search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: check for previous versions in check_any_access_fsp()
[Samba.git] / librpc / rpc / dcerpc_util.c
blobe6f7fa634a92749e2ef61c993140efd3df918c26
1 /*
2 Unix SMB/CIFS implementation.
3 raw dcerpc operations
4
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/network.h"
24 #include <tevent.h>
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/tevent_ntstatus.h"
27 #include "librpc/rpc/dcerpc.h"
28 #include "librpc/rpc/dcerpc_util.h"
29 #include "librpc/gen_ndr/ndr_dcerpc.h"
30 #include "rpc_common.h"
31 #include "lib/util/bitmap.h"
32
33 #undef strncasecmp
34
35 /* we need to be able to get/set the fragment length without doing a full
36 decode */
37 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
38 {
39 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
40
41 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
42 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
43 } else {
44 RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
45 }
46 }
47
48 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
49 {
50 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
51
52 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
53 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
54 } else {
55 return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
56 }
57 }
58
59 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
60 {
61 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
62
63 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
64 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
65 } else {
66 RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
67 }
68 }
69
70 uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
71 {
72 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
73
74 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
75 return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
76 } else {
77 return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
78 }
79 }
80
81 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
82 {
83 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
84
85 return blob->data[DCERPC_DREP_OFFSET];
86 }
87
88 static uint16_t dcerpc_get_auth_context_offset(const DATA_BLOB *blob)
89 {
90 uint16_t frag_len = dcerpc_get_frag_length(blob);
91 uint16_t auth_len = dcerpc_get_auth_length(blob);
92 uint16_t min_offset;
93 uint16_t offset;
94
95 if (auth_len == 0) {
96 return 0;
97 }
98
99 if (frag_len > blob->length) {
100 return 0;
101 }
102
103 if (auth_len > frag_len) {
104 return 0;
105 }
106
107 min_offset = DCERPC_NCACN_PAYLOAD_OFFSET + DCERPC_AUTH_TRAILER_LENGTH;
108 offset = frag_len - auth_len;
109 if (offset < min_offset) {
110 return 0;
111 }
112 offset -= DCERPC_AUTH_TRAILER_LENGTH;
113
114 return offset;
115 }
116
117 uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob)
118 {
119 uint16_t offset;
120
121 offset = dcerpc_get_auth_context_offset(blob);
122 if (offset == 0) {
123 return 0;
124 }
125
126 /*
127 * auth_typw is in the 1st byte
128 * of the auth trailer
129 */
130 offset += 0;
131
132 return blob->data[offset];
133 }
134
135 uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob)
136 {
137 uint16_t offset;
138
139 offset = dcerpc_get_auth_context_offset(blob);
140 if (offset == 0) {
141 return 0;
142 }
143
144 /*
145 * auth_level is in 2nd byte
146 * of the auth trailer
147 */
148 offset += 1;
149
150 return blob->data[offset];
151 }
152
153 uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob)
154 {
155 uint16_t offset;
156
157 offset = dcerpc_get_auth_context_offset(blob);
158 if (offset == 0) {
159 return 0;
160 }
161
162 /*
163 * auth_context_id is in the last 4 byte
164 * of the auth trailer
165 */
166 offset += 4;
167
168 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
169 return IVAL(blob->data, offset);
170 } else {
171 return RIVAL(blob->data, offset);
172 }
173 }
174
175 /**
176 * @brief Decodes a ncacn_packet
177 *
178 * @param mem_ctx The memory context on which to allocate the packet
179 * elements
180 * @param blob The blob of data to decode
181 * @param r An empty ncacn_packet, must not be NULL
182 *
183 * @return a NTSTATUS error code
184 */
185 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
186 const DATA_BLOB *blob,
187 struct ncacn_packet *r)
188 {
189 enum ndr_err_code ndr_err;
190 struct ndr_pull *ndr;
191
192 ndr = ndr_pull_init_blob(blob, mem_ctx);
193 if (!ndr) {
194 return NT_STATUS_NO_MEMORY;
195 }
196
197 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
198
199 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
200 talloc_free(ndr);
201 return ndr_map_error2ntstatus(ndr_err);
202 }
203 talloc_free(ndr);
204
205 if (r->frag_length != blob->length) {
206 return NT_STATUS_RPC_PROTOCOL_ERROR;
207 }
208
209 return NT_STATUS_OK;
210 }
211
212 /**
213 * @brief Pull a dcerpc_auth structure, taking account of any auth
214 * padding in the blob. For request/response packets we pass
215 * the whole data blob, so auth_data_only must be set to false
216 * as the blob contains data+pad+auth and no just pad+auth.
