Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : raw dcerpc operations
4 :
5 : Copyright (C) Andrew Tridgell 2003-2005
6 : Copyright (C) Jelmer Vernooij 2004-2005
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "system/network.h"
24 : #include <tevent.h>
25 : #include "lib/tsocket/tsocket.h"
26 : #include "lib/util/tevent_ntstatus.h"
27 : #include "librpc/rpc/dcerpc.h"
28 : #include "librpc/rpc/dcerpc_util.h"
29 : #include "librpc/gen_ndr/ndr_dcerpc.h"
30 : #include "rpc_common.h"
31 : #include "lib/util/bitmap.h"
32 :
33 : #undef strncasecmp
34 :
35 : /* we need to be able to get/set the fragment length without doing a full
36 : decode */
37 3884816 : void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
38 : {
39 3884816 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
40 :
41 3884816 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
42 3850798 : SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
43 : } else {
44 34018 : RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
45 : }
46 3884816 : }
47 :
48 2476924 : uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
49 : {
50 2476924 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
51 :
52 2476924 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
53 2408240 : return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
54 : } else {
55 68684 : return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
56 : }
57 : }
58 :
59 1453921 : void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
60 : {
61 1453921 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
62 :
63 1453921 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
64 1422511 : SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
65 : } else {
66 31410 : RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
67 : }
68 1453921 : }
69 :
70 340386 : uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
71 : {
72 340386 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
73 :
74 340386 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
75 304380 : return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
76 : } else {
77 36006 : return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
78 : }
79 : }
80 :
81 0 : uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
82 : {
83 0 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
84 :
85 0 : return blob->data[DCERPC_DREP_OFFSET];
86 : }
87 :
88 340386 : static uint16_t dcerpc_get_auth_context_offset(const DATA_BLOB *blob)
89 : {
90 340386 : uint16_t frag_len = dcerpc_get_frag_length(blob);
91 340386 : uint16_t auth_len = dcerpc_get_auth_length(blob);
92 12216 : uint16_t min_offset;
93 12216 : uint16_t offset;
94 :
95 340386 : if (auth_len == 0) {
96 0 : return 0;
97 : }
98 :
99 340386 : if (frag_len > blob->length) {
100 0 : return 0;
101 : }
102 :
103 340386 : if (auth_len > frag_len) {
104 0 : return 0;
105 : }
106 :
107 340386 : min_offset = DCERPC_NCACN_PAYLOAD_OFFSET + DCERPC_AUTH_TRAILER_LENGTH;
108 340386 : offset = frag_len - auth_len;
109 340386 : if (offset < min_offset) {
110 9 : return 0;
111 : }
112 340377 : offset -= DCERPC_AUTH_TRAILER_LENGTH;
113 :
114 340377 : return offset;
115 : }
116 :
117 113462 : uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob)
118 : {
119 4072 : uint16_t offset;
120 :
121 113462 : offset = dcerpc_get_auth_context_offset(blob);
122 113462 : if (offset == 0) {
123 3 : return 0;
124 : }
125 :
126 : /*
127 : * auth_typw is in the 1st byte
128 : * of the auth trailer
129 : */
130 113459 : offset += 0;
131 :
132 113459 : return blob->data[offset];
133 : }
134 :
135 113462 : uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob)
136 : {
137 4072 : uint16_t offset;
138 :
139 113462 : offset = dcerpc_get_auth_context_offset(blob);
140 113462 : if (offset == 0) {
141 3 : return 0;
142 : }
143 :
144 : /*
145 : * auth_level is in 2nd byte
146 : * of the auth trailer
147 : */
148 113459 : offset += 1;
149 :
150 113459 : return blob->data[offset];
151 : }
152 :
153 113462 : uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob)
154 : {
155 4072 : uint16_t offset;
156 :
157 113462 : offset = dcerpc_get_auth_context_offset(blob);
158 113462 : if (offset == 0) {
159 3 : return 0;
160 : }
161 :
162 : /*
163 : * auth_context_id is in the last 4 byte
164 : * of the auth trailer
165 : */
166 113459 : offset += 4;
167 :
168 113459 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
169 101457 : return IVAL(blob->data, offset);
170 : } else {
171 12002 : return RIVAL(blob->data, offset);
172 : }
173 : }
174 :
175 : /**
176 : * @brief Decodes a ncacn_packet
177 : *
178 : * @param mem_ctx The memory context on which to allocate the packet
179 : * elements
180 : * @param blob The blob of data to decode
181 : * @param r An empty ncacn_packet, must not be NULL
182 : *
183 : * @return a NTSTATUS error code
184 : */
185 2806611 : NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
186 : const DATA_BLOB *blob,
187 : struct ncacn_packet *r)
188 : {
189 23013 : enum ndr_err_code ndr_err;
190 23013 : struct ndr_pull *ndr;
191 :
192 2806611 : ndr = ndr_pull_init_blob(blob, mem_ctx);
193 2806611 : if (!ndr) {
194 0 : return NT_STATUS_NO_MEMORY;
195 : }
196 :
197 2806611 : ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
198 :
199 2806611 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
200 0 : talloc_free(ndr);
201 0 : return ndr_map_error2ntstatus(ndr_err);
202 : }
203 2806611 : talloc_free(ndr);
204 :
205 2806611 : if (r->frag_length != blob->length) {
206 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
207 : }
208 :
209 2806611 : return NT_STATUS_OK;
210 : }
211 :
212 : /**
213 : * @brief Pull a dcerpc_auth structure, taking account of any auth
214 : * padding in the blob. For request/response packets we pass
215 : * the whole data blob, so auth_data_only must be set to false
216 : * as the blob contains data+pad+auth and no just pad+auth.
