CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet()
[Samba.git] / source3 / rpc_client / cli_winreg_int.c
blobc65353a952aaacd1496092695647dddfdb936e9d
1 /*
2 * Unix SMB/CIFS implementation.
4 * WINREG internal client routines
6 * Copyright (c) 2011 Andreas Schneider <asn@samba.org>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "includes.h"
23 #include "include/registry.h"
24 #include "librpc/gen_ndr/ndr_winreg_c.h"
25 #include "rpc_client/cli_winreg_int.h"
26 #include "rpc_server/rpc_ncacn_np.h"
27 #include "../lib/tsocket/tsocket.h"
29 /**
30 * Split path into hive name and subkeyname
31 * normalizations performed:
32 * - if the path contains no '\\' characters,
33 * assume that the legacy format of using '/'
34 * as a separator is used and convert '/' to '\\'
35 * - strip trailing '\\' chars
37 static WERROR _split_hive_key(TALLOC_CTX *mem_ctx,
38 const char *path,
39 char **hivename,
40 char **subkeyname)
42 char *p;
43 const char *tmp_subkeyname;
45 if ((path == NULL) || (hivename == NULL) || (subkeyname == NULL)) {
46 return WERR_INVALID_PARAM;
49 if (strlen(path) == 0) {
50 return WERR_INVALID_PARAM;
53 if (strchr(path, '\\') == NULL) {
54 *hivename = talloc_string_sub(mem_ctx, path, "/", "\\");
55 } else {
56 *hivename = talloc_strdup(mem_ctx, path);
59 if (*hivename == NULL) {
60 return WERR_NOMEM;
63 /* strip trailing '\\' chars */
64 p = strrchr(*hivename, '\\');
65 while ((p != NULL) && (p[1] == '\0')) {
66 *p = '\0';
67 p = strrchr(*hivename, '\\');
70 p = strchr(*hivename, '\\');
72 if ((p == NULL) || (*p == '\0')) {
73 /* just the hive - no subkey given */
74 tmp_subkeyname = "";
75 } else {
76 *p = '\0';
77 tmp_subkeyname = p+1;
79 *subkeyname = talloc_strdup(mem_ctx, tmp_subkeyname);
80 if (*subkeyname == NULL) {
81 return WERR_NOMEM;
84 return WERR_OK;
87 static NTSTATUS _winreg_int_openkey(TALLOC_CTX *mem_ctx,
88 const struct auth_session_info *session_info,
89 struct messaging_context *msg_ctx,
90 struct dcerpc_binding_handle **h,
91 uint32_t reg_type,
92 const char *key,
93 bool create_key,
94 uint32_t access_mask,
95 struct policy_handle *hive_handle,
96 struct policy_handle *key_handle,
97 WERROR *pwerr)
99 struct tsocket_address *local;
100 struct dcerpc_binding_handle *binding_handle;
101 struct winreg_String wkey, wkeyclass;
102 NTSTATUS status;
103 WERROR result = WERR_OK;
104 int rc;
106 rc = tsocket_address_inet_from_strings(mem_ctx,
107 "ip",
108 "127.0.0.1",
110 &local);
111 if (rc < 0) {
112 return NT_STATUS_NO_MEMORY;
115 status = rpcint_binding_handle(mem_ctx,
116 &ndr_table_winreg,
117 local,
118 session_info,
119 msg_ctx,
120 &binding_handle);
121 if (!NT_STATUS_IS_OK(status)) {
122 DEBUG(0, ("dcerpc_winreg_int_openkey: Could not connect to winreg pipe: %s\n",
123 nt_errstr(status)));
124 return status;
127 switch (reg_type) {
128 case HKEY_LOCAL_MACHINE:
129 status = dcerpc_winreg_OpenHKLM(binding_handle,
130 mem_ctx,
131 NULL,
132 access_mask,
133 hive_handle,
134 &result);
135 break;
136 case HKEY_CLASSES_ROOT:
137 status = dcerpc_winreg_OpenHKCR(binding_handle,
138 mem_ctx,
139 NULL,
140 access_mask,
141 hive_handle,
142 &result);
143 break;
144 case HKEY_USERS:
145 status = dcerpc_winreg_OpenHKU(binding_handle,
146 mem_ctx,
147 NULL,
148 access_mask,
149 hive_handle,
150 &result);
151 break;
152 case HKEY_CURRENT_USER:
153 status = dcerpc_winreg_OpenHKCU(binding_handle,
154 mem_ctx,
155 NULL,
156 access_mask,
157 hive_handle,
158 &result);
159 break;
160 case HKEY_PERFORMANCE_DATA:
161 status = dcerpc_winreg_OpenHKPD(binding_handle,
162 mem_ctx,
163 NULL,
164 access_mask,