217 *
218 * @param pkt - The ncacn_packet structure
219 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
220 * @param pkt_trailer - The packet trailer data, usually the trailing
221 * auth_info blob, but in the request/response case
222 * this is the stub_and_verifier blob.
223 * @param auth - A preallocated dcerpc_auth *empty* structure
224 * @param auth_length - The length of the auth trail, sum of auth header
225 * length and pkt->auth_length
226 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
227 * (+ padding) or also other data.
228 *
229 * @return - A NTSTATUS error code.
230 */
231 NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
232 TALLOC_CTX *mem_ctx,
233 const DATA_BLOB *pkt_trailer,
234 struct dcerpc_auth *auth,
235 uint32_t *_auth_length,
236 bool auth_data_only)
237 {
238 struct ndr_pull *ndr;
239 enum ndr_err_code ndr_err;
240 uint16_t data_and_pad;
241 uint16_t auth_length;
242 uint32_t tmp_length;
243 uint32_t max_pad_len = 0;
244
245 ZERO_STRUCTP(auth);
246 if (_auth_length != NULL) {
247 *_auth_length = 0;
248
249 if (auth_data_only) {
250 return NT_STATUS_INTERNAL_ERROR;
251 }
252 } else {
253 if (!auth_data_only) {
254 return NT_STATUS_INTERNAL_ERROR;
255 }
256 }
257
258 /* Paranoia checks for auth_length. The caller should check this... */
259 if (pkt->auth_length == 0) {
260 return NT_STATUS_INTERNAL_ERROR;
261 }
262
263 /* Paranoia checks for auth_length. The caller should check this... */
264 if (pkt->auth_length > pkt->frag_length) {
265 return NT_STATUS_INTERNAL_ERROR;
266 }
267 tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
268 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
269 tmp_length += pkt->auth_length;
270 if (tmp_length > pkt->frag_length) {
271 return NT_STATUS_INTERNAL_ERROR;
272 }
273 if (pkt_trailer->length > UINT16_MAX) {
274 return NT_STATUS_INTERNAL_ERROR;
275 }
276
277 auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
278 if (pkt_trailer->length < auth_length) {
279 return NT_STATUS_RPC_PROTOCOL_ERROR;
280 }
281
282 data_and_pad = pkt_trailer->length - auth_length;
283
284 ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
285 if (!ndr) {
286 return NT_STATUS_NO_MEMORY;
287 }
288
289 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
290 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
291 }
292
293 ndr_err = ndr_pull_advance(ndr, data_and_pad);
294 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
295 talloc_free(ndr);
296 return ndr_map_error2ntstatus(ndr_err);
297 }
298
299 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
300 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
301 talloc_free(ndr);
302 ZERO_STRUCTP(auth);
303 return ndr_map_error2ntstatus(ndr_err);
304 }
305
306 /*
307 * Make sure the padding would not exceed
308 * the frag_length.
309 *
310 * Here we assume at least 24 bytes for the
311 * payload specific header the value of
312 * DCERPC_{REQUEST,RESPONSE}_LENGTH.
313 *
314 * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
315 *
316 * We need this check before we ignore possible
317 * invalid values. See also bug #11982.