217 : *
218 : * @param pkt - The ncacn_packet structure
219 : * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
220 : * @param pkt_trailer - The packet trailer data, usually the trailing
221 : * auth_info blob, but in the request/response case
222 : * this is the stub_and_verifier blob.
223 : * @param auth - A preallocated dcerpc_auth *empty* structure
224 : * @param auth_length - The length of the auth trail, sum of auth header
225 : * length and pkt->auth_length
226 : * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
227 : * (+ padding) or also other data.
228 : *
229 : * @return - A NTSTATUS error code.
230 : */
231 541269 : NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
232 : TALLOC_CTX *mem_ctx,
233 : const DATA_BLOB *pkt_trailer,
234 : struct dcerpc_auth *auth,
235 : uint32_t *_auth_length,
236 : bool auth_data_only)
237 : {
238 7825 : struct ndr_pull *ndr;
239 7825 : enum ndr_err_code ndr_err;
240 7825 : uint16_t data_and_pad;
241 7825 : uint16_t auth_length;
242 7825 : uint32_t tmp_length;
243 541269 : uint32_t max_pad_len = 0;
244 :
245 541269 : ZERO_STRUCTP(auth);
246 541269 : if (_auth_length != NULL) {
247 510869 : *_auth_length = 0;
248 :
249 510869 : if (auth_data_only) {
250 0 : return NT_STATUS_INTERNAL_ERROR;
251 : }
252 : } else {
253 30400 : if (!auth_data_only) {
254 0 : return NT_STATUS_INTERNAL_ERROR;
255 : }
256 : }
257 :
258 : /* Paranoia checks for auth_length. The caller should check this... */
259 541269 : if (pkt->auth_length == 0) {
260 0 : return NT_STATUS_INTERNAL_ERROR;
261 : }
262 :
263 : /* Paranoia checks for auth_length. The caller should check this... */
264 541269 : if (pkt->auth_length > pkt->frag_length) {
265 0 : return NT_STATUS_INTERNAL_ERROR;
266 : }
267 541269 : tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
268 541269 : tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
269 541269 : tmp_length += pkt->auth_length;
270 541269 : if (tmp_length > pkt->frag_length) {
271 0 : return NT_STATUS_INTERNAL_ERROR;
272 : }
273 541269 : if (pkt_trailer->length > UINT16_MAX) {
274 0 : return NT_STATUS_INTERNAL_ERROR;
275 : }
276 :
277 541269 : auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
278 541269 : if (pkt_trailer->length < auth_length) {
279 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
280 : }
281 :
282 541269 : data_and_pad = pkt_trailer->length - auth_length;
283 :
284 541269 : ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
285 541269 : if (!ndr) {
286 0 : return NT_STATUS_NO_MEMORY;
287 : }
288 :
289 541269 : if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
290 12416 : ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
291 : }
292 :
293 541269 : ndr_err = ndr_pull_advance(ndr, data_and_pad);
294 541269 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
295 0 : talloc_free(ndr);
296 0 : return ndr_map_error2ntstatus(ndr_err);
297 : }
298 :
299 541269 : ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
300 541269 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
301 0 : talloc_free(ndr);
302 0 : ZERO_STRUCTP(auth);
303 0 : return ndr_map_error2ntstatus(ndr_err);
304 : }
305 :
306 : /*
307 : * Make sure the padding would not exceed
308 : * the frag_length.
309 : *
310 : * Here we assume at least 24 bytes for the
311 : * payload specific header the value of
312 : * DCERPC_{REQUEST,RESPONSE}_LENGTH.
313 : *
314 : * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
315 : *
316 : * We need this check before we ignore possible
317 : * invalid values. See also bug #11982.