165 hive_handle,
166 &result);
167 break;
168 default:
169 result = WERR_INVALID_PARAMETER;
170 status = NT_STATUS_OK;
172 if (!NT_STATUS_IS_OK(status)) {
173 talloc_free(binding_handle);
174 return status;
176 if (!W_ERROR_IS_OK(result)) {
177 talloc_free(binding_handle);
178 *pwerr = result;
179 return status;
182 ZERO_STRUCT(wkey);
183 wkey.name = key;
185 if (create_key) {
186 enum winreg_CreateAction action = REG_ACTION_NONE;
188 ZERO_STRUCT(wkeyclass);
189 wkeyclass.name = "";
191 status = dcerpc_winreg_CreateKey(binding_handle,
192 mem_ctx,
193 hive_handle,
194 wkey,
195 wkeyclass,
197 access_mask,
198 NULL,
199 key_handle,
200 &action,
201 &result);
202 switch (action) {
203 case REG_ACTION_NONE:
204 DEBUG(8, ("dcerpc_winreg_int_openkey: createkey"
205 " did nothing -- huh?\n"));
206 break;
207 case REG_CREATED_NEW_KEY:
208 DEBUG(8, ("dcerpc_winreg_int_openkey: createkey"
209 " created %s\n", key));
210 break;
211 case REG_OPENED_EXISTING_KEY:
212 DEBUG(8, ("dcerpc_winreg_int_openkey: createkey"
213 " opened existing %s\n", key));
214 break;
216 } else {
217 status = dcerpc_winreg_OpenKey(binding_handle,
218 mem_ctx,
219 hive_handle,
220 wkey,
222 access_mask,
223 key_handle,
224 &result);
226 if (!NT_STATUS_IS_OK(status)) {
227 talloc_free(binding_handle);
228 return status;
230 if (!W_ERROR_IS_OK(result)) {
231 talloc_free(binding_handle);
232 *pwerr = result;
233 return status;
236 *h = binding_handle;
238 return status;
241 NTSTATUS dcerpc_winreg_int_openkey(TALLOC_CTX *mem_ctx,
242 const struct auth_session_info *server_info,
243 struct messaging_context *msg_ctx,
244 struct dcerpc_binding_handle **h,
245 const char *key,
246 bool create_key,
247 uint32_t access_mask,
248 struct policy_handle *hive_handle,
249 struct policy_handle *key_handle,
250 WERROR *pwerr)
252 char *hivename = NULL;
253 char *subkey = NULL;
254 uint32_t reg_type;
255 WERROR result;
257 result = _split_hive_key(mem_ctx, key, &hivename, &subkey);
258 if (!W_ERROR_IS_OK(result)) {
259 *pwerr = result;
260 return NT_STATUS_OK;
263 if (strequal(hivename, "HKLM") ||
264 strequal(hivename, "HKEY_LOCAL_MACHINE")) {
265 reg_type = HKEY_LOCAL_MACHINE;
266 } else if (strequal(hivename, "HKCR") ||
267 strequal(hivename, "HKEY_CLASSES_ROOT")) {
268 reg_type = HKEY_CLASSES_ROOT;
269 } else if (strequal(hivename, "HKU") ||
270 strequal(hivename, "HKEY_USERS")) {
271 reg_type = HKEY_USERS;
272 } else if (strequal(hivename, "HKCU") ||
273 strequal(hivename, "HKEY_CURRENT_USER")) {
274 reg_type = HKEY_CURRENT_USER;
275 } else if (strequal(hivename, "HKPD") ||
276 strequal(hivename, "HKEY_PERFORMANCE_DATA")) {
277 reg_type = HKEY_PERFORMANCE_DATA;
278 } else {
279 DEBUG(10,("dcerpc_winreg_int_openkey: unrecognised hive key %s\n",
280 key));
281 *pwerr = WERR_INVALID_PARAMETER;
282 return NT_STATUS_OK;
285 return _winreg_int_openkey(mem_ctx,
286 server_info,
287 msg_ctx,
289 reg_type,
290 key,
291 create_key,
292 access_mask,
293 hive_handle,
294 key_handle,
295 pwerr);
298 NTSTATUS dcerpc_winreg_int_hklm_openkey(TALLOC_CTX *mem_ctx,
299 const struct auth_session_info *server_info,
300 struct messaging_context *msg_ctx,
301 struct dcerpc_binding_handle **h,
302 const char *key,
303 bool create_key,
304 uint32_t access_mask,
305 struct policy_handle *hive_handle,
306 struct policy_handle *key_handle,
307 WERROR *pwerr)
309 return _winreg_int_openkey(mem_ctx,
310 server_info,
311 msg_ctx,
313 HKEY_LOCAL_MACHINE,
314 key,
315 create_key,
316 access_mask,
317 hive_handle,
318 key_handle,
319 pwerr);
322 /* vim: set ts=8 sw=8 noet cindent syntax=c.doxygen: */