318 *
319 * This check is mainly used to generate the correct
320 * error for BIND_*, ALTER_* and AUTH3 pdus.
321 *
322 * We always have the 'if (data_and_pad < auth->auth_pad_length)'
323 * protection for REQUEST and RESPONSE pdus, where the
324 * auth_pad_length field is actually used by the caller.
325 */
326 tmp_length = DCERPC_REQUEST_LENGTH;
327 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
328 tmp_length += pkt->auth_length;
329 if (tmp_length < pkt->frag_length) {
330 max_pad_len = pkt->frag_length - tmp_length;
331 }
332 if (max_pad_len < auth->auth_pad_length) {
333 DEBUG(1, (__location__ ": ERROR: pad length too large. "
334 "max %"PRIu32" got %"PRIu8"\n",
335 max_pad_len,
336 auth->auth_pad_length));
337 talloc_free(ndr);
338 ZERO_STRUCTP(auth);
339 return NT_STATUS_RPC_PROTOCOL_ERROR;
340 }
341
342 /*
343 * This is a workaround for a bug in old
344 * Samba releases. For BIND_ACK <= 3.5.x
345 * and for ALTER_RESP <= 4.2.x (see bug #11061)
346 *
347 * See also bug #11982.
348 */
349 if (auth_data_only && data_and_pad == 0 &&
350 auth->auth_pad_length > 0) {
351 /*
352 * we need to ignore invalid auth_pad_length
353 * values for BIND_*, ALTER_* and AUTH3 pdus.
354 */
355 auth->auth_pad_length = 0;
356 }
357
358 if (data_and_pad < auth->auth_pad_length) {
359 DBG_WARNING(__location__ ": ERROR: pad length too long. "
360 "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
361 "was less than auth_pad_length=%"PRIu8"\n",
362 data_and_pad,
363 pkt_trailer->length,
364 auth_length,
365 auth->auth_pad_length);
366 talloc_free(ndr);
367 ZERO_STRUCTP(auth);
368 return NT_STATUS_RPC_PROTOCOL_ERROR;
369 }
370
371 if (auth_data_only && data_and_pad > auth->auth_pad_length) {
372 DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
373 "Client sent a longer BIND packet than expected by %"PRIu16" bytes "
374 "(pkt_trailer->length=%zu - auth_length=%"PRIu16") "
375 "= %"PRIu16" auth_pad_length=%"PRIu8"\n",
376 data_and_pad - auth->auth_pad_length,
377 pkt_trailer->length,
378 auth_length,
379 data_and_pad,
380 auth->auth_pad_length);
381 talloc_free(ndr);
382 ZERO_STRUCTP(auth);
383 return NT_STATUS_RPC_PROTOCOL_ERROR;
384 }
385
386 if (auth_data_only && data_and_pad != auth->auth_pad_length) {
387 DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
388 "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
389 "but auth_pad_length=%"PRIu8"\n",
390 data_and_pad,
391 pkt_trailer->length,
392 auth_length,
393 auth->auth_pad_length);
394 talloc_free(ndr);
395 ZERO_STRUCTP(auth);
396 return NT_STATUS_RPC_PROTOCOL_ERROR;
397 }
398
399 DBG_DEBUG("auth_pad_length %"PRIu8"\n",
400 auth->auth_pad_length);
401
402 talloc_steal(mem_ctx, auth->credentials.data);
403 talloc_free(ndr);
404
405 if (_auth_length != NULL) {
406 *_auth_length = auth_length;
407 }
408
409 return NT_STATUS_OK;
410 }
411
412 /**
413 * @brief Verify the fields in ncacn_packet header.
414 *
415 * @param pkt - The ncacn_packet structure
416 * @param ptype - The expected PDU type
417 * @param max_auth_info - The maximum size of a possible auth trailer
418 * @param required_flags - The required flags for the pdu.
419 * @param optional_flags - The possible optional flags for the pdu.
420 *
421 * @return - A NTSTATUS error code.