318 : *
319 : * This check is mainly used to generate the correct
320 : * error for BIND_*, ALTER_* and AUTH3 pdus.
321 : *
322 : * We always have the 'if (data_and_pad < auth->auth_pad_length)'
323 : * protection for REQUEST and RESPONSE pdus, where the
324 : * auth_pad_length field is actually used by the caller.
325 : */
326 541269 : tmp_length = DCERPC_REQUEST_LENGTH;
327 541269 : tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
328 541269 : tmp_length += pkt->auth_length;
329 541269 : if (tmp_length < pkt->frag_length) {
330 540748 : max_pad_len = pkt->frag_length - tmp_length;
331 : }
332 541269 : if (max_pad_len < auth->auth_pad_length) {
333 9 : DEBUG(1, (__location__ ": ERROR: pad length too large. "
334 : "max %"PRIu32" got %"PRIu8"\n",
335 : max_pad_len,
336 : auth->auth_pad_length));
337 9 : talloc_free(ndr);
338 9 : ZERO_STRUCTP(auth);
339 9 : return NT_STATUS_RPC_PROTOCOL_ERROR;
340 : }
341 :
342 : /*
343 : * This is a workaround for a bug in old
344 : * Samba releases. For BIND_ACK <= 3.5.x
345 : * and for ALTER_RESP <= 4.2.x (see bug #11061)
346 : *
347 : * See also bug #11982.
348 : */
349 541260 : if (auth_data_only && data_and_pad == 0 &&
350 29351 : auth->auth_pad_length > 0) {
351 : /*
352 : * we need to ignore invalid auth_pad_length
353 : * values for BIND_*, ALTER_* and AUTH3 pdus.
354 : */
355 15 : auth->auth_pad_length = 0;
356 : }
357 :
358 541260 : if (data_and_pad < auth->auth_pad_length) {
359 0 : DBG_WARNING(__location__ ": ERROR: pad length too long. "
360 : "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
361 : "was less than auth_pad_length=%"PRIu8"\n",
362 : data_and_pad,
363 : pkt_trailer->length,
364 : auth_length,
365 : auth->auth_pad_length);
366 0 : talloc_free(ndr);
367 0 : ZERO_STRUCTP(auth);
368 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
369 : }
370 :
371 541260 : if (auth_data_only && data_and_pad > auth->auth_pad_length) {
372 0 : DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
373 : "Client sent a longer BIND packet than expected by %"PRIu16" bytes "
374 : "(pkt_trailer->length=%zu - auth_length=%"PRIu16") "
375 : "= %"PRIu16" auth_pad_length=%"PRIu8"\n",
376 : data_and_pad - auth->auth_pad_length,
377 : pkt_trailer->length,
378 : auth_length,
379 : data_and_pad,
380 : auth->auth_pad_length);
381 0 : talloc_free(ndr);
382 0 : ZERO_STRUCTP(auth);
383 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
384 : }
385 :
386 541260 : if (auth_data_only && data_and_pad != auth->auth_pad_length) {
387 0 : DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
388 : "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
389 : "but auth_pad_length=%"PRIu8"\n",
390 : data_and_pad,
391 : pkt_trailer->length,
392 : auth_length,
393 : auth->auth_pad_length);
394 0 : talloc_free(ndr);
395 0 : ZERO_STRUCTP(auth);
396 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
397 : }
398 :
399 541260 : DBG_DEBUG("auth_pad_length %"PRIu8"\n",
400 : auth->auth_pad_length);
401 :
402 541260 : talloc_steal(mem_ctx, auth->credentials.data);
403 541260 : talloc_free(ndr);
404 :
405 541260 : if (_auth_length != NULL) {
406 510869 : *_auth_length = auth_length;
407 : }
408 :
409 541260 : return NT_STATUS_OK;
410 : }
411 :
412 : /**
413 : * @brief Verify the fields in ncacn_packet header.
414 : *
415 : * @param pkt - The ncacn_packet structure
416 : * @param ptype - The expected PDU type
417 : * @param max_auth_info - The maximum size of a possible auth trailer
418 : * @param required_flags - The required flags for the pdu.
419 : * @param optional_flags - The possible optional flags for the pdu.
420 : *
421 : * @return - A NTSTATUS error code.
