
1264
1265 ZERO_STRUCT(u.alter_resp);
1266 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1267 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1268 u.alter_resp.assoc_group_id = assoc_gid;
1269
1270 /* secondary address CAN be NULL
1271 * as the specs say it's ignored.
1272 * It MUST be NULL to have the spoolss working.
1273 */
1274 u.alter_resp.secondary_address = "";
1275 u.alter_resp.secondary_address_size = 1;
1276
1277 u.alter_resp.num_results = 1;
1278 u.alter_resp.ctx_list = &alter_ack_ctx;
1279
1280 /* NOTE: We leave the auth_info empty so we can calculate the padding
1281 * later and then append the auth_info --simo */
1282
1283 /*
1284 * Marshall directly into the outgoing PDU space. We
1285 * must do this as we need to set to the bind response
1286 * header and are never sending more than one PDU here.
1287 */
1288
1289 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1290 DCERPC_PKT_ALTER_RESP,
1291 DCERPC_PFC_FLAG_FIRST |
1292 DCERPC_PFC_FLAG_LAST,
1293 auth_resp.length,
1294 pkt->call_id,
1295 &u,
1296 &p->out_data.frag);
1297 if (!NT_STATUS_IS_OK(status)) {
1298 DEBUG(0, ("Failed to marshall alter_resp packet. (%s)\n",
1299 nt_errstr(status)));
1300 goto err_exit;
1301 }
1302
1303 if (auth_resp.length) {
1304 status = dcerpc_push_dcerpc_auth(pkt,
1305 p->auth.auth_type,
1306 p->auth.auth_level,
1307 0, /* pad_len */
1308 p->auth.auth_context_id,
1309 &auth_resp,
1310 &auth_blob);
1311 if (!NT_STATUS_IS_OK(status)) {
1312 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1313 goto err_exit;
1314 }
1315 }
1316
1317 /* Now that we have the auth len store it into the right place in
1318 * the dcerpc header */
1319 dcerpc_set_frag_length(&p->out_data.frag,
1320 p->out_data.frag.length +
1321 auth_blob.length);
1322
1323 if (auth_resp.length) {
1324 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1325 auth_blob.data, auth_blob.length)) {
1326 DEBUG(0, ("Append of auth info failed.\n"));
1327 goto err_exit;
1328 }
1329 }
1330
1331 /*
1332 * Setup the lengths for the initial reply.
1333 */
1334
1335 p->out_data.data_sent_length = 0;
1336 p->out_data.current_pdu_sent = 0;
1337
1338 TALLOC_FREE(auth_blob.data);
1339 return True;
1340
1341 err_exit:
1342
1343 data_blob_free(&p->out_data.frag);
1344 TALLOC_FREE(auth_blob.data);
1345 return setup_bind_nak(p, pkt);
1346 }
1347
1348 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1349 const struct api_struct *api_rpc_cmds, int n_cmds,
1350 const struct ndr_syntax_id *syntax);
1351
1352 static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
1353 struct ncacn_packet *pkt,
1354 struct pipe_rpc_fns *pipe_fns)
1355 {
1356 TALLOC_CTX *frame = talloc_stackframe();
1357 struct dcerpc_sec_verification_trailer *vt = NULL;
1358 const uint32_t bitmask1 =
1359 p->auth.client_hdr_signing ? DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
1360 const struct dcerpc_sec_vt_pcontext pcontext = {
1361 .abstract_syntax = pipe_fns->syntax,
1362 .transfer_syntax = ndr_transfer_syntax_ndr,
1363 };
1364 const struct dcerpc_sec_vt_header2 header2 =
1365 dcerpc_sec_vt_header2_from_ncacn_packet(pkt);
1366 struct ndr_pull *ndr;
1367 enum ndr_err_code ndr_err;
1368 bool ret = false;
1369
1370 ndr = ndr_pull_init_blob(&p->in_data.data, frame);
1371 if (ndr == NULL) {
1372 goto done;
1373 }
1374
1375 ndr_err = ndr_pop_dcerpc_sec_verification_trailer(ndr, frame, &vt);
1376 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1377 goto done;
1378 }
1379
1380 ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
1381 &pcontext, &header2);
1382 done:
1383 TALLOC_FREE(frame);
1384 return ret;
1385 }
1386
1387 /****************************************************************************
1388 Find the correct RPC function to call for this request.
1389 If the pipe is authenticated then become the correct UNIX user
1390 before doing the call.