422 */
423 NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
424 enum dcerpc_pkt_type ptype,
425 size_t max_auth_info,
426 uint8_t required_flags,
427 uint8_t optional_flags)
428 {
429 if (pkt->rpc_vers != 5) {
430 return NT_STATUS_RPC_PROTOCOL_ERROR;
431 }
432
433 if (pkt->rpc_vers_minor != 0) {
434 return NT_STATUS_RPC_PROTOCOL_ERROR;
435 }
436
437 if (pkt->auth_length > pkt->frag_length) {
438 return NT_STATUS_RPC_PROTOCOL_ERROR;
439 }
440
441 if (pkt->ptype != ptype) {
442 return NT_STATUS_RPC_PROTOCOL_ERROR;
443 }
444
445 if (max_auth_info > UINT16_MAX) {
446 return NT_STATUS_INTERNAL_ERROR;
447 }
448
449 if (pkt->auth_length > 0) {
450 size_t max_auth_length;
451
452 if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
453 return NT_STATUS_RPC_PROTOCOL_ERROR;
454 }
455 max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
456
457 if (pkt->auth_length > max_auth_length) {
458 return NT_STATUS_RPC_PROTOCOL_ERROR;
459 }
460 }
461
462 if ((pkt->pfc_flags & required_flags) != required_flags) {
463 return NT_STATUS_RPC_PROTOCOL_ERROR;
464 }
465 if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
466 return NT_STATUS_RPC_PROTOCOL_ERROR;
467 }
468
469 if (pkt->drep[0] & ~DCERPC_DREP_LE) {
470 return NT_STATUS_RPC_PROTOCOL_ERROR;
471 }
472 if (pkt->drep[1] != 0) {
473 return NT_STATUS_RPC_PROTOCOL_ERROR;
474 }
475 if (pkt->drep[2] != 0) {
476 return NT_STATUS_RPC_PROTOCOL_ERROR;
477 }
478 if (pkt->drep[3] != 0) {
479 return NT_STATUS_RPC_PROTOCOL_ERROR;
480 }
481
482 return NT_STATUS_OK;
483 }
484
485 struct dcerpc_read_ncacn_packet_state {
486 #if 0
487 struct {
488 } caller;
489 #endif
490 DATA_BLOB buffer;
491 struct ncacn_packet *pkt;
492 };
493
494 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
495 void *private_data,
496 TALLOC_CTX *mem_ctx,
497 struct iovec **_vector,
498 size_t *_count);
499 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
500
501 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
502 struct tevent_context *ev,
503 struct tstream_context *stream)
504 {
505 struct tevent_req *req;
506 struct dcerpc_read_ncacn_packet_state *state;
507 struct tevent_req *subreq;
508
509 req = tevent_req_create(mem_ctx, &state,
510 struct dcerpc_read_ncacn_packet_state);
511 if (req == NULL) {
512 return NULL;
513 }
514
515 state->pkt = talloc_zero(state, struct ncacn_packet);
516 if (tevent_req_nomem(state->pkt, req)) {
517 goto post;
518 }
519
520 subreq = tstream_readv_pdu_send(state, ev,
521 stream,
522 dcerpc_read_ncacn_packet_next_vector,
523 state);
524 if (tevent_req_nomem(subreq, req)) {
525 goto post;
526 }
527 tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
528
529 return req;
530 post:
531 tevent_req_post(req, ev);
532 return req;
533 }
534
535 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
536 void *private_data,
537 TALLOC_CTX *mem_ctx,
538 struct iovec **_vector,
539 size_t *_count)
540 {
541 struct dcerpc_read_ncacn_packet_state *state =
542 talloc_get_type_abort(private_data,
543 struct dcerpc_read_ncacn_packet_state);
544 struct iovec *vector;
545 off_t ofs = 0;
546
547 if (state->buffer.length == 0) {
548 /*
549 * first get enough to read the fragment length
550 *
551 * We read the full fixed ncacn_packet header
552 * in order to make wireshark happy with
553 * pcap files from socket_wrapper.
