search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: RPC: Don't crash on trying to talloc_free(-1) if smb_iconv_open_ex() fails.
[Samba.git] / source3 / rpc_server / srv_pipe.c
blob3bc291fb0c98ad3038a4e6e1c29d447b25f512cf
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_dcerpc.h"
34 #include "../librpc/rpc/rpc_common.h"
35 #include "dcesrv_auth_generic.h"
36 #include "rpc_server.h"
37 #include "rpc_dce.h"
38 #include "smbd/smbd.h"
39 #include "auth.h"
40 #include "ntdomain.h"
41 #include "rpc_server/srv_pipe.h"
42 #include "rpc_server/rpc_contexts.h"
43 #include "lib/param/param.h"
44 #include "librpc/ndr/ndr_table.h"
45 #include "auth/gensec/gensec.h"
46 #include "librpc/ndr/ndr_dcerpc.h"
47 #include "lib/tsocket/tsocket.h"
48 #include "../librpc/gen_ndr/ndr_samr.h"
49 #include "../librpc/gen_ndr/ndr_lsa.h"
50 #include "../librpc/gen_ndr/ndr_netlogon.h"
51 #include "../librpc/gen_ndr/ndr_epmapper.h"
52 #include "../librpc/gen_ndr/ndr_echo.h"
53 #include "../librpc/gen_ndr/ndr_winspool.h"
54
55 #undef DBGC_CLASS
56 #define DBGC_CLASS DBGC_RPC_SRV
57
58 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p);
59
60 /**
61 * Dump everything from the start of the end up of the provided data
62 * into a file, but only at debug level >= 50
63 **/
64 static void dump_pdu_region(const char *name, int v,
65 DATA_BLOB *data, size_t start, size_t end)
66 {
67 int fd, i;
68 char *fname = NULL;
69 ssize_t sz;
70
71 if (DEBUGLEVEL < 50) return;
72
73 if (start > data->length || end > data->length || start > end) return;
74
75 for (i = 1; i < 100; i++) {
76 if (v != -1) {
77 fname = talloc_asprintf(talloc_tos(),
78 "/tmp/%s_%d.%d.prs",
79 name, v, i);
80 } else {
81 fname = talloc_asprintf(talloc_tos(),
82 "/tmp/%s_%d.prs",
83 name, i);
84 }
85 if (!fname) {
86 return;
87 }
88 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
89 if (fd != -1 || errno != EEXIST) break;
90 }
91 if (fd != -1) {
92 sz = write(fd, data->data + start, end - start);
93 i = close(fd);
94 if ((sz != end - start) || (i != 0) ) {
95 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
96 fname, (unsigned long)sz,
97 (unsigned long)end - start, i));
98 } else {
99 DEBUG(0,("created %s\n", fname));
100 }
101 }
102 TALLOC_FREE(fname);
103 }
104
105 static DATA_BLOB generic_session_key(void)
106 {
107 return data_blob_const("SystemLibraryDTC", 16);
108 }
109
110 /*******************************************************************
111 Generate the next PDU to be returned from the data.
112 ********************************************************************/
113
114 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
115 struct pipe_auth_data *auth,
116 uint32_t call_id,
117 DATA_BLOB *rdata,
118 size_t data_sent_length,
119 DATA_BLOB *frag,
120 size_t *pdu_size)
121 {
122 union dcerpc_payload u;
123 uint8_t pfc_flags;
124 size_t data_left;
125 size_t data_to_send;
126 size_t frag_len;
127 size_t pad_len = 0;
128 size_t auth_len = 0;
129 NTSTATUS status;
130
131 ZERO_STRUCT(u.response);
132
133 /* Set up rpc packet pfc flags. */
134 if (data_sent_length == 0) {
135 pfc_flags = DCERPC_PFC_FLAG_FIRST;
136 } else {
137 pfc_flags = 0;
138 }
139
140 /* Work out how much we can fit in a single PDU. */
141 data_left = rdata->length - data_sent_length;
142
143 /* Ensure there really is data left to send. */
144 if (!data_left) {
145 DEBUG(0, ("No data left to send !\n"));
146 return NT_STATUS_BUFFER_TOO_SMALL;
147 }
148
149 status = dcerpc_guess_sizes(auth,
150 DCERPC_RESPONSE_LENGTH,
151 data_left,
152 RPC_MAX_PDU_FRAG_LEN,
153 &data_to_send, &frag_len,
154 &auth_len, &pad_len);
155 if (!NT_STATUS_IS_OK(status)) {
156 return status;
157 }
158
159 /* Set up the alloc hint. This should be the data left to send. */
160 u.response.alloc_hint = data_left;
161
162 /* Work out if this PDU will be the last. */
163 if (data_sent_length + data_to_send >= rdata->length) {
164 pfc_flags |= DCERPC_PFC_FLAG_LAST;
165 }
166
167 /* Prepare data to be NDR encoded. */
168 u.response.stub_and_verifier =
169 data_blob_const(rdata->data + data_sent_length, data_to_send);
170
171 /* Store the packet in the data stream. */
172 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
173 pfc_flags, auth_len, call_id,
174 &u, frag);
175 if (!NT_STATUS_IS_OK(status)) {
176 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
177 return status;
178 }
179
180 if (auth_len) {
181 /* Set the proper length on the pdu, including padding.
182 * Only needed if an auth trailer will be appended. */
183 dcerpc_set_frag_length(frag, frag->length
184 + pad_len
185 + DCERPC_AUTH_TRAILER_LENGTH
186 + auth_len);
187 }
188
189 if (auth_len) {
190 status = dcerpc_add_auth_footer(auth, pad_len, frag);
191 if (!NT_STATUS_IS_OK(status)) {
192 data_blob_free(frag);
193 return status;
194 }
195 }
196
197 *pdu_size = data_to_send;
198 return NT_STATUS_OK;
199 }
200
201 /*******************************************************************
202 Generate the next PDU to be returned from the data in p->rdata.
203 ********************************************************************/
204
205 bool create_next_pdu(struct pipes_struct *p)
206 {
207 size_t pdu_size = 0;
208 NTSTATUS status;
209
210 /*
211 * If we're in the fault state, keep returning fault PDU's until
212 * the pipe gets closed. JRA.
213 */
214 if (p->fault_state) {
215 setup_fault_pdu(p, NT_STATUS(p->fault_state));
216 return true;
217 }
218
219 status = create_next_packet(p->mem_ctx, &p->auth,
220 p->call_id, &p->out_data.rdata,
221 p->out_data.data_sent_length,
222 &p->out_data.frag, &pdu_size);
223 if (!NT_STATUS_IS_OK(status)) {
224 DEBUG(0, ("Failed to create packet with error %s, "
225 "(auth level %u / type %u)\n",
226 nt_errstr(status),
227 (unsigned int)p->auth.auth_level,
228 (unsigned int)p->auth.auth_type));
229 return false;
230 }
231
232 /* Setup the counts for this PDU. */
233 p->out_data.data_sent_length += pdu_size;
234 p->out_data.current_pdu_sent = 0;
235 return true;
236 }
237
238
239 static bool pipe_init_outgoing_data(struct pipes_struct *p);
240
241 /*******************************************************************
242 Marshall a bind_nak pdu.
243 *******************************************************************/
244
245 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
246 {
247 NTSTATUS status;
248 union dcerpc_payload u;
249
250 /* Free any memory in the current return data buffer. */
251 pipe_init_outgoing_data(p);
252
253 /*
254 * Initialize a bind_nak header.
255 */
256
257 ZERO_STRUCT(u);
258
259 u.bind_nak.reject_reason = 0;
260
261 /*
262 * Marshall directly into the outgoing PDU space. We
263 * must do this as we need to set to the bind response
264 * header and are never sending more than one PDU here.