1391 ****************************************************************************/
1392
1393 static bool api_pipe_request(struct pipes_struct *p,
1394 struct ncacn_packet *pkt)
1395 {
1396 TALLOC_CTX *frame = talloc_stackframe();
1397 bool ret = False;
1398 struct pipe_rpc_fns *pipe_fns;
1399 const char *interface_name = NULL;
1400
1401 if (!p->pipe_bound) {
1402 DEBUG(1, ("Pipe not bound!\n"));
1403 data_blob_free(&p->out_data.rdata);
1404 TALLOC_FREE(frame);
1405 return false;
1406 }
1407
1408 /* get the set of RPC functions for this context */
1409 pipe_fns = find_pipe_fns_by_context(p->contexts,
1410 pkt->u.request.context_id);
1411 if (pipe_fns == NULL) {
1412 DEBUG(0, ("No rpc function table associated with context "
1413 "[%d]\n",
1414 pkt->u.request.context_id));
1415 data_blob_free(&p->out_data.rdata);
1416 TALLOC_FREE(frame);
1417 return false;
1418 }
1419
1420 interface_name = ndr_interface_name(&pipe_fns->syntax.uuid,
1421 pipe_fns->syntax.if_version);
1422 SMB_ASSERT(interface_name != NULL);
1423
1424 if (p->auth.auth_level < pipe_fns->min_auth_level) {
1425
1426 DEBUG(1, ("%s: auth level required for %s: 0x%x, got: 0x%0x\n",
1427 __func__, interface_name,
1428 pipe_fns->min_auth_level,
1429 p->auth.auth_level));
1430
1431 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
1432 TALLOC_FREE(frame);
1433 return true;
1434 }
1435
1436 switch (p->auth.auth_level) {
1437 case DCERPC_AUTH_LEVEL_NONE:
1438 case DCERPC_AUTH_LEVEL_PACKET:
1439 case DCERPC_AUTH_LEVEL_INTEGRITY:
1440 case DCERPC_AUTH_LEVEL_PRIVACY:
1441 break;
1442 default:
1443 if (!pipe_fns->allow_connect) {
1444 char *addr;
1445
1446 addr = tsocket_address_string(p->remote_address, frame);
1447
1448 DEBUG(1, ("%s: restrict auth_level_connect access "
1449 "to [%s] with auth[type=0x%x,level=0x%x] "
1450 "on [%s] from [%s]\n",
1451 __func__, interface_name,
1452 p->auth.auth_type,
1453 p->auth.auth_level,
1454 derpc_transport_string_by_transport(p->transport),
1455 addr));
1456
1457 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
1458 TALLOC_FREE(frame);
1459 return true;
1460 }
1461 break;
1462 }
1463
1464 if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
1465 DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
1466 set_incoming_fault(p);
1467 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
1468 data_blob_free(&p->out_data.rdata);
1469 TALLOC_FREE(frame);
1470 return true;
1471 }
1472
1473 if (!become_authenticated_pipe_user(p->session_info)) {
1474 DEBUG(1, ("Failed to become pipe user!\n"));
1475 data_blob_free(&p->out_data.rdata);
1476 TALLOC_FREE(frame);
1477 return false;
1478 }
1479
1480 DEBUG(5, ("Requested %s rpc service\n", interface_name));
1481
1482 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
1483 &pipe_fns->syntax);
1484 unbecome_authenticated_pipe_user();
1485
1486 TALLOC_FREE(frame);
1487 return ret;