554 */
555 ofs = 0;
556 state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
557 state->buffer.data = talloc_array(state, uint8_t,
558 state->buffer.length);
559 if (!state->buffer.data) {
560 return -1;
561 }
562 } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
563 /* now read the fragment length and allocate the full buffer */
564 size_t frag_len = dcerpc_get_frag_length(&state->buffer);
565
566 ofs = state->buffer.length;
567
568 if (frag_len <= ofs) {
569 /*
570 * With frag_len == ofs, we are done, this is likely
571 * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
572 * without any payload.
573 *
574 * Otherwise it's a broken packet and we
575 * let the caller deal with it.
576 */
577 *_vector = NULL;
578 *_count = 0;
579 return 0;
580 }
581
582 state->buffer.data = talloc_realloc(state,
583 state->buffer.data,
584 uint8_t, frag_len);
585 if (!state->buffer.data) {
586 return -1;
587 }
588 state->buffer.length = frag_len;
589 } else {
590 /* if we reach this we have a full fragment */
591 *_vector = NULL;
592 *_count = 0;
593 return 0;
594 }
595
596 /* now create the vector that we want to be filled */
597 vector = talloc_array(mem_ctx, struct iovec, 1);
598 if (!vector) {
599 return -1;
600 }
601
602 vector[0].iov_base = (void *) (state->buffer.data + ofs);
603 vector[0].iov_len = state->buffer.length - ofs;
604
605 *_vector = vector;
606 *_count = 1;
607 return 0;
608 }
609
610 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
611 {
612 struct tevent_req *req = tevent_req_callback_data(subreq,
613 struct tevent_req);
614 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
615 struct dcerpc_read_ncacn_packet_state);
616 int ret;
617 int sys_errno;
618 NTSTATUS status;
619
620 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
621 TALLOC_FREE(subreq);
622 if (ret == -1) {
623 status = map_nt_error_from_unix_common(sys_errno);
624 tevent_req_nterror(req, status);
625 return;
626 }
627
628 status = dcerpc_pull_ncacn_packet(state->pkt,
629 &state->buffer,
630 state->pkt);
631 if (tevent_req_nterror(req, status)) {
632 return;
633 }
634
635 tevent_req_done(req);
636 }
637
638 NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
639 TALLOC_CTX *mem_ctx,
640 struct ncacn_packet **pkt,
641 DATA_BLOB *buffer)
642 {
643 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
644 struct dcerpc_read_ncacn_packet_state);
645 NTSTATUS status;
646
647 if (tevent_req_is_nterror(req, &status)) {
648 tevent_req_received(req);
649 return status;
650 }
651
652 *pkt = talloc_move(mem_ctx, &state->pkt);
653 if (buffer) {
654 buffer->data = talloc_move(mem_ctx, &state->buffer.data);
655 buffer->length = state->buffer.length;
656 }
657
658 tevent_req_received(req);
659 return NT_STATUS_OK;
660 }
661
662 const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
663 enum dcerpc_transport_t transport,
664 const struct ndr_interface_table *table)
665 {
666 NTSTATUS status;
667 const char *p = NULL;
668 const char *endpoint = NULL;
669 uint32_t i;
670 struct dcerpc_binding *default_binding = NULL;
671 TALLOC_CTX *frame = talloc_stackframe();
672
673 /* Find one of the default pipes for this interface */
674
675 for (i = 0; i < table->endpoints->count; i++) {
676 enum dcerpc_transport_t dtransport;
677 const char *dendpoint;
678
679 status = dcerpc_parse_binding(frame, table->endpoints->names[i],
680 &default_binding);
681 if (!NT_STATUS_IS_OK(status)) {
682 continue;
683 }
684
685 dtransport = dcerpc_binding_get_transport(default_binding);
686 dendpoint = dcerpc_binding_get_string_option(default_binding,