422 : */
423 2981884 : NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
424 : enum dcerpc_pkt_type ptype,
425 : size_t max_auth_info,
426 : uint8_t required_flags,
427 : uint8_t optional_flags)
428 : {
429 2981884 : if (pkt->rpc_vers != 5) {
430 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
431 : }
432 :
433 2981884 : if (pkt->rpc_vers_minor != 0) {
434 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
435 : }
436 :
437 2981884 : if (pkt->auth_length > pkt->frag_length) {
438 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
439 : }
440 :
441 2981884 : if (pkt->ptype != ptype) {
442 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
443 : }
444 :
445 2981884 : if (max_auth_info > UINT16_MAX) {
446 0 : return NT_STATUS_INTERNAL_ERROR;
447 : }
448 :
449 2981884 : if (pkt->auth_length > 0) {
450 11377 : size_t max_auth_length;
451 :
452 649844 : if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
453 3 : return NT_STATUS_RPC_PROTOCOL_ERROR;
454 : }
455 649841 : max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
456 :
457 649841 : if (pkt->auth_length > max_auth_length) {
458 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
459 : }
460 : }
461 :
462 2981881 : if ((pkt->pfc_flags & required_flags) != required_flags) {
463 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
464 : }
465 2981881 : if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
466 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
467 : }
468 :
469 2981881 : if (pkt->drep[0] & ~DCERPC_DREP_LE) {
470 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
471 : }
472 2981881 : if (pkt->drep[1] != 0) {
473 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
474 : }
475 2981881 : if (pkt->drep[2] != 0) {
476 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
477 : }
478 2981881 : if (pkt->drep[3] != 0) {
479 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
480 : }
481 :
482 2981881 : return NT_STATUS_OK;
483 : }
484 :
485 : struct dcerpc_read_ncacn_packet_state {
486 : #if 0
487 : struct {
488 : } caller;
489 : #endif
490 : DATA_BLOB buffer;
491 : struct ncacn_packet *pkt;
492 : };
493 :
494 : static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
495 : void *private_data,
496 : TALLOC_CTX *mem_ctx,
497 : struct iovec **_vector,
498 : size_t *_count);
499 : static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
500 :
501 1603286 : struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
502 : struct tevent_context *ev,
503 : struct tstream_context *stream)
504 : {
505 16236 : struct tevent_req *req;
506 16236 : struct dcerpc_read_ncacn_packet_state *state;
507 16236 : struct tevent_req *subreq;
508 :
509 1603286 : req = tevent_req_create(mem_ctx, &state,
510 : struct dcerpc_read_ncacn_packet_state);
511 1603286 : if (req == NULL) {
512 0 : return NULL;
513 : }
514 :
515 1603286 : state->pkt = talloc_zero(state, struct ncacn_packet);
516 1603286 : if (tevent_req_nomem(state->pkt, req)) {
517 0 : goto post;
518 : }
519 :
520 1603286 : subreq = tstream_readv_pdu_send(state, ev,
521 : stream,
522 : dcerpc_read_ncacn_packet_next_vector,
523 : state);
524 1603286 : if (tevent_req_nomem(subreq, req)) {
525 0 : goto post;
526 : }
527 1603286 : tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
528 :
529 1603286 : return req;
530 0 : post:
531 0 : tevent_req_post(req, ev);
532 0 : return req;
533 : }
534 :
535 4699479 : static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
536 : void *private_data,
537 : TALLOC_CTX *mem_ctx,
538 : struct iovec **_vector,
539 : size_t *_count)
540 : {
541 46946 : struct dcerpc_read_ncacn_packet_state *state =
542 4699479 : talloc_get_type_abort(private_data,
543 : struct dcerpc_read_ncacn_packet_state);
544 46946 : struct iovec *vector;
545 4699479 : off_t ofs = 0;
546 :
547 4699479 : if (state->buffer.length == 0) {
548 : /*
549 : * first get enough to read the fragment length
550 : *
551 : * We read the full fixed ncacn_packet header
552 : * in order to make wireshark happy with
553 : * pcap files from socket_wrapper.
554 : */
555 1603286 : ofs = 0;
556 1603286 : state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
557 1603286 : state->buffer.data = talloc_array(state, uint8_t,
558 : state->buffer.length);
559 1603286 : if (!state->buffer.data) {
560 0 : return -1;
561 : }
562 3096193 : } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
563 : /* now read the fragment length and allocate the full buffer */
564 1548107 : size_t frag_len = dcerpc_get_frag_length(&state->buffer);
565 :
566 1548107 : ofs = state->buffer.length;
567 :
568 1548107 : if (frag_len <= ofs) {
569 : /*
570 : * With frag_len == ofs, we are done, this is likely
571 : * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
572 : * without any payload.
573 : *
574 : * Otherwise it's a broken packet and we
575 : * let the caller deal with it.