265 */
266
267 status = dcerpc_push_ncacn_packet(p->mem_ctx,
268 DCERPC_PKT_BIND_NAK,
269 DCERPC_PFC_FLAG_FIRST |
270 DCERPC_PFC_FLAG_LAST,
271 0,
272 pkt->call_id,
273 &u,
274 &p->out_data.frag);
275 if (!NT_STATUS_IS_OK(status)) {
276 return False;
277 }
278
279 p->out_data.data_sent_length = 0;
280 p->out_data.current_pdu_sent = 0;
281
282 set_incoming_fault(p);
283 TALLOC_FREE(p->auth.auth_ctx);
284 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
285 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
286 p->pipe_bound = False;
287 p->allow_bind = false;
288 p->allow_alter = false;
289 p->allow_auth3 = false;
290
291 return True;
292 }
293
294 /*******************************************************************
295 Marshall a fault pdu.
296 *******************************************************************/
297
298 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
299 {
300 NTSTATUS status;
301 union dcerpc_payload u;
302
303 /* Free any memory in the current return data buffer. */
304 pipe_init_outgoing_data(p);
305
306 /*
307 * Initialize a fault header.
308 */
309
310 ZERO_STRUCT(u);
311
312 u.fault.status = NT_STATUS_V(fault_status);
313
314 /*
315 * Marshall directly into the outgoing PDU space. We
316 * must do this as we need to set to the bind response
317 * header and are never sending more than one PDU here.
318 */
319
320 status = dcerpc_push_ncacn_packet(p->mem_ctx,
321 DCERPC_PKT_FAULT,
322 DCERPC_PFC_FLAG_FIRST |
323 DCERPC_PFC_FLAG_LAST |
324 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
325 0,
326 p->call_id,
327 &u,
328 &p->out_data.frag);
329 if (!NT_STATUS_IS_OK(status)) {
330 return False;
331 }
332
333 p->out_data.data_sent_length = 0;
334 p->out_data.current_pdu_sent = 0;
335
336 return True;
337 }
338
339 /*******************************************************************
340 Ensure a bind request has the correct abstract & transfer interface.
341 Used to reject unknown binds from Win2k.
342 *******************************************************************/
343
344 static bool check_bind_req(struct pipes_struct *p,
345 struct ndr_syntax_id* abstract,
346 struct ndr_syntax_id* transfer,
347 uint32_t context_id)
348 {
349 struct pipe_rpc_fns *context_fns;
350 bool ok;
351 const char *interface_name = NULL;
352
353 DEBUG(3,("check_bind_req for %s context_id=%u\n",
354 ndr_interface_name(&abstract->uuid,
355 abstract->if_version),
356 (unsigned)context_id));
357
358 ok = ndr_syntax_id_equal(transfer, &ndr_transfer_syntax_ndr);
359 if (!ok) {
360 DEBUG(1,("check_bind_req unknown transfer syntax for "
361 "%s context_id=%u\n",
362 ndr_interface_name(&abstract->uuid,
363 abstract->if_version),
364 (unsigned)context_id));
365 return false;
366 }
367
368 for (context_fns = p->contexts;
369 context_fns != NULL;
370 context_fns = context_fns->next)
371 {
372 if (context_fns->context_id != context_id) {
373 continue;
374 }
375
376 ok = ndr_syntax_id_equal(&context_fns->syntax,
377 abstract);
378 if (ok) {
379 return true;
380 }
381
382 DEBUG(1,("check_bind_req: changing abstract syntax for "
383 "%s context_id=%u into %s not supported\n",
384 ndr_interface_name(&context_fns->syntax.uuid,
385 context_fns->syntax.if_version),
386 (unsigned)context_id,
387 ndr_interface_name(&abstract->uuid,
388 abstract->if_version)));
389 return false;
390 }
391
392 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
393 if (!rpc_srv_pipe_exists_by_id(abstract)) {
394 return false;
395 }
396
397 DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
398 rpc_srv_get_pipe_cli_name(abstract),
399 rpc_srv_get_pipe_srv_name(abstract)));
400
401 ok = init_pipe_handles(p, abstract);
402 if (!ok) {
403 DEBUG(1, ("Failed to init pipe handles!\n"));
404 return false;
405 }
406
407 context_fns = talloc_zero(p, struct pipe_rpc_fns);
408 if (context_fns == NULL) {
409 DEBUG(0,("check_bind_req: talloc() failed!\n"));
410 return false;
411 }
412
413 interface_name = ndr_interface_name(&abstract->uuid,
414 abstract->if_version);
415 SMB_ASSERT(interface_name != NULL);
416
417 context_fns->next = context_fns->prev = NULL;
418 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
419 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
420 context_fns->context_id = context_id;
421 context_fns->syntax = *abstract;
422
423 context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
424 /*
425 * for the samr, lsarpc and netlogon interfaces we don't allow "connect"
426 * auth_level by default.
427 */
428 ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
429 if (ok) {
430 context_fns->allow_connect = false;
431 }
432 ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
433 if (ok) {
434 context_fns->allow_connect = false;
435 }
436 ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
437 if (ok) {
438 context_fns->allow_connect = false;
439 }
440 /*
441 * for the epmapper and echo interfaces we allow "connect"
442 * auth_level by default.
443 */
444 ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
445 if (ok) {
446 context_fns->allow_connect = true;
447 }
448 ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
449 if (ok) {
450 context_fns->allow_connect = true;
451 }
452 /*
453 * every interface can be modified to allow "connect" auth_level by
454 * using a parametric option like:
455 * allow dcerpc auth level connect:<interface>
456 * e.g.
457 * allow dcerpc auth level connect:samr = yes
458 */
459 context_fns->allow_connect = lp_parm_bool(-1,
460 "allow dcerpc auth level connect",
461 interface_name, context_fns->allow_connect);
462
463 ok = ndr_syntax_id_equal(abstract, &ndr_table_iremotewinspool.syntax_id);
464 if (ok) {
465 context_fns->min_auth_level = DCERPC_AUTH_LEVEL_PACKET;
466 }
467
468 /* add to the list of open contexts */
469
470 DLIST_ADD( p->contexts, context_fns );
471
472 return True;
473 }
474
475 /**
476 * Is a named pipe known?
477 * @param[in] pipename Just the filename
478 * @result NT error code
479 */
480 NTSTATUS is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
481 {
482 NTSTATUS status;
483
484 if (strchr(pipename, '/')) {
485 DBG_WARNING("Refusing open on pipe %s\n", pipename);
486 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
487 }
488
489 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
490 DBG_DEBUG("refusing spoolss access\n");
491 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
492 }
493
494 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
495 return NT_STATUS_OK;
496 }
497
498 status = smb_probe_module("rpc", pipename);
499 if (!NT_STATUS_IS_OK(status)) {
500 DBG_DEBUG("Unknown pipe '%s'\n", pipename);
501 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
502 }
503 DBG_DEBUG("'%s' loaded dynamically\n", pipename);
504
505 /*
506 * Scan the list again for the interface id
507 */
508 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
509 return NT_STATUS_OK;