687 "endpoint");
688 if (dendpoint == NULL) {
689 TALLOC_FREE(default_binding);
690 continue;
691 }
692
693 if (transport == NCA_UNKNOWN) {
694 transport = dtransport;
695 }
696
697 if (transport != dtransport) {
698 TALLOC_FREE(default_binding);
699 continue;
700 }
701
702 p = dendpoint;
703 break;
704 }
705
706 if (p == NULL) {
707 goto done;
708 }
709
710 /*
711 * extract the pipe name without \\pipe from for example
712 * ncacn_np:[\\pipe\\epmapper]
713 */
714 if (transport == NCACN_NP) {
715 if (strncasecmp(p, "\\pipe\\", 6) == 0) {
716 p += 6;
717 }
718 if (p[0] == '\\') {
719 p += 1;
720 }
721 }
722
723 endpoint = talloc_strdup(mem_ctx, p);
724
725 done:
726 talloc_free(frame);
727 return endpoint;
728 }
729
730 struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
731 {
732 struct dcerpc_sec_vt_header2 ret;
733
734 ZERO_STRUCT(ret);
735 ret.ptype = pkt->ptype;
736 memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
737 ret.call_id = pkt->call_id;
738
739 switch (pkt->ptype) {
740 case DCERPC_PKT_REQUEST:
741 ret.context_id = pkt->u.request.context_id;
742 ret.opnum = pkt->u.request.opnum;
743 break;
744
745 case DCERPC_PKT_RESPONSE:
746 ret.context_id = pkt->u.response.context_id;
747 break;
748
749 case DCERPC_PKT_FAULT:
750 ret.context_id = pkt->u.fault.context_id;
751 break;
752
753 default:
754 break;
755 }
756
757 return ret;
758 }
759
760 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
761 const struct dcerpc_sec_vt_header2 *v2)
762 {
763 if (v1->ptype != v2->ptype) {
764 return false;
765 }
766
767 if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
768 return false;
769 }
770
771 if (v1->call_id != v2->call_id) {
772 return false;
773 }
774
775 if (v1->context_id != v2->context_id) {
776 return false;
777 }
778
779 if (v1->opnum != v2->opnum) {
780 return false;
781 }
782
783 return true;
784 }
785
786 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
787 {
788 bool ret = false;
789 TALLOC_CTX *frame = talloc_stackframe();
790 struct bitmap *commands_seen;
791 int i;
792
793 if (r->count.count == 0) {
794 ret = true;
795 goto done;
796 }
797
798 if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
799 goto done;
800 }
801
802 commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
803 if (commands_seen == NULL) {
804 goto done;
805 }
806
807 for (i=0; i < r->count.count; i++) {
808 enum dcerpc_sec_vt_command_enum cmd =
809 r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
810
811 if (bitmap_query(commands_seen, cmd)) {
812 /* Each command must appear at most once. */
813 goto done;
814 }
815 bitmap_set(commands_seen, cmd);
816
817 switch (cmd) {
818 case DCERPC_SEC_VT_COMMAND_BITMASK1:
819 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
820 case DCERPC_SEC_VT_COMMAND_HEADER2:
821 break;
822 default:
823 if ((r->commands[i].u._unknown.length % 4) != 0) {
824 goto done;
825 }
826 break;
827 }
828 }
829 ret = true;
830 done:
831 TALLOC_FREE(frame);
832 return ret;
833 }
834
835 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
836 struct dcerpc_sec_vt *c)
837 {
838 if (bitmask1 == NULL) {
839 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
840 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
841 "failed\n"));
842 return false;
843 }
844
845 return true;
846 }
847
848 if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
849 && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
850 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
851 "failed\n"));
852 return false;
853 }
854 return true;
855 }
856
857 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