576 : */
577 21 : *_vector = NULL;
578 21 : *_count = 0;
579 21 : return 0;
580 : }
581 :
582 1548086 : state->buffer.data = talloc_realloc(state,
583 : state->buffer.data,
584 : uint8_t, frag_len);
585 1548086 : if (!state->buffer.data) {
586 0 : return -1;
587 : }
588 1548086 : state->buffer.length = frag_len;
589 : } else {
590 : /* if we reach this we have a full fragment */
591 1548086 : *_vector = NULL;
592 1548086 : *_count = 0;
593 1548086 : return 0;
594 : }
595 :
596 : /* now create the vector that we want to be filled */
597 3151372 : vector = talloc_array(mem_ctx, struct iovec, 1);
598 3151372 : if (!vector) {
599 0 : return -1;
600 : }
601 :
602 3151372 : vector[0].iov_base = (void *) (state->buffer.data + ofs);
603 3151372 : vector[0].iov_len = state->buffer.length - ofs;
604 :
605 3151372 : *_vector = vector;
606 3151372 : *_count = 1;
607 3151372 : return 0;
608 : }
609 :
610 1602894 : static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
611 : {
612 1602894 : struct tevent_req *req = tevent_req_callback_data(subreq,
613 : struct tevent_req);
614 1602894 : struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
615 : struct dcerpc_read_ncacn_packet_state);
616 16225 : int ret;
617 16225 : int sys_errno;
618 16225 : NTSTATUS status;
619 :
620 1602894 : ret = tstream_readv_pdu_recv(subreq, &sys_errno);
621 1602894 : TALLOC_FREE(subreq);
622 1602894 : if (ret == -1) {
623 54787 : status = map_nt_error_from_unix_common(sys_errno);
624 54787 : tevent_req_nterror(req, status);
625 55292 : return;
626 : }
627 :
628 1548107 : status = dcerpc_pull_ncacn_packet(state->pkt,
629 1548107 : &state->buffer,
630 : state->pkt);
631 1548107 : if (tevent_req_nterror(req, status)) {
632 0 : return;
633 : }
634 :
635 1548107 : tevent_req_done(req);
636 : }
637 :
638 1602894 : NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
639 : TALLOC_CTX *mem_ctx,
640 : struct ncacn_packet **pkt,
641 : DATA_BLOB *buffer)
642 : {
643 1602894 : struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
644 : struct dcerpc_read_ncacn_packet_state);
645 16225 : NTSTATUS status;
646 :
647 1602894 : if (tevent_req_is_nterror(req, &status)) {
648 54787 : tevent_req_received(req);
649 54787 : return status;
650 : }
651 :
652 1548107 : *pkt = talloc_move(mem_ctx, &state->pkt);
653 1548107 : if (buffer) {
654 1548107 : buffer->data = talloc_move(mem_ctx, &state->buffer.data);
655 1548107 : buffer->length = state->buffer.length;
656 : }
657 :
658 1548107 : tevent_req_received(req);
659 1548107 : return NT_STATUS_OK;
660 : }
661 :
662 40724 : const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
663 : enum dcerpc_transport_t transport,
664 : const struct ndr_interface_table *table)
665 : {
666 0 : NTSTATUS status;
667 40724 : const char *p = NULL;
668 40724 : const char *endpoint = NULL;
669 0 : uint32_t i;
670 40724 : struct dcerpc_binding *default_binding = NULL;
671 40724 : TALLOC_CTX *frame = talloc_stackframe();
672 :
673 : /* Find one of the default pipes for this interface */
674 :
675 40724 : for (i = 0; i < table->endpoints->count; i++) {
676 0 : enum dcerpc_transport_t dtransport;
677 0 : const char *dendpoint;
678 :
679 40724 : status = dcerpc_parse_binding(frame, table->endpoints->names[i],
680 : &default_binding);
681 40724 : if (!NT_STATUS_IS_OK(status)) {
682 0 : continue;
683 : }
684 :
685 40724 : dtransport = dcerpc_binding_get_transport(default_binding);
686 40724 : dendpoint = dcerpc_binding_get_string_option(default_binding,
687 : "endpoint");
688 40724 : if (dendpoint == NULL) {
689 0 : TALLOC_FREE(default_binding);
690 0 : continue;
691 : }
692 :
693 40724 : if (transport == NCA_UNKNOWN) {
694 0 : transport = dtransport;
695 : }
696 :
697 40724 : if (transport != dtransport) {
698 0 : TALLOC_FREE(default_binding);
699 0 : continue;
700 : }
701 :
702 40724 : p = dendpoint;
703 40724 : break;
704 : }
705 :
706 40724 : if (p == NULL) {
707 0 : goto done;
708 : }
709 :
710 : /*
711 : * extract the pipe name without \\pipe from for example
712 : * ncacn_np:[\\pipe\\epmapper]