510 }
511
512 DBG_DEBUG("pipe %s did not register itself!\n", pipename);
513
514 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
515 }
516
517 /*******************************************************************
518 Handle an NTLMSSP bind auth.
519 *******************************************************************/
520
521 static bool pipe_auth_generic_bind(struct pipes_struct *p,
522 struct ncacn_packet *pkt,
523 struct dcerpc_auth *auth_info,
524 const char *service_description,
525 DATA_BLOB *response)
526 {
527 TALLOC_CTX *mem_ctx = pkt;
528 struct gensec_security *gensec_security = NULL;
529 NTSTATUS status;
530
531 status = auth_generic_server_authtype_start(p,
532 auth_info->auth_type,
533 auth_info->auth_level,
534 p->remote_address,
535 p->local_address,
536 service_description,
537 &gensec_security);
538 if (!NT_STATUS_IS_OK(status)) {
539 DEBUG(0, (__location__ ": auth_generic_server_authtype_start[%u/%u] failed: %s\n",
540 auth_info->auth_type, auth_info->auth_level, nt_errstr(status)));
541 return false;
542 }
543
544 p->auth.auth_ctx = gensec_security;
545 p->auth.auth_type = auth_info->auth_type;
546 p->auth.auth_level = auth_info->auth_level;
547 p->auth.auth_context_id = auth_info->auth_context_id;
548
549 if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
550 p->auth.client_hdr_signing = true;
551 p->auth.hdr_signing = gensec_have_feature(gensec_security,
552 GENSEC_FEATURE_SIGN_PKT_HEADER);
553 }
554
555 if (p->auth.hdr_signing) {
556 gensec_want_feature(gensec_security,
557 GENSEC_FEATURE_SIGN_PKT_HEADER);
558 }
559
560 status = auth_generic_server_step(gensec_security, mem_ctx,
561 &auth_info->credentials,
562 response);
563 if (!NT_STATUS_IS_OK(status) &&
564 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
565 {
566 DEBUG(2, (__location__ ": "
567 "auth_generic_server_step[%u/%u] failed: %s\n",
568 auth_info->auth_type, auth_info->auth_level,
569 nt_errstr(status)));
570 return false;
571 }
572
573 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
574 return true;
575 }
576
577 status = pipe_auth_verify_final(p);
578 if (!NT_STATUS_IS_OK(status)) {
579 DEBUG(0, ("pipe_auth_verify_final failed: %s\n",
580 nt_errstr(status)));
581 return false;
582 }
583
584 return true;
585 }
586
587 /*******************************************************************
588 Process an NTLMSSP authentication response.
589 If this function succeeds, the user has been authenticated
590 and their domain, name and calling workstation stored in
591 the pipe struct.
592 *******************************************************************/
593
594 static bool pipe_auth_generic_verify_final(TALLOC_CTX *mem_ctx,
595 struct gensec_security *gensec_security,
596 enum dcerpc_AuthLevel auth_level,
597 struct auth_session_info **session_info)
598 {
599 NTSTATUS status;
600 bool ret;
601
602 DEBUG(5, (__location__ ": checking user details\n"));
603
604 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
605 ensure the underlying NTLMSSP flags are also set. If not we should
606 refuse the bind. */
607
608 status = auth_generic_server_check_flags(gensec_security,
609 (auth_level >=
610 DCERPC_AUTH_LEVEL_PACKET),
611 (auth_level ==
612 DCERPC_AUTH_LEVEL_PRIVACY));
613 if (!NT_STATUS_IS_OK(status)) {
614 DEBUG(0, (__location__ ": Client failed to negotiate proper "
615 "security for rpc connection\n"));
616 return false;
617 }
618
619 TALLOC_FREE(*session_info);
620
621 status = auth_generic_server_get_user_info(gensec_security,
622 mem_ctx, session_info);
623 if (!NT_STATUS_IS_OK(status)) {
624 DEBUG(0, (__location__ ": failed to obtain the server info "
625 "for authenticated user: %s\n", nt_errstr(status)));
626 return false;
627 }
628
629 if ((*session_info)->security_token == NULL) {
630 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
631 return false;
632 }
633
634 if ((*session_info)->unix_token == NULL) {
635 DEBUG(1, ("Auth module failed to provide unix_token\n"));
636 return false;
637 }
638
639 /*
640 * We're an authenticated bind over smb, so the session key needs to
641 * be set to "SystemLibraryDTC". Weird, but this is what Windows
642 * does. See the RPC-SAMBA3SESSIONKEY.
643 */
644
645 ret = session_info_set_session_key((*session_info), generic_session_key());
646 if (!ret) {
647 DEBUG(0, ("Failed to set session key!\n"));
648 return false;
649 }
650
651 return true;
652 }
653
654 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
655 {
656 struct gensec_security *gensec_security;
657 bool ok;
658
659 if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
660 p->pipe_bound = true;
661 return NT_STATUS_OK;
662 }
663
664 gensec_security = p->auth.auth_ctx;
665
666 ok = pipe_auth_generic_verify_final(p, gensec_security,
667 p->auth.auth_level,
668 &p->session_info);
669 if (!ok) {
670 return NT_STATUS_ACCESS_DENIED;
671 }
672
673 p->pipe_bound = true;
674
675 return NT_STATUS_OK;
676 }
677
678 /*******************************************************************
679 Respond to a pipe bind request.
680 *******************************************************************/
681
682 static bool api_pipe_bind_req(struct pipes_struct *p,
683 struct ncacn_packet *pkt)
684 {
685 struct dcerpc_auth auth_info = {0};
686 uint16_t assoc_gid;
687 NTSTATUS status;
688 struct ndr_syntax_id id;
689 uint8_t pfc_flags = 0;
690 union dcerpc_payload u;
691 struct dcerpc_ack_ctx bind_ack_ctx;
692 DATA_BLOB auth_resp = data_blob_null;
693 DATA_BLOB auth_blob = data_blob_null;
694 const struct ndr_interface_table *table;
695 const char *secondary_address = NULL;
696
697 if (!p->allow_bind) {
698 DEBUG(2,("Pipe not in allow bind state\n"));
699 return setup_bind_nak(p, pkt);
700 }
701 p->allow_bind = false;
702
703 status = dcerpc_verify_ncacn_packet_header(pkt,
704 DCERPC_PKT_BIND,
705 pkt->u.bind.auth_info.length,
706 0, /* required flags */
707 DCERPC_PFC_FLAG_FIRST |
708 DCERPC_PFC_FLAG_LAST |
709 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
710 0x08 | /* this is not defined, but should be ignored */
711 DCERPC_PFC_FLAG_CONC_MPX |
712 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
713 DCERPC_PFC_FLAG_MAYBE |
714 DCERPC_PFC_FLAG_OBJECT_UUID);
715 if (!NT_STATUS_IS_OK(status)) {
716 DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
717 nt_errstr(status)));
718 NDR_PRINT_DEBUG(ncacn_packet, pkt);
719 goto err_exit;
720 }
721
722 if (pkt->u.bind.num_contexts == 0) {
723 DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n"));
724 goto err_exit;
725 }
726
727 if (pkt->u.bind.ctx_list[0].num_transfer_syntaxes == 0) {
728 DEBUG(1, ("api_pipe_bind_req: no transfer syntaxes around\n"));
729 goto err_exit;
730 }
731
732 /*
733 * Try and find the correct pipe name to ensure
734 * that this is a pipe name we support.
735 */
736 id = pkt->u.bind.ctx_list[0].abstract_syntax;
737
738 table = ndr_table_by_uuid(&id.uuid);
739 if (table == NULL) {
740 char *iface = ndr_syntax_id_to_string(talloc_tos(), &id);
741 DBG_NOTICE("unknown interface %s\n",
742 iface ? iface : "<null>");
743 TALLOC_FREE(iface);
744 return false;
745 }
746
747 if (rpc_srv_pipe_exists_by_id(&id)) {
748 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
749 rpc_srv_get_pipe_cli_name(&id),
750 rpc_srv_get_pipe_srv_name(&id)));
751 } else {
752 status = smb_probe_module(
753 "rpc", dcerpc_default_transport_endpoint(pkt,
754 NCACN_NP, table));
755
756 if (NT_STATUS_IS_ERR(status)) {
757 DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
758 "%s in bind request.\n",
759 ndr_interface_name(&id.uuid,
760 id.if_version)));
761
762 return setup_bind_nak(p, pkt);
763 }
764
765 if (rpc_srv_get_pipe_interface_by_cli_name(
766 dcerpc_default_transport_endpoint(pkt,
767 NCACN_NP, table),
768 &id)) {
769 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
770 rpc_srv_get_pipe_cli_name(&id),
771 rpc_srv_get_pipe_srv_name(&id)));
772 } else {
773 DEBUG(0, ("module %s doesn't provide functions for "
774 "pipe %s!\n",
775 ndr_interface_name(&id.uuid,
776 id.if_version),
777 ndr_interface_name(&id.uuid,
778 id.if_version)));
779 return setup_bind_nak(p, pkt);
780 }
781 }
782
783 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
784
785 if (pkt->u.bind.assoc_group_id != 0) {
786 assoc_gid = pkt->u.bind.assoc_group_id;
787 } else {
788 assoc_gid = 0x53f0;
789 }
790
791 /*
792 * Create the bind response struct.