858 struct dcerpc_sec_vt *c)
859 {
860 bool ok;
861
862 if (pcontext == NULL) {
863 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
864 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
865 "failed\n"));
866 return false;
867 }
868
869 return true;
870 }
871
872 ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
873 &c->u.pcontext.abstract_syntax);
874 if (!ok) {
875 struct ndr_syntax_id_buf buf1, buf2;
876 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
877 "%s vs. %s\n",
878 ndr_syntax_id_buf_string(
879 &pcontext->abstract_syntax, &buf1),
880 ndr_syntax_id_buf_string(
881 &c->u.pcontext.abstract_syntax, &buf2)));
882 return false;
883 }
884 ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
885 &c->u.pcontext.transfer_syntax);
886 if (!ok) {
887 struct ndr_syntax_id_buf buf1, buf2;
888 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
889 "%s vs. %s\n",
890 ndr_syntax_id_buf_string(
891 &pcontext->transfer_syntax, &buf1),
892 ndr_syntax_id_buf_string(
893 &c->u.pcontext.transfer_syntax, &buf2)));
894 return false;
895 }
896
897 return true;
898 }
899
900 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
901 struct dcerpc_sec_vt *c)
902 {
903 if (header2 == NULL) {
904 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
905 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
906 return false;
907 }
908
909 return true;
910 }
911
912 if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
913 DEBUG(10, ("SEC_VT check Header2 failed\n"));
914 return false;
915 }
916
917 return true;
918 }
919
920 bool dcerpc_sec_verification_trailer_check(
921 const struct dcerpc_sec_verification_trailer *vt,
922 const uint32_t *bitmask1,
923 const struct dcerpc_sec_vt_pcontext *pcontext,
924 const struct dcerpc_sec_vt_header2 *header2)
925 {
926 size_t i;
927
928 if (!dcerpc_sec_vt_is_valid(vt)) {
929 return false;
930 }
931
932 for (i=0; i < vt->count.count; i++) {
933 bool ok;
934 struct dcerpc_sec_vt *c = &vt->commands[i];
935
936 switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
937 case DCERPC_SEC_VT_COMMAND_BITMASK1:
938 ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
939 if (!ok) {
940 return false;
941 }
942 break;
943
944 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
945 ok = dcerpc_sec_vt_pctx_check(pcontext, c);
946 if (!ok) {
947 return false;
948 }
949 break;
950
951 case DCERPC_SEC_VT_COMMAND_HEADER2: {
952 ok = dcerpc_sec_vt_hdr2_check(header2, c);
953 if (!ok) {
954 return false;
955 }
956 break;
957 }
958
959 default:
960 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
961 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
962 return false;
963 }
964
965 break;
966 }
967 }
968
969 return true;
970 }
971
972 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
973 .uuid = {
974 .time_low = 0x6cb71c2c,
975 .time_mid = 0x9812,
976 .time_hi_and_version = 0x4540,
977 .clock_seq = {0x00, 0x00},
978 .node = {0x00,0x00,0x00,0x00,0x00,0x00}
979 },
980 .if_version = 1,
981 };
982
983 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
984 {
985 uint8_t values[8];
986 uint64_t features = 0;
987
988 values[0] = s.uuid.clock_seq[0];
989 values[1] = s.uuid.clock_seq[1];
990 values[2] = s.uuid.node[0];
991 values[3] = s.uuid.node[1];
992 values[4] = s.uuid.node[2];
993 values[5] = s.uuid.node[3];
994 values[6] = s.uuid.node[4];
995 values[7] = s.uuid.node[5];
996
997 ZERO_STRUCT(s.uuid.clock_seq);
998 ZERO_STRUCT(s.uuid.node);
999
1000 if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
1001 if (_features != NULL) {
1002 *_features = 0;
1003 }