713 : */
714 40724 : if (transport == NCACN_NP) {
715 40724 : if (strncasecmp(p, "\\pipe\\", 6) == 0) {
716 40724 : p += 6;
717 : }
718 40724 : if (p[0] == '\\') {
719 0 : p += 1;
720 : }
721 : }
722 :
723 40724 : endpoint = talloc_strdup(mem_ctx, p);
724 :
725 40724 : done:
726 40724 : talloc_free(frame);
727 40724 : return endpoint;
728 : }
729 :
730 832648 : struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
731 : {
732 6616 : struct dcerpc_sec_vt_header2 ret;
733 :
734 832648 : ZERO_STRUCT(ret);
735 832648 : ret.ptype = pkt->ptype;
736 832648 : memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
737 832648 : ret.call_id = pkt->call_id;
738 :
739 832648 : switch (pkt->ptype) {
740 832648 : case DCERPC_PKT_REQUEST:
741 832648 : ret.context_id = pkt->u.request.context_id;
742 832648 : ret.opnum = pkt->u.request.opnum;
743 832648 : break;
744 :
745 0 : case DCERPC_PKT_RESPONSE:
746 0 : ret.context_id = pkt->u.response.context_id;
747 0 : break;
748 :
749 0 : case DCERPC_PKT_FAULT:
750 0 : ret.context_id = pkt->u.fault.context_id;
751 0 : break;
752 :
753 0 : default:
754 0 : break;
755 : }
756 :
757 832648 : return ret;
758 : }
759 :
760 8268 : bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
761 : const struct dcerpc_sec_vt_header2 *v2)
762 : {
763 8268 : if (v1->ptype != v2->ptype) {
764 0 : return false;
765 : }
766 :
767 8268 : if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
768 0 : return false;
769 : }
770 :
771 8268 : if (v1->call_id != v2->call_id) {
772 0 : return false;
773 : }
774 :
775 8268 : if (v1->context_id != v2->context_id) {
776 0 : return false;
777 : }
778 :
779 8268 : if (v1->opnum != v2->opnum) {
780 0 : return false;
781 : }
782 :
783 8268 : return true;
784 : }
785 :
786 832649 : static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
787 : {
788 832649 : bool ret = false;
789 832649 : TALLOC_CTX *frame = talloc_stackframe();
790 6617 : struct bitmap *commands_seen;
791 6617 : int i;
792 :
793 832649 : if (r->count.count == 0) {
794 815678 : ret = true;
795 815678 : goto done;
796 : }
797 :
798 16971 : if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
799 0 : goto done;
800 : }
801 :
802 16971 : commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
803 16971 : if (commands_seen == NULL) {
804 0 : goto done;
805 : }
806 :
807 43669 : for (i=0; i < r->count.count; i++) {
808 26698 : enum dcerpc_sec_vt_command_enum cmd =
809 26698 : r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
810 :
811 26698 : if (bitmap_query(commands_seen, cmd)) {
812 : /* Each command must appear at most once. */
813 0 : goto done;
814 : }
815 26698 : bitmap_set(commands_seen, cmd);
816 :
817 26698 : switch (cmd) {
818 25482 : case DCERPC_SEC_VT_COMMAND_BITMASK1:
819 : case DCERPC_SEC_VT_COMMAND_PCONTEXT:
820 : case DCERPC_SEC_VT_COMMAND_HEADER2:
821 25482 : break;
822 0 : default:
823 0 : if ((r->commands[i].u._unknown.length % 4) != 0) {
824 0 : goto done;
825 : }
826 0 : break;
827 : }
828 : }
829 16362 : ret = true;
830 832649 : done:
831 832649 : TALLOC_FREE(frame);
832 832649 : return ret;
833 : }
834 :
835 9211 : static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
836 : struct dcerpc_sec_vt *c)
837 : {
838 9211 : if (bitmask1 == NULL) {
839 0 : if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
840 0 : DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
841 : "failed\n"));
842 0 : return false;
843 : }
844 :
845 0 : return true;
846 : }
847 :
848 9211 : if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
849 9211 : && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
850 0 : DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
851 : "failed\n"));
852 0 : return false;
853 : }
854 8604 : return true;
855 : }
856 :
857 9219 : static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
858 : struct dcerpc_sec_vt *c)
859 : {
860 609 : bool ok;
861 :
862 9219 : if (pcontext == NULL) {
863 0 : if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
864 0 : DEBUG(10, ("SEC_VT check Pcontext must_process_command "