1488 }
1489
1490 /*******************************************************************
1491 Calls the underlying RPC function for a named pipe.
1492 ********************************************************************/
1493
1494 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1495 const struct api_struct *api_rpc_cmds, int n_cmds,
1496 const struct ndr_syntax_id *syntax)
1497 {
1498 int fn_num;
1499 uint32_t offset1;
1500 const struct ndr_interface_table *table;
1501
1502 /* interpret the command */
1503 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1504 ndr_interface_name(&syntax->uuid, syntax->if_version),
1505 pkt->u.request.opnum));
1506
1507 table = ndr_table_by_uuid(&syntax->uuid);
1508 if (table == NULL) {
1509 DEBUG(0,("unknown interface\n"));
1510 return false;
1511 }
1512
1513 if (DEBUGLEVEL >= 50) {
1514 fstring name;
1515 slprintf(name, sizeof(name)-1, "in_%s",
1516 dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
1517 dump_pdu_region(name, pkt->u.request.opnum,
1518 &p->in_data.data, 0,
1519 p->in_data.data.length);
1520 }
1521
1522 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1523 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1524 api_rpc_cmds[fn_num].fn != NULL) {
1525 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1526 api_rpc_cmds[fn_num].name));
1527 break;
1528 }
1529 }
1530
1531 if (fn_num == n_cmds) {
1532 /*
1533 * For an unknown RPC just return a fault PDU but
1534 * return True to allow RPC's on the pipe to continue
1535 * and not put the pipe into fault state. JRA.
1536 */
1537 DEBUG(4, ("unknown\n"));
1538 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1539 return True;
1540 }
1541
1542 offset1 = p->out_data.rdata.length;
1543
1544 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1545 fn_num, api_rpc_cmds[fn_num].fn));
1546 /* do the actual command */
1547 if(!api_rpc_cmds[fn_num].fn(p)) {
1548 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1549 ndr_interface_name(&syntax->uuid, syntax->if_version),
1550 api_rpc_cmds[fn_num].name));
1551 data_blob_free(&p->out_data.rdata);
1552 return False;
1553 }
1554
1555 if (p->fault_state) {
1556 DEBUG(4,("api_rpcTNP: fault(%d) return.\n", p->fault_state));
1557 setup_fault_pdu(p, NT_STATUS(p->fault_state));
1558 p->fault_state = 0;
1559 return true;
1560 }
1561
1562 if (DEBUGLEVEL >= 50) {
1563 fstring name;
1564 slprintf(name, sizeof(name)-1, "out_%s",
1565 dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
1566 dump_pdu_region(name, pkt->u.request.opnum,
1567 &p->out_data.rdata, offset1,
1568 p->out_data.rdata.length);
1569 }
1570
1571 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1572 ndr_interface_name(&syntax->uuid, syntax->if_version)));
1573
1574 /* Check for buffer underflow in rpc parsing */
1575 if ((DEBUGLEVEL >= 10) &&
1576 (pkt->frag_length < p->in_data.data.length)) {
1577 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1578 dump_data(10, p->in_data.data.data + pkt->frag_length,
1579 p->in_data.data.length - pkt->frag_length);
1580 }
1581
1582 return True;
1583 }
1584
1585 /****************************************************************************
1586 Initialise an outgoing packet.
1587 ****************************************************************************/
1588
1589 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1590 {
1591 output_data *o_data = &p->out_data;
1592
1593 /* Reset the offset counters. */
1594 o_data->data_sent_length = 0;
1595 o_data->current_pdu_sent = 0;
1596
1597 data_blob_free(&o_data->frag);
1598
1599 /* Free any memory in the current return data buffer. */
1600 data_blob_free(&o_data->rdata);
1601
1602 return True;
1603 }
1604
1605 /****************************************************************************
1606 Sets the fault state on incoming packets.
1607 ****************************************************************************/
1608
1609 void set_incoming_fault(struct pipes_struct *p)
1610 {
1611 data_blob_free(&p->in_data.data);
1612 p->in_data.pdu_needed_len = 0;
1613 p->in_data.pdu.length = 0;
1614 p->fault_state = DCERPC_NCA_S_PROTO_ERROR;
1615
1616 p->allow_alter = false;
1617 p->allow_auth3 = false;
1618 p->pipe_bound = false;
1619
1620 DEBUG(10, ("Setting fault state\n"));
1621 }
1622
1623 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1624 struct ncacn_packet *pkt,
1625 DATA_BLOB *raw_pkt)
1626 {
1627 NTSTATUS status;
1628 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1629
1630 DEBUG(10, ("Checking request auth.\n"));
1631
1632 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1633 hdr_size += 16;
1634 }
1635
1636 /* in case of sealing this function will unseal the data in place */
1637 status = dcerpc_check_auth(auth, pkt,
1638 &pkt->u.request.stub_and_verifier,
1639 hdr_size, raw_pkt);
1640 if (!NT_STATUS_IS_OK(status)) {
1641 return status;
1642 }
1643
1644 return NT_STATUS_OK;
1645 }
1646
1647 /****************************************************************************
1648 Processes a request pdu. This will do auth processing if needed, and
1649 appends the data into the complete stream if the LAST flag is not set.