793 */
794
795 /* If the requested abstract synt uuid doesn't match our client pipe,
796 reject the bind_ack & set the transfer interface synt to all 0's,
797 ver 0 (observed when NT5 attempts to bind to abstract interfaces
798 unknown to NT4)
799 Needed when adding entries to a DACL from NT5 - SK */
800
801 if (check_bind_req(p,
802 &pkt->u.bind.ctx_list[0].abstract_syntax,
803 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
804 pkt->u.bind.ctx_list[0].context_id)) {
805
806 bind_ack_ctx.result = 0;
807 bind_ack_ctx.reason.value = 0;
808 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
809 } else {
810 /* Rejection reason: abstract syntax not supported */
811 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
812 bind_ack_ctx.reason.value = DCERPC_BIND_REASON_ASYNTAX;
813 bind_ack_ctx.syntax = ndr_syntax_id_null;
814 }
815
816 /*
817 * Check if this is an authenticated bind request.
818 */
819 if (pkt->auth_length) {
820 /*
821 * Decode the authentication verifier.
822 */
823 status = dcerpc_pull_auth_trailer(pkt, pkt,
824 &pkt->u.bind.auth_info,
825 &auth_info, NULL, true);
826 if (!NT_STATUS_IS_OK(status)) {
827 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
828 goto err_exit;
829 }
830
831 if (!pipe_auth_generic_bind(p, pkt,
832 &auth_info,
833 table->name,
834 &auth_resp)) {
835 goto err_exit;
836 }
837 } else {
838 TALLOC_CTX *frame = talloc_stackframe();
839 struct auth4_context *auth4_context;
840 const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
841 if (p->transport == NCACN_NP) {
842 transport_protection = AUTHZ_TRANSPORT_PROTECTION_SMB;
843 }
844
845 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
846 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
847 p->auth.auth_context_id = 0;
848
849 become_root();
850 status = make_auth4_context(frame, &auth4_context);
851 unbecome_root();
852 if (!NT_STATUS_IS_OK(status)) {
853 DEBUG(0, ("Unable to make auth context for authz log.\n"));
854 TALLOC_FREE(frame);
855 goto err_exit;
856 }
857
858 /*
859 * Log the authorization to this RPC interface. This
860 * covered ncacn_np pass-through auth, and anonymous
861 * DCE/RPC (eg epmapper, netlogon etc)
862 */
863 log_successful_authz_event(auth4_context->msg_ctx,
864 auth4_context->lp_ctx,
865 p->remote_address,
866 p->local_address,
867 table->name,
868 derpc_transport_string_by_transport(p->transport),
869 transport_protection,
870 p->session_info);
871 TALLOC_FREE(frame);
872 }
873
874 ZERO_STRUCT(u.bind_ack);
875 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
876 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
877 u.bind_ack.assoc_group_id = assoc_gid;
878
879 switch (p->transport) {
880 case NCACN_IP_TCP:
881 secondary_address = talloc_asprintf(pkt, "%d",
882 tsocket_address_inet_port(p->local_address));
883 break;
884 case NCACN_NP:
885 default:
886 /* name has to be \PIPE\xxxxx */
887 secondary_address =
888 talloc_asprintf(pkt, "\\PIPE\\%s",
889 rpc_srv_get_pipe_srv_name(&id));
890 break;
891 }
892
893 if (secondary_address == NULL) {
894 DEBUG(0, ("Out of memory!\n"));
895 goto err_exit;
896 }
897
898 u.bind_ack.secondary_address = secondary_address;
899 u.bind_ack.secondary_address_size =
900 strlen(u.bind_ack.secondary_address) + 1;
901
902 u.bind_ack.num_results = 1;
903 u.bind_ack.ctx_list = &bind_ack_ctx;
904
905 /* NOTE: We leave the auth_info empty so we can calculate the padding
906 * later and then append the auth_info --simo */
907
908 /*
909 * Marshall directly into the outgoing PDU space. We
910 * must do this as we need to set to the bind response
911 * header and are never sending more than one PDU here.
912 */
913
914 pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
915
916 if (p->auth.hdr_signing) {
917 pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
918 }
919
920 status = dcerpc_push_ncacn_packet(p->mem_ctx,
921 DCERPC_PKT_BIND_ACK,
922 pfc_flags,
923 auth_resp.length,
924 pkt->call_id,
925 &u,
926 &p->out_data.frag);
927 if (!NT_STATUS_IS_OK(status)) {
928 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
929 nt_errstr(status)));
930 goto err_exit;
931 }
932
933 if (auth_resp.length) {
934 status = dcerpc_push_dcerpc_auth(pkt,
935 p->auth.auth_type,
936 p->auth.auth_level,
937 0, /* pad_len */
938 p->auth.auth_context_id,
939 &auth_resp,
940 &auth_blob);
941 if (!NT_STATUS_IS_OK(status)) {
942 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
943 goto err_exit;
944 }
945 }
946
947 /* Now that we have the auth len store it into the right place in
948 * the dcerpc header */
949 dcerpc_set_frag_length(&p->out_data.frag,
950 p->out_data.frag.length + auth_blob.length);
951
952 if (auth_blob.length) {
953
954 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
955 auth_blob.data, auth_blob.length)) {
956 DEBUG(0, ("Append of auth info failed.\n"));
957 goto err_exit;
958 }
959 }
960
961 /*
962 * Setup the lengths for the initial reply.
963 */
964
965 p->out_data.data_sent_length = 0;
966 p->out_data.current_pdu_sent = 0;
967
968 TALLOC_FREE(auth_blob.data);
969
970 if (bind_ack_ctx.result == 0) {
971 p->allow_alter = true;
972 p->allow_auth3 = true;
973 if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
974 status = pipe_auth_verify_final(p);
975 if (!NT_STATUS_IS_OK(status)) {
976 DEBUG(0, ("pipe_auth_verify_final failed: %s\n",
977 nt_errstr(status)));
978 goto err_exit;
979 }
980 }
981 } else {
982 goto err_exit;
983 }
984
985 return True;
986
987 err_exit:
988
989 data_blob_free(&p->out_data.frag);
990 TALLOC_FREE(auth_blob.data);
991 return setup_bind_nak(p, pkt);
992 }
993
994 /*******************************************************************
995 This is the "stage3" response after a bind request and reply.
996 *******************************************************************/
997
998 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
999 {
1000 struct dcerpc_auth auth_info;
1001 DATA_BLOB response = data_blob_null;
1002 struct gensec_security *gensec_security;
1003 NTSTATUS status;
1004
1005 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1006
1007 if (!p->allow_auth3) {
1008 DEBUG(1, ("Pipe not in allow auth3 state.\n"));
1009 goto err;
1010 }
1011
1012 status = dcerpc_verify_ncacn_packet_header(pkt,
1013 DCERPC_PKT_AUTH3,
1014 pkt->u.auth3.auth_info.length,
1015 0, /* required flags */
1016 DCERPC_PFC_FLAG_FIRST |
1017 DCERPC_PFC_FLAG_LAST |
1018 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1019 0x08 | /* this is not defined, but should be ignored */
1020 DCERPC_PFC_FLAG_CONC_MPX |
1021 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1022 DCERPC_PFC_FLAG_MAYBE |
1023 DCERPC_PFC_FLAG_OBJECT_UUID);
1024 if (!NT_STATUS_IS_OK(status)) {
1025 DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
1026 nt_errstr(status)));
1027 NDR_PRINT_DEBUG(ncacn_packet, pkt);
1028 goto err;
1029 }
1030
1031 /* We can only finish if the pipe is unbound for now */
1032 if (p->pipe_bound) {
1033 DEBUG(0, (__location__ ": Pipe already bound, "
1034 "AUTH3 not supported!\n"));
1035 goto err;
1036 }
1037
1038 if (pkt->auth_length == 0) {
1039 DEBUG(1, ("No auth field sent for auth3 request!\n"));
1040 goto err;
1041 }
1042
1043 /*
1044 * Decode the authentication verifier response.