865 : "failed\n"));
866 0 : return false;
867 : }
868 :
869 0 : return true;
870 : }
871 :
872 9828 : ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
873 9219 : &c->u.pcontext.abstract_syntax);
874 9219 : if (!ok) {
875 0 : struct ndr_syntax_id_buf buf1, buf2;
876 0 : DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
877 : "%s vs. %s\n",
878 : ndr_syntax_id_buf_string(
879 : &pcontext->abstract_syntax, &buf1),
880 : ndr_syntax_id_buf_string(
881 : &c->u.pcontext.abstract_syntax, &buf2)));
882 0 : return false;
883 : }
884 9828 : ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
885 9219 : &c->u.pcontext.transfer_syntax);
886 9219 : if (!ok) {
887 0 : struct ndr_syntax_id_buf buf1, buf2;
888 0 : DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
889 : "%s vs. %s\n",
890 : ndr_syntax_id_buf_string(
891 : &pcontext->transfer_syntax, &buf1),
892 : ndr_syntax_id_buf_string(
893 : &c->u.pcontext.transfer_syntax, &buf2)));
894 0 : return false;
895 : }
896 :
897 8610 : return true;
898 : }
899 :
900 8268 : static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
901 : struct dcerpc_sec_vt *c)
902 : {
903 8268 : if (header2 == NULL) {
904 0 : if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
905 0 : DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
906 0 : return false;
907 : }
908 :
909 0 : return true;
910 : }
911 :
912 8268 : if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
913 0 : DEBUG(10, ("SEC_VT check Header2 failed\n"));
914 0 : return false;
915 : }
916 :
917 8268 : return true;
918 : }
919 :
920 832649 : bool dcerpc_sec_verification_trailer_check(
921 : const struct dcerpc_sec_verification_trailer *vt,
922 : const uint32_t *bitmask1,
923 : const struct dcerpc_sec_vt_pcontext *pcontext,
924 : const struct dcerpc_sec_vt_header2 *header2)
925 : {
926 6617 : size_t i;
927 :
928 832649 : if (!dcerpc_sec_vt_is_valid(vt)) {
929 0 : return false;
930 : }
931 :
932 859347 : for (i=0; i < vt->count.count; i++) {
933 1216 : bool ok;
934 26698 : struct dcerpc_sec_vt *c = &vt->commands[i];
935 :
936 26698 : switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
937 9211 : case DCERPC_SEC_VT_COMMAND_BITMASK1:
938 9211 : ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
939 9211 : if (!ok) {
940 0 : return false;
941 : }
942 8604 : break;
943 :
944 9219 : case DCERPC_SEC_VT_COMMAND_PCONTEXT:
945 9219 : ok = dcerpc_sec_vt_pctx_check(pcontext, c);
946 9219 : if (!ok) {
947 0 : return false;
948 : }
949 8610 : break;
950 :
951 8268 : case DCERPC_SEC_VT_COMMAND_HEADER2: {
952 8268 : ok = dcerpc_sec_vt_hdr2_check(header2, c);
953 8268 : if (!ok) {
954 0 : return false;
955 : }
956 8268 : break;
957 : }
958 :
959 0 : default:
960 0 : if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
961 0 : DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
962 0 : return false;
963 : }
964 :
965 0 : break;
966 : }
967 : }
968 :
969 826032 : return true;
970 : }
971 :
972 : static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
973 : .uuid = {
974 : .time_low = 0x6cb71c2c,
975 : .time_mid = 0x9812,
976 : .time_hi_and_version = 0x4540,
977 : .clock_seq = {0x00, 0x00},
978 : .node = {0x00,0x00,0x00,0x00,0x00,0x00}
979 : },
980 : .if_version = 1,
981 : };
982 :
983 73926 : bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
984 : {
985 1712 : uint8_t values[8];
986 73926 : uint64_t features = 0;
987 :
988 73926 : values[0] = s.uuid.clock_seq[0];
989 73926 : values[1] = s.uuid.clock_seq[1];
990 73926 : values[2] = s.uuid.node[0];
991 73926 : values[3] = s.uuid.node[1];
992 73926 : values[4] = s.uuid.node[2];
993 73926 : values[5] = s.uuid.node[3];
994 73926 : values[6] = s.uuid.node[4];
995 73926 : values[7] = s.uuid.node[5];
996 :
997 73926 : ZERO_STRUCT(s.uuid.clock_seq);
998 73926 : ZERO_STRUCT(s.uuid.node);
999 :
1000 73926 : if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
1001 54921 : if (_features != NULL) {
1002 54921 : *_features = 0;
1003 : }
1004 54921 : return false;
1005 : }
1006 :
1007 19005 : features = BVAL(values, 0);