1650 ****************************************************************************/
1651
1652 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1653 {
1654 NTSTATUS status;
1655 DATA_BLOB data;
1656 struct dcerpc_sec_vt_header2 hdr2;
1657
1658 if (!p->pipe_bound) {
1659 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1660 set_incoming_fault(p);
1661 return False;
1662 }
1663
1664 /*
1665 * We don't ignore DCERPC_PFC_FLAG_PENDING_CANCEL.
1666 * TODO: we can reject it with DCERPC_FAULT_NO_CALL_ACTIVE later.
1667 */
1668 status = dcerpc_verify_ncacn_packet_header(pkt,
1669 DCERPC_PKT_REQUEST,
1670 pkt->u.request.stub_and_verifier.length,
1671 0, /* required_flags */
1672 DCERPC_PFC_FLAG_FIRST |
1673 DCERPC_PFC_FLAG_LAST |
1674 0x08 | /* this is not defined, but should be ignored */
1675 DCERPC_PFC_FLAG_CONC_MPX |
1676 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1677 DCERPC_PFC_FLAG_MAYBE |
1678 DCERPC_PFC_FLAG_OBJECT_UUID);
1679 if (!NT_STATUS_IS_OK(status)) {
1680 DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
1681 nt_errstr(status)));
1682 NDR_PRINT_DEBUG(ncacn_packet, pkt);
1683 set_incoming_fault(p);
1684 return false;
1685 }
1686
1687 hdr2 = dcerpc_sec_vt_header2_from_ncacn_packet(pkt);
1688 if (pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST) {
1689 p->header2 = hdr2;
1690 } else {
1691 if (!dcerpc_sec_vt_header2_equal(&hdr2, &p->header2)) {
1692 set_incoming_fault(p);
1693 return false;
1694 }
1695 }
1696
1697 /* Store the opnum */
1698 p->opnum = pkt->u.request.opnum;
1699
1700 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1701 if (!NT_STATUS_IS_OK(status)) {
1702 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1703 nt_errstr(status)));
1704 set_incoming_fault(p);
1705 return false;
1706 }
1707
1708 data = pkt->u.request.stub_and_verifier;
1709
1710 /*
1711 * Check the data length doesn't go over the 15Mb limit.
1712 * increased after observing a bug in the Windows NT 4.0 SP6a
1713 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1714 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1715 */
1716
1717 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1718 DEBUG(0, ("process_request_pdu: "
1719 "rpc data buffer too large (%u) + (%u)\n",
1720 (unsigned int)p->in_data.data.length,
1721 (unsigned int)data.length));
1722 set_incoming_fault(p);
1723 return False;
1724 }
1725
1726 /*
1727 * Append the data portion into the buffer and return.
1728 */
1729
1730 if (data.length) {
1731 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1732 data.data, data.length)) {
1733 DEBUG(0, ("Unable to append data size %u "
1734 "to parse buffer of size %u.\n",
1735 (unsigned int)data.length,
1736 (unsigned int)p->in_data.data.length));
1737 set_incoming_fault(p);
1738 return False;
1739 }
1740 }
1741
1742 if (!(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
1743 return true;
1744 }
1745
1746 /*
1747 * Ok - we finally have a complete RPC stream.
1748 * Call the rpc command to process it.