1045 */
1046
1047 status = dcerpc_pull_auth_trailer(pkt, pkt,
1048 &pkt->u.auth3.auth_info,
1049 &auth_info, NULL, true);
1050 if (!NT_STATUS_IS_OK(status)) {
1051 DEBUG(1, ("Failed to unmarshall dcerpc_auth.\n"));
1052 goto err;
1053 }
1054
1055 /* We must NEVER look at auth_info->auth_pad_len here,
1056 * as old Samba client code gets it wrong and sends it
1057 * as zero. JRA.
1058 */
1059
1060 if (auth_info.auth_type != p->auth.auth_type) {
1061 DEBUG(1, ("Auth type mismatch! Client sent %d, "
1062 "but auth was started as type %d!\n",
1063 auth_info.auth_type, p->auth.auth_type));
1064 goto err;
1065 }
1066
1067 if (auth_info.auth_level != p->auth.auth_level) {
1068 DEBUG(1, ("Auth level mismatch! Client sent %d, "
1069 "but auth was started as level %d!\n",
1070 auth_info.auth_level, p->auth.auth_level));
1071 goto err;
1072 }
1073
1074 if (auth_info.auth_context_id != p->auth.auth_context_id) {
1075 DEBUG(0, ("Auth context id mismatch! Client sent %u, "
1076 "but auth was started as level %u!\n",
1077 (unsigned)auth_info.auth_context_id,
1078 (unsigned)p->auth.auth_context_id));
1079 goto err;
1080 }
1081
1082 gensec_security = p->auth.auth_ctx;
1083
1084 status = auth_generic_server_step(gensec_security,
1085 pkt, &auth_info.credentials,
1086 &response);
1087
1088 if (NT_STATUS_EQUAL(status,
1089 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1090 response.length) {
1091 DEBUG(1, (__location__ ": This was supposed to be the final "
1092 "leg, but crypto machinery claims a response is "
1093 "needed, aborting auth!\n"));
1094 data_blob_free(&response);
1095 goto err;
1096 }
1097 if (!NT_STATUS_IS_OK(status)) {
1098 DEBUG(2, ("Auth failed (%s)\n", nt_errstr(status)));
1099 goto err;
1100 }
1101
1102 /* Now verify auth was indeed successful and extract server info */
1103 status = pipe_auth_verify_final(p);
1104 if (!NT_STATUS_IS_OK(status)) {
1105 DEBUG(2, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1106 goto err;
1107 }
1108
1109 return true;
1110
1111 err:
1112 p->pipe_bound = false;
1113 p->allow_bind = false;
1114 p->allow_alter = false;
1115 p->allow_auth3 = false;
1116
1117 TALLOC_FREE(p->auth.auth_ctx);
1118 return false;
1119 }
1120
1121 /****************************************************************************
1122 Deal with an alter context call. Can be third part of 3 leg auth request for
1123 SPNEGO calls.
1124 ****************************************************************************/
1125
1126 static bool api_pipe_alter_context(struct pipes_struct *p,
1127 struct ncacn_packet *pkt)
1128 {
1129 struct dcerpc_auth auth_info = {0};
1130 uint16_t assoc_gid;
1131 NTSTATUS status;
1132 union dcerpc_payload u;
1133 struct dcerpc_ack_ctx alter_ack_ctx;
1134 DATA_BLOB auth_resp = data_blob_null;
1135 DATA_BLOB auth_blob = data_blob_null;
1136 struct gensec_security *gensec_security;
1137
1138 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1139
1140 if (!p->allow_alter) {
1141 DEBUG(1, ("Pipe not in allow alter state.\n"));
1142 goto err_exit;
1143 }
1144
1145 status = dcerpc_verify_ncacn_packet_header(pkt,
1146 DCERPC_PKT_ALTER,
1147 pkt->u.alter.auth_info.length,
1148 0, /* required flags */
1149 DCERPC_PFC_FLAG_FIRST |
1150 DCERPC_PFC_FLAG_LAST |
1151 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1152 0x08 | /* this is not defined, but should be ignored */
1153 DCERPC_PFC_FLAG_CONC_MPX |
1154 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1155 DCERPC_PFC_FLAG_MAYBE |
1156 DCERPC_PFC_FLAG_OBJECT_UUID);
1157 if (!NT_STATUS_IS_OK(status)) {
1158 DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
1159 nt_errstr(status)));
1160 NDR_PRINT_DEBUG(ncacn_packet, pkt);
1161 goto err_exit;
1162 }
1163
1164 if (pkt->u.alter.num_contexts == 0) {
1165 DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n"));
1166 goto err_exit;
1167 }
1168
1169 if (pkt->u.alter.ctx_list[0].num_transfer_syntaxes == 0) {
1170 DEBUG(1, ("api_pipe_alter_context: no transfer syntaxes around\n"));
1171 goto err_exit;
1172 }
1173
1174 if (pkt->u.alter.assoc_group_id != 0) {
1175 assoc_gid = pkt->u.alter.assoc_group_id;
1176 } else {
1177 assoc_gid = 0x53f0;
1178 }
1179
1180 /*
1181 * Create the bind response struct.
1182 */
1183
1184 /* If the requested abstract synt uuid doesn't match our client pipe,
1185 reject the alter_ack & set the transfer interface synt to all 0's,
1186 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1187 unknown to NT4)
1188 Needed when adding entries to a DACL from NT5 - SK */
1189
1190 if (check_bind_req(p,
1191 &pkt->u.alter.ctx_list[0].abstract_syntax,
1192 &pkt->u.alter.ctx_list[0].transfer_syntaxes[0],
1193 pkt->u.alter.ctx_list[0].context_id)) {
1194
1195 alter_ack_ctx.result = 0;
1196 alter_ack_ctx.reason.value = 0;
1197 alter_ack_ctx.syntax = pkt->u.alter.ctx_list[0].transfer_syntaxes[0];
1198 } else {
1199 /* Rejection reason: abstract syntax not supported */
1200 alter_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1201 alter_ack_ctx.reason.value = DCERPC_BIND_REASON_ASYNTAX;
1202 alter_ack_ctx.syntax = ndr_syntax_id_null;
1203 }
1204
1205 /*
1206 * Check if this is an authenticated alter context request.