1004 return false;
1005 }
1006
1007 features = BVAL(values, 0);
1008
1009 if (_features != NULL) {
1010 *_features = features;
1011 }
1012
1013 return true;
1014 }
1015
1016 struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
1017 {
1018 struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
1019 uint8_t values[8];
1020
1021 SBVAL(values, 0, features);
1022
1023 s.uuid.clock_seq[0] = values[0];
1024 s.uuid.clock_seq[1] = values[1];
1025 s.uuid.node[0] = values[2];
1026 s.uuid.node[1] = values[3];
1027 s.uuid.node[2] = values[4];
1028 s.uuid.node[3] = values[5];
1029 s.uuid.node[4] = values[6];
1030 s.uuid.node[5] = values[7];
1031
1032 return s;
1033 }
1034
1035 NTSTATUS dcerpc_generic_session_key(DATA_BLOB *session_key)
1036 {
1037 *session_key = data_blob_null;
1038
1039 /* this took quite a few CPU cycles to find ... */
1040 session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");
1041 session_key->length = 16;
1042 return NT_STATUS_OK;
1043 }
1044
1045 /*
1046 push a ncacn_packet into a blob, potentially with auth info
1047 */
1048 NTSTATUS dcerpc_ncacn_push_auth(DATA_BLOB *blob,
1049 TALLOC_CTX *mem_ctx,
1050 struct ncacn_packet *pkt,
1051 struct dcerpc_auth *auth_info)
1052 {
1053 struct ndr_push *ndr;
1054 enum ndr_err_code ndr_err;
1055
1056 ndr = ndr_push_init_ctx(mem_ctx);
1057 if (!ndr) {
1058 return NT_STATUS_NO_MEMORY;
1059 }
1060
1061 if (auth_info) {
1062 pkt->auth_length = auth_info->credentials.length;
1063 } else {
1064 pkt->auth_length = 0;
1065 }
1066
1067 ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
1068 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1069 return ndr_map_error2ntstatus(ndr_err);
1070 }
1071
1072 if (auth_info) {
1073 #if 0
1074 /* the s3 rpc server doesn't handle auth padding in
1075 bind requests. Use zero auth padding to keep us
1076 working with old servers */
1077 uint32_t offset = ndr->offset;
1078 ndr_err = ndr_push_align(ndr, 16);
1079 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1080 return ndr_map_error2ntstatus(ndr_err);
1081 }
1082 auth_info->auth_pad_length = ndr->offset - offset;
1083 #else
1084 auth_info->auth_pad_length = 0;
1085 #endif
1086 ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
1087 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1088 return ndr_map_error2ntstatus(ndr_err);
1089 }
1090 }
1091
1092 *blob = ndr_push_blob(ndr);
1093
1094 /* fill in the frag length */
1095 dcerpc_set_frag_length(blob, blob->length);
1096
1097 return NT_STATUS_OK;
1098 }
1099
1100 /*
1101 log a rpc packet in a format suitable for ndrdump. This is especially useful
1102 for sealed packets, where ethereal cannot easily see the contents
1103
1104 this triggers if "dcesrv:stubs directory" is set and present
1105 for all packets that fail to parse
1106 */
1107 void dcerpc_log_packet(const char *packet_log_dir,
1108 const char *interface_name,
1109 uint32_t opnum, ndr_flags_type flags,
1110 const DATA_BLOB *pkt,
1111 const char *why)
1112 {
1113 const int num_examples = 20;
1114 int i;
1115
1116 if (packet_log_dir == NULL) {
1117 return;
1118 }
1119
1120 for (i=0;i<num_examples;i++) {
1121 char *name=NULL;
1122 int ret;
1123 bool saved;
1124 ret = asprintf(&name, "%s/%s-%"PRIu32".%d.%s.%s",
1125 packet_log_dir, interface_name, opnum, i,
1126 (flags&NDR_IN)?"in":"out",
1127 why);
1128 if (ret == -1) {
1129 return;
1130 }
1131
1132 saved = file_save(name, pkt->data, pkt->length);
1133 if (saved) {
1134 DBG_DEBUG("Logged rpc packet to %s\n", name);
1135 free(name);
1136 break;
1137 }
1138 free(name);
1139 }
1140 }
Samba GIT mirror