1008 :
1009 19005 : if (_features != NULL) {
1010 19005 : *_features = features;
1011 : }
1012 :
1013 18153 : return true;
1014 : }
1015 :
1016 19998 : struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
1017 : {
1018 19998 : struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
1019 870 : uint8_t values[8];
1020 :
1021 19998 : SBVAL(values, 0, features);
1022 :
1023 19998 : s.uuid.clock_seq[0] = values[0];
1024 19998 : s.uuid.clock_seq[1] = values[1];
1025 19998 : s.uuid.node[0] = values[2];
1026 19998 : s.uuid.node[1] = values[3];
1027 19998 : s.uuid.node[2] = values[4];
1028 19998 : s.uuid.node[3] = values[5];
1029 19998 : s.uuid.node[4] = values[6];
1030 19998 : s.uuid.node[5] = values[7];
1031 :
1032 19998 : return s;
1033 : }
1034 :
1035 190 : NTSTATUS dcerpc_generic_session_key(DATA_BLOB *session_key)
1036 : {
1037 190 : *session_key = data_blob_null;
1038 :
1039 : /* this took quite a few CPU cycles to find ... */
1040 190 : session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");
1041 190 : session_key->length = 16;
1042 190 : return NT_STATUS_OK;
1043 : }
1044 :
1045 : /*
1046 : push a ncacn_packet into a blob, potentially with auth info
1047 : */
1048 90167 : NTSTATUS dcerpc_ncacn_push_auth(DATA_BLOB *blob,
1049 : TALLOC_CTX *mem_ctx,
1050 : struct ncacn_packet *pkt,
1051 : struct dcerpc_auth *auth_info)
1052 : {
1053 2325 : struct ndr_push *ndr;
1054 2325 : enum ndr_err_code ndr_err;
1055 :
1056 90167 : ndr = ndr_push_init_ctx(mem_ctx);
1057 90167 : if (!ndr) {
1058 0 : return NT_STATUS_NO_MEMORY;
1059 : }
1060 :
1061 90167 : if (auth_info) {
1062 29681 : pkt->auth_length = auth_info->credentials.length;
1063 : } else {
1064 60486 : pkt->auth_length = 0;
1065 : }
1066 :
1067 90167 : ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
1068 90167 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1069 0 : return ndr_map_error2ntstatus(ndr_err);
1070 : }
1071 :
1072 90167 : if (auth_info) {
1073 : #if 0
1074 : /* the s3 rpc server doesn't handle auth padding in
1075 : bind requests. Use zero auth padding to keep us
1076 : working with old servers */
1077 : uint32_t offset = ndr->offset;
1078 : ndr_err = ndr_push_align(ndr, 16);
1079 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1080 : return ndr_map_error2ntstatus(ndr_err);
1081 : }
1082 : auth_info->auth_pad_length = ndr->offset - offset;
1083 : #else
1084 29681 : auth_info->auth_pad_length = 0;
1085 : #endif
1086 29681 : ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
1087 29681 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1088 0 : return ndr_map_error2ntstatus(ndr_err);
1089 : }
1090 : }
1091 :
1092 90167 : *blob = ndr_push_blob(ndr);
1093 :
1094 : /* fill in the frag length */
1095 90167 : dcerpc_set_frag_length(blob, blob->length);
1096 :
1097 90167 : return NT_STATUS_OK;
1098 : }
1099 :
1100 : /*
1101 : log a rpc packet in a format suitable for ndrdump. This is especially useful
1102 : for sealed packets, where ethereal cannot easily see the contents
1103 :
1104 : this triggers if "dcesrv:stubs directory" is set and present
1105 : for all packets that fail to parse
1106 : */
1107 2114 : void dcerpc_log_packet(const char *packet_log_dir,
1108 : const char *interface_name,
1109 : uint32_t opnum, ndr_flags_type flags,
1110 : const DATA_BLOB *pkt,
1111 : const char *why)
1112 : {
1113 2114 : const int num_examples = 20;
1114 4 : int i;
1115 :
1116 2114 : if (packet_log_dir == NULL) {
1117 2110 : return;
1118 : }
1119 :
1120 0 : for (i=0;i<num_examples;i++) {
1121 0 : char *name=NULL;
1122 0 : int ret;
1123 0 : bool saved;
1124 0 : ret = asprintf(&name, "%s/%s-%"PRIu32".%d.%s.%s",
1125 : packet_log_dir, interface_name, opnum, i,
1126 0 : (flags&NDR_IN)?"in":"out",
1127 : why);
1128 0 : if (ret == -1) {
1129 0 : return;
1130 : }
1131 :
1132 0 : saved = file_save(name, pkt->data, pkt->length);
1133 0 : if (saved) {
1134 0 : DBG_DEBUG("Logged rpc packet to %s\n", name);
1135 0 : free(name);
1136 0 : break;
1137 : }
1138 0 : free(name);
1139 : }
1140 : }
|