1207 */
1208 if (pkt->auth_length) {
1209 /* We can only finish if the pipe is unbound for now */
1210 if (p->pipe_bound) {
1211 DEBUG(0, (__location__ ": Pipe already bound, "
1212 "Altering Context not yet supported!\n"));
1213 goto err_exit;
1214 }
1215
1216 status = dcerpc_pull_auth_trailer(pkt, pkt,
1217 &pkt->u.alter.auth_info,
1218 &auth_info, NULL, true);
1219 if (!NT_STATUS_IS_OK(status)) {
1220 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1221 goto err_exit;
1222 }
1223
1224 if (auth_info.auth_type != p->auth.auth_type) {
1225 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1226 "but auth was started as type %d!\n",
1227 auth_info.auth_type, p->auth.auth_type));
1228 goto err_exit;
1229 }
1230
1231 if (auth_info.auth_level != p->auth.auth_level) {
1232 DEBUG(0, ("Auth level mismatch! Client sent %d, "
1233 "but auth was started as level %d!\n",
1234 auth_info.auth_level, p->auth.auth_level));
1235 goto err_exit;
1236 }
1237
1238 if (auth_info.auth_context_id != p->auth.auth_context_id) {
1239 DEBUG(0, ("Auth context id mismatch! Client sent %u, "
1240 "but auth was started as level %u!\n",
1241 (unsigned)auth_info.auth_context_id,
1242 (unsigned)p->auth.auth_context_id));
1243 goto err_exit;
1244 }
1245
1246 gensec_security = p->auth.auth_ctx;
1247 status = auth_generic_server_step(gensec_security,
1248 pkt,
1249 &auth_info.credentials,
1250 &auth_resp);
1251 if (NT_STATUS_IS_OK(status)) {
1252 /* third leg of auth, verify auth info */
1253 status = pipe_auth_verify_final(p);
1254 if (!NT_STATUS_IS_OK(status)) {
1255 DEBUG(0, ("Auth Verify failed (%s)\n",
1256 nt_errstr(status)));
1257 goto err_exit;
1258 }
1259 } else if (NT_STATUS_EQUAL(status,
1260 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1261 DEBUG(10, ("More auth legs required.\n"));
1262 } else {
1263 DEBUG(0, ("Auth step returned an error (%s)\n",
1264 nt_errstr(status)));
1265 goto err_exit;
1266 }
1267 }
1268
1269 ZERO_STRUCT(u.alter_resp);
1270 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1271 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1272 u.alter_resp.assoc_group_id = assoc_gid;
1273
1274 /* secondary address CAN be NULL
1275 * as the specs say it's ignored.
1276 * It MUST be NULL to have the spoolss working.
1277 */
1278 u.alter_resp.secondary_address = "";
1279 u.alter_resp.secondary_address_size = 1;
1280
1281 u.alter_resp.num_results = 1;
1282 u.alter_resp.ctx_list = &alter_ack_ctx;
1283
1284 /* NOTE: We leave the auth_info empty so we can calculate the padding
1285 * later and then append the auth_info --simo */
1286
1287 /*
1288 * Marshall directly into the outgoing PDU space. We
1289 * must do this as we need to set to the bind response
1290 * header and are never sending more than one PDU here.
1291 */
1292
1293 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1294 DCERPC_PKT_ALTER_RESP,
1295 DCERPC_PFC_FLAG_FIRST |
1296 DCERPC_PFC_FLAG_LAST,
1297 auth_resp.length,
1298 pkt->call_id,
1299 &u,
1300 &p->out_data.frag);
1301 if (!NT_STATUS_IS_OK(status)) {
1302 DEBUG(0, ("Failed to marshall alter_resp packet. (%s)\n",
1303 nt_errstr(status)));
1304 goto err_exit;
1305 }
1306
1307 if (auth_resp.length) {
1308 status = dcerpc_push_dcerpc_auth(pkt,
1309 p->auth.auth_type,
1310 p->auth.auth_level,
1311 0, /* pad_len */
1312 p->auth.auth_context_id,
1313 &auth_resp,
1314 &auth_blob);
1315 if (!NT_STATUS_IS_OK(status)) {
1316 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1317 goto err_exit;
1318 }
1319 }
1320
1321 /* Now that we have the auth len store it into the right place in
1322 * the dcerpc header */
1323 dcerpc_set_frag_length(&p->out_data.frag,
1324 p->out_data.frag.length +
1325 auth_blob.length);
1326
1327 if (auth_resp.length) {
1328 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1329 auth_blob.data, auth_blob.length)) {
1330 DEBUG(0, ("Append of auth info failed.\n"));
1331 goto err_exit;
1332 }
1333 }
1334
1335 /*
1336 * Setup the lengths for the initial reply.
1337 */
1338
1339 p->out_data.data_sent_length = 0;
1340 p->out_data.current_pdu_sent = 0;
1341
1342 TALLOC_FREE(auth_blob.data);
1343 return True;
1344
1345 err_exit:
1346
1347 data_blob_free(&p->out_data.frag);
1348 TALLOC_FREE(auth_blob.data);
1349 return setup_bind_nak(p, pkt);
1350 }
1351
1352 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1353 const struct api_struct *api_rpc_cmds, int n_cmds,
1354 const struct ndr_syntax_id *syntax);
1355
1356 static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
1357 struct ncacn_packet *pkt,
1358 struct pipe_rpc_fns *pipe_fns)
1359 {
1360 TALLOC_CTX *frame = talloc_stackframe();
1361 struct dcerpc_sec_verification_trailer *vt = NULL;
1362 const uint32_t bitmask1 =
1363 p->auth.client_hdr_signing ? DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
1364 const struct dcerpc_sec_vt_pcontext pcontext = {
1365 .abstract_syntax = pipe_fns->syntax,
1366 .transfer_syntax = ndr_transfer_syntax_ndr,
1367 };
1368 const struct dcerpc_sec_vt_header2 header2 =
1369 dcerpc_sec_vt_header2_from_ncacn_packet(pkt);
1370 struct ndr_pull *ndr;
1371 enum ndr_err_code ndr_err;
1372 bool ret = false;
1373
1374 ndr = ndr_pull_init_blob(&p->in_data.data, frame);
1375 if (ndr == NULL) {
1376 goto done;
1377 }
1378
1379 ndr_err = ndr_pop_dcerpc_sec_verification_trailer(ndr, frame, &vt);
1380 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1381 goto done;
1382 }
1383
1384 ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
1385 &pcontext, &header2);
1386 done:
1387 TALLOC_FREE(frame);
1388 return ret;
1389 }
1390
1391 /****************************************************************************
1392 Find the correct RPC function to call for this request.
1393 If the pipe is authenticated then become the correct UNIX user
1394 before doing the call.