1749 */
1750
1751 return api_pipe_request(p, pkt);
1752 }
1753
1754 void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1755 {
1756 bool reply = false;
1757
1758 /* Store the call_id */
1759 p->call_id = pkt->call_id;
1760
1761 DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
1762
1763 if (!pipe_init_outgoing_data(p)) {
1764 goto done;
1765 }
1766
1767 switch (pkt->ptype) {
1768 case DCERPC_PKT_REQUEST:
1769 reply = process_request_pdu(p, pkt);
1770 break;
1771
1772 case DCERPC_PKT_PING: /* CL request - ignore... */
1773 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1774 (unsigned int)pkt->ptype));
1775 break;
1776
1777 case DCERPC_PKT_RESPONSE: /* No responses here. */
1778 DEBUG(0, ("Error - DCERPC_PKT_RESPONSE received from client"));
1779 break;
1780
1781 case DCERPC_PKT_FAULT:
1782 case DCERPC_PKT_WORKING:
1783 /* CL request - reply to a ping when a call in process. */
1784 case DCERPC_PKT_NOCALL:
1785 /* CL - server reply to a ping call. */
1786 case DCERPC_PKT_REJECT:
1787 case DCERPC_PKT_ACK:
1788 case DCERPC_PKT_CL_CANCEL:
1789 case DCERPC_PKT_FACK:
1790 case DCERPC_PKT_CANCEL_ACK:
1791 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1792 (unsigned int)pkt->ptype));
1793 break;
1794
1795 case DCERPC_PKT_BIND:
1796 /*
1797 * We assume that a pipe bind is only in one pdu.
1798 */
1799 reply = api_pipe_bind_req(p, pkt);
1800 break;
1801
1802 case DCERPC_PKT_BIND_ACK:
1803 case DCERPC_PKT_BIND_NAK:
1804 DEBUG(0, ("Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1805 "packet type %u received.\n",
1806 (unsigned int)pkt->ptype));
1807 break;
1808
1809
1810 case DCERPC_PKT_ALTER:
1811 /*
1812 * We assume that a pipe bind is only in one pdu.
1813 */
1814 reply = api_pipe_alter_context(p, pkt);
1815 break;
1816
1817 case DCERPC_PKT_ALTER_RESP:
1818 DEBUG(0, ("Error - DCERPC_PKT_ALTER_RESP received: "
1819 "Should only be server -> client.\n"));
1820 break;
1821
1822 case DCERPC_PKT_AUTH3:
1823 /*
1824 * The third packet in an auth exchange.
1825 */
1826 reply = api_pipe_bind_auth3(p, pkt);
1827 break;
1828
1829 case DCERPC_PKT_SHUTDOWN:
1830 DEBUG(0, ("Error - DCERPC_PKT_SHUTDOWN received: "
1831 "Should only be server -> client.\n"));
1832 break;
1833
1834 case DCERPC_PKT_CO_CANCEL:
1835 /* For now just free all client data and continue
1836 * processing. */
1837 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1838 " Abandoning rpc call.\n"));
1839 /* As we never do asynchronous RPC serving, we can
1840 * never cancel a call (as far as I know).
1841 * If we ever did we'd have to send a cancel_ack reply.
1842 * For now, just free all client data and continue
1843 * processing. */
1844 reply = True;
1845 break;
1846
1847 #if 0
1848 /* Enable this if we're doing async rpc. */
1849 /* We must check the outstanding callid matches. */
1850 if (pipe_init_outgoing_data(p)) {
1851 /* Send a cancel_ack PDU reply. */
1852 /* We should probably check the auth-verifier here. */
1853 reply = setup_cancel_ack_reply(p, pkt);
1854 }
1855 break;
1856 #endif
1857
1858 case DCERPC_PKT_ORPHANED:
1859 /* We should probably check the auth-verifier here.
1860 * For now just free all client data and continue
1861 * processing. */
1862 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1863 " Abandoning rpc call.\n"));
1864 reply = True;
1865 break;
1866
1867 default:
1868 DEBUG(0, ("process_complete_pdu: "
1869 "Unknown rpc type = %u received.\n",
1870 (unsigned int)pkt->ptype));
1871 break;
1872 }
1873
1874 done:
1875 if (!reply) {
1876 DEBUG(3,("DCE/RPC fault sent!"));
1877 set_incoming_fault(p);
1878 setup_fault_pdu(p, NT_STATUS(DCERPC_NCA_S_PROTO_ERROR));
1879 }
1880 /* pkt and p->in_data.pdu.data freed by caller */
1881 }
1882
Samba GIT mirror