1395 ****************************************************************************/
1396
1397 static bool api_pipe_request(struct pipes_struct *p,
1398 struct ncacn_packet *pkt)
1399 {
1400 TALLOC_CTX *frame = talloc_stackframe();
1401 bool ret = False;
1402 struct pipe_rpc_fns *pipe_fns;
1403 const char *interface_name = NULL;
1404 const char *dump_dir = NULL;
1405
1406 if (!p->pipe_bound) {
1407 DEBUG(1, ("Pipe not bound!\n"));
1408 data_blob_free(&p->out_data.rdata);
1409 TALLOC_FREE(frame);
1410 return false;
1411 }
1412
1413 /* get the set of RPC functions for this context */
1414 pipe_fns = find_pipe_fns_by_context(p->contexts,
1415 pkt->u.request.context_id);
1416 if (pipe_fns == NULL) {
1417 DEBUG(0, ("No rpc function table associated with context "
1418 "[%d]\n",
1419 pkt->u.request.context_id));
1420 data_blob_free(&p->out_data.rdata);
1421 TALLOC_FREE(frame);
1422 return false;
1423 }
1424
1425 interface_name = ndr_interface_name(&pipe_fns->syntax.uuid,
1426 pipe_fns->syntax.if_version);
1427 SMB_ASSERT(interface_name != NULL);
1428
1429 if (p->auth.auth_level < pipe_fns->min_auth_level) {
1430
1431 DEBUG(1, ("%s: auth level required for %s: 0x%x, got: 0x%0x\n",
1432 __func__, interface_name,
1433 pipe_fns->min_auth_level,
1434 p->auth.auth_level));
1435
1436 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
1437 TALLOC_FREE(frame);
1438 return true;
1439 }
1440
1441 switch (p->auth.auth_level) {
1442 case DCERPC_AUTH_LEVEL_NONE:
1443 case DCERPC_AUTH_LEVEL_PACKET:
1444 case DCERPC_AUTH_LEVEL_INTEGRITY:
1445 case DCERPC_AUTH_LEVEL_PRIVACY:
1446 break;
1447 default:
1448 if (!pipe_fns->allow_connect) {
1449 char *addr;
1450
1451 addr = tsocket_address_string(p->remote_address, frame);
1452
1453 DEBUG(1, ("%s: restrict auth_level_connect access "
1454 "to [%s] with auth[type=0x%x,level=0x%x] "
1455 "on [%s] from [%s]\n",
1456 __func__, interface_name,
1457 p->auth.auth_type,
1458 p->auth.auth_level,
1459 derpc_transport_string_by_transport(p->transport),
1460 addr));
1461
1462 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
1463 TALLOC_FREE(frame);
1464 return true;
1465 }
1466 break;
1467 }
1468
1469 dump_dir = lp_parm_const_string(0, "dcesrv", "fuzz directory", NULL);
1470
1471 dcerpc_save_ndr_fuzz_seed(p,
1472 p->in_data.data,
1473 dump_dir,
1474 interface_name,
1475 NDR_IN,
1476 pkt->u.request.opnum,
1477 false);
1478
1479 if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
1480 DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
1481 set_incoming_fault(p);
1482 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
1483 data_blob_free(&p->out_data.rdata);
1484 TALLOC_FREE(frame);
1485 return true;
1486 }
1487
1488 if (!become_authenticated_pipe_user(p->session_info)) {
1489 DEBUG(1, ("Failed to become pipe user!\n"));
1490 data_blob_free(&p->out_data.rdata);
1491 TALLOC_FREE(frame);
1492 return false;
1493 }
1494
1495 DEBUG(5, ("Requested %s rpc service\n", interface_name));
1496
1497 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
1498 &pipe_fns->syntax);
1499 unbecome_authenticated_pipe_user();
1500
1501 dcerpc_save_ndr_fuzz_seed(p,
1502 p->out_data.rdata,
1503 dump_dir,
1504 interface_name,
1505 NDR_OUT,
1506 pkt->u.request.opnum,
1507 false);
1508
1509 TALLOC_FREE(frame);
1510 return ret;
1511 }
1512
1513 /*******************************************************************
1514 Calls the underlying RPC function for a named pipe.
1515 ********************************************************************/
1516
1517 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1518 const struct api_struct *api_rpc_cmds, int n_cmds,
1519 const struct ndr_syntax_id *syntax)
1520 {
1521 int fn_num;
1522 uint32_t offset1;
1523 const struct ndr_interface_table *table;
1524
1525 /* interpret the command */
1526 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1527 ndr_interface_name(&syntax->uuid, syntax->if_version),
1528 pkt->u.request.opnum));
1529
1530 table = ndr_table_by_uuid(&syntax->uuid);
1531 if (table == NULL) {
1532 DEBUG(0,("unknown interface\n"));
1533 return false;
1534 }
1535
1536 if (DEBUGLEVEL >= 50) {
1537 fstring name;
1538 slprintf(name, sizeof(name)-1, "in_%s",
1539 dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
1540 dump_pdu_region(name, pkt->u.request.opnum,
1541 &p->in_data.data, 0,
1542 p->in_data.data.length);
1543 }
1544
1545 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1546 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1547 api_rpc_cmds[fn_num].fn != NULL) {
1548 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1549 api_rpc_cmds[fn_num].name));
1550 break;
1551 }
1552 }
1553
1554 if (fn_num == n_cmds) {
1555 /*
1556 * For an unknown RPC just return a fault PDU but
1557 * return True to allow RPC's on the pipe to continue
1558 * and not put the pipe into fault state. JRA.
1559 */
1560 DEBUG(4, ("unknown\n"));
1561 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1562 return True;
1563 }
1564
1565 offset1 = p->out_data.rdata.length;
1566
1567 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1568 fn_num, api_rpc_cmds[fn_num].fn));
1569 /* do the actual command */
1570 if(!api_rpc_cmds[fn_num].fn(p)) {
1571 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1572 ndr_interface_name(&syntax->uuid, syntax->if_version),
1573 api_rpc_cmds[fn_num].name));
1574 data_blob_free(&p->out_data.rdata);
1575 return False;
1576 }
1577
1578 if (p->fault_state) {
1579 DEBUG(4,("api_rpcTNP: fault(%d) return.\n", p->fault_state));
1580 setup_fault_pdu(p, NT_STATUS(p->fault_state));
1581 p->fault_state = 0;
1582 return true;
1583 }
1584
1585 if (DEBUGLEVEL >= 50) {
1586 fstring name;
1587 slprintf(name, sizeof(name)-1, "out_%s",
1588 dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
1589 dump_pdu_region(name, pkt->u.request.opnum,
1590 &p->out_data.rdata, offset1,
1591 p->out_data.rdata.length);
1592 }
1593
1594 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1595 ndr_interface_name(&syntax->uuid, syntax->if_version)));
1596
1597 /* Check for buffer underflow in rpc parsing */
1598 if ((DEBUGLEVEL >= 10) &&
1599 (pkt->frag_length < p->in_data.data.length)) {
1600 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1601 dump_data(10, p->in_data.data.data + pkt->frag_length,
1602 p->in_data.data.length - pkt->frag_length);
1603 }
1604
1605 return True;
1606 }
1607
1608 /****************************************************************************
1609 Initialise an outgoing packet.
1610 ****************************************************************************/
1611
1612 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1613 {
1614 output_data *o_data = &p->out_data;
1615
1616 /* Reset the offset counters. */
1617 o_data->data_sent_length = 0;
1618 o_data->current_pdu_sent = 0;
1619
1620 data_blob_free(&o_data->frag);
1621
1622 /* Free any memory in the current return data buffer. */
1623 data_blob_free(&o_data->rdata);
1624
1625 return True;
1626 }
1627
1628 /****************************************************************************
1629 Sets the fault state on incoming packets.
1630 ****************************************************************************/
1631
1632 void set_incoming_fault(struct pipes_struct *p)
1633 {
1634 data_blob_free(&p->in_data.data);
1635 p->in_data.pdu_needed_len = 0;
1636 p->in_data.pdu.length = 0;
1637 p->fault_state = DCERPC_NCA_S_PROTO_ERROR;
1638
1639 p->allow_alter = false;
1640 p->allow_auth3 = false;
1641 p->pipe_bound = false;
1642
1643 DEBUG(10, ("Setting fault state\n"));
1644 }
1645
1646 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1647 struct ncacn_packet *pkt,
1648 DATA_BLOB *raw_pkt)
1649 {
1650 NTSTATUS status;
1651 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1652
1653 DEBUG(10, ("Checking request auth.\n"));
1654
1655 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1656 hdr_size += 16;
1657 }
1658
1659 /* in case of sealing this function will unseal the data in place */
1660 status = dcerpc_check_auth(auth, pkt,
1661 &pkt->u.request.stub_and_verifier,
1662 hdr_size, raw_pkt);
1663 if (!NT_STATUS_IS_OK(status)) {
1664 return status;
1665 }
1666
1667 return NT_STATUS_OK;
1668 }
1669
1670 /****************************************************************************
1671 Processes a request pdu. This will do auth processing if needed, and
1672 appends the data into the complete stream if the LAST flag is not set.
1673 ****************************************************************************/
1674
1675 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1676 {
1677 NTSTATUS status;
1678 DATA_BLOB data;
1679 struct dcerpc_sec_vt_header2 hdr2;
1680
1681 if (!p->pipe_bound) {
1682 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1683 set_incoming_fault(p);
1684 return False;
1685 }
1686
1687 /*
1688 * We don't ignore DCERPC_PFC_FLAG_PENDING_CANCEL.
1689 * TODO: we can reject it with DCERPC_FAULT_NO_CALL_ACTIVE later.
1690 */
1691 status = dcerpc_verify_ncacn_packet_header(pkt,
1692 DCERPC_PKT_REQUEST,
1693 pkt->u.request.stub_and_verifier.length,
1694 0, /* required_flags */
1695 DCERPC_PFC_FLAG_FIRST |
1696 DCERPC_PFC_FLAG_LAST |
1697 0x08 | /* this is not defined, but should be ignored */
1698 DCERPC_PFC_FLAG_CONC_MPX |
1699 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1700 DCERPC_PFC_FLAG_MAYBE |
1701 DCERPC_PFC_FLAG_OBJECT_UUID);
1702 if (!NT_STATUS_IS_OK(status)) {
1703 DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
1704 nt_errstr(status)));
1705 NDR_PRINT_DEBUG(ncacn_packet, pkt);
1706 set_incoming_fault(p);
1707 return false;
1708 }
1709
1710 hdr2 = dcerpc_sec_vt_header2_from_ncacn_packet(pkt);
1711 if (pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST) {
1712 p->header2 = hdr2;
1713 } else {
1714 if (!dcerpc_sec_vt_header2_equal(&hdr2, &p->header2)) {
1715 set_incoming_fault(p);
1716 return false;
1717 }
1718 }
1719
1720 /* Store the opnum */
1721 p->opnum = pkt->u.request.opnum;
1722
1723 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1724 if (!NT_STATUS_IS_OK(status)) {
1725 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1726 nt_errstr(status)));
1727 set_incoming_fault(p);
1728 return false;
1729 }
1730
1731 data = pkt->u.request.stub_and_verifier;
1732
1733 /*
1734 * Check the data length doesn't go over the 15Mb limit.
1735 * increased after observing a bug in the Windows NT 4.0 SP6a
1736 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1737 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1738 */
1739
1740 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1741 DEBUG(0, ("process_request_pdu: "
1742 "rpc data buffer too large (%u) + (%u)\n",
1743 (unsigned int)p->in_data.data.length,
1744 (unsigned int)data.length));
1745 set_incoming_fault(p);
1746 return False;
1747 }
1748
1749 /*
1750 * Append the data portion into the buffer and return.
1751 */
1752
1753 if (data.length) {
1754 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1755 data.data, data.length)) {
1756 DEBUG(0, ("Unable to append data size %u "
1757 "to parse buffer of size %u.\n",
1758 (unsigned int)data.length,
1759 (unsigned int)p->in_data.data.length));
1760 set_incoming_fault(p);
1761 return False;
1762 }
1763 }
1764
1765 if (!(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
1766 return true;
1767 }
1768
1769 /*
1770 * Ok - we finally have a complete RPC stream.
1771 * Call the rpc command to process it.
1772 */
1773
1774 return api_pipe_request(p, pkt);
1775 }
1776
1777 void process_complete_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1778 {
1779 bool reply = false;
1780
1781 /* Store the call_id */
1782 p->call_id = pkt->call_id;
1783
1784 DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
1785
1786 if (!pipe_init_outgoing_data(p)) {
1787 goto done;
1788 }
1789
1790 switch (pkt->ptype) {
1791 case DCERPC_PKT_REQUEST:
1792 reply = process_request_pdu(p, pkt);
1793 break;
1794
1795 case DCERPC_PKT_PING: /* CL request - ignore... */
1796 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1797 (unsigned int)pkt->ptype));
1798 break;
1799
1800 case DCERPC_PKT_RESPONSE: /* No responses here. */
1801 DEBUG(0, ("Error - DCERPC_PKT_RESPONSE received from client"));
1802 break;
1803
1804 case DCERPC_PKT_FAULT:
1805 case DCERPC_PKT_WORKING:
1806 /* CL request - reply to a ping when a call in process. */
1807 case DCERPC_PKT_NOCALL:
1808 /* CL - server reply to a ping call. */
1809 case DCERPC_PKT_REJECT:
1810 case DCERPC_PKT_ACK:
1811 case DCERPC_PKT_CL_CANCEL:
1812 case DCERPC_PKT_FACK:
1813 case DCERPC_PKT_CANCEL_ACK:
1814 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1815 (unsigned int)pkt->ptype));
1816 break;
1817
1818 case DCERPC_PKT_BIND:
1819 /*
1820 * We assume that a pipe bind is only in one pdu.
1821 */
1822 reply = api_pipe_bind_req(p, pkt);
1823 break;
1824
1825 case DCERPC_PKT_BIND_ACK:
1826 case DCERPC_PKT_BIND_NAK:
1827 DEBUG(0, ("Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1828 "packet type %u received.\n",
1829 (unsigned int)pkt->ptype));
1830 break;
1831
1832
1833 case DCERPC_PKT_ALTER:
1834 /*
1835 * We assume that a pipe bind is only in one pdu.
1836 */
1837 reply = api_pipe_alter_context(p, pkt);
1838 break;
1839
1840 case DCERPC_PKT_ALTER_RESP:
1841 DEBUG(0, ("Error - DCERPC_PKT_ALTER_RESP received: "
1842 "Should only be server -> client.\n"));
1843 break;
1844
1845 case DCERPC_PKT_AUTH3:
1846 /*
1847 * The third packet in an auth exchange.
1848 */
1849 reply = api_pipe_bind_auth3(p, pkt);
1850 break;
1851
1852 case DCERPC_PKT_SHUTDOWN:
1853 DEBUG(0, ("Error - DCERPC_PKT_SHUTDOWN received: "
1854 "Should only be server -> client.\n"));
1855 break;
1856
1857 case DCERPC_PKT_CO_CANCEL:
1858 /* For now just free all client data and continue
1859 * processing. */
1860 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1861 " Abandoning rpc call.\n"));
1862 /* As we never do asynchronous RPC serving, we can
1863 * never cancel a call (as far as I know).
1864 * If we ever did we'd have to send a cancel_ack reply.
1865 * For now, just free all client data and continue
1866 * processing. */
1867 reply = True;
1868 break;
1869
1870 #if 0
1871 /* Enable this if we're doing async rpc. */
1872 /* We must check the outstanding callid matches. */
1873 if (pipe_init_outgoing_data(p)) {
1874 /* Send a cancel_ack PDU reply. */
1875 /* We should probably check the auth-verifier here. */
1876 reply = setup_cancel_ack_reply(p, pkt);
1877 }
1878 break;
1879 #endif
1880
1881 case DCERPC_PKT_ORPHANED:
1882 /* We should probably check the auth-verifier here.
1883 * For now just free all client data and continue
1884 * processing. */
1885 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1886 " Abandoning rpc call.\n"));
1887 reply = True;
1888 break;
1889
1890 default:
1891 DEBUG(0, ("process_complete_pdu: "
1892 "Unknown rpc type = %u received.\n",
1893 (unsigned int)pkt->ptype));
1894 break;
1895 }
1896
1897 done:
1898 if (!reply) {
1899 DBG_NOTICE("DCE/RPC fault sent!\n");
1900 set_incoming_fault(p);
1901 setup_fault_pdu(p, NT_STATUS(DCERPC_NCA_S_PROTO_ERROR));
1902 }
1903 /* pkt and p->in_data.pdu.data freed by caller */
1904 }
1905
Samba GIT mirror