Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : raw dcerpc operations
4 :
5 : Copyright (C) Andrew Tridgell 2003-2005
6 : Copyright (C) Jelmer Vernooij 2004-2005
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "system/network.h"
24 : #include <tevent.h>
25 : #include "lib/tsocket/tsocket.h"
26 : #include "lib/util/util_file.h"
27 : #include "lib/util/tevent_ntstatus.h"
28 : #include "librpc/rpc/dcerpc.h"
29 : #include "librpc/rpc/dcerpc_util.h"
30 : #include "librpc/gen_ndr/ndr_dcerpc.h"
31 : #include "rpc_common.h"
32 : #include "lib/util/bitmap.h"
33 :
34 : #undef strncasecmp
35 :
36 : /* we need to be able to get/set the fragment length without doing a full
37 : decode */
38 3847530 : void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
39 : {
40 3847530 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
41 :
42 3847530 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
43 3815027 : SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
44 : } else {
45 32503 : RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
46 : }
47 3847530 : }
48 :
49 2452272 : uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
50 : {
51 2452272 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
52 :
53 2452272 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
54 2392552 : return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
55 : } else {
56 59720 : return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
57 : }
58 : }
59 :
60 1435297 : void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
61 : {
62 1435297 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
63 :
64 1435297 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
65 1405462 : SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
66 : } else {
67 29835 : RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
68 : }
69 1435297 : }
70 :
71 333900 : uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
72 : {
73 333900 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
74 :
75 333900 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
76 305343 : return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
77 : } else {
78 28557 : return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
79 : }
80 : }
81 :
82 0 : uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
83 : {
84 0 : SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
85 :
86 0 : return blob->data[DCERPC_DREP_OFFSET];
87 : }
88 :
89 333900 : static uint16_t dcerpc_get_auth_context_offset(const DATA_BLOB *blob)
90 : {
91 333900 : uint16_t frag_len = dcerpc_get_frag_length(blob);
92 333900 : uint16_t auth_len = dcerpc_get_auth_length(blob);
93 12219 : uint16_t min_offset;
94 12219 : uint16_t offset;
95 :
96 333900 : if (auth_len == 0) {
97 0 : return 0;
98 : }
99 :
100 333900 : if (frag_len > blob->length) {
101 0 : return 0;
102 : }
103 :
104 333900 : if (auth_len > frag_len) {
105 0 : return 0;
106 : }
107 :
108 333900 : min_offset = DCERPC_NCACN_PAYLOAD_OFFSET + DCERPC_AUTH_TRAILER_LENGTH;
109 333900 : offset = frag_len - auth_len;
110 333900 : if (offset < min_offset) {
111 9 : return 0;
112 : }
113 333891 : offset -= DCERPC_AUTH_TRAILER_LENGTH;
114 :
115 333891 : return offset;
116 : }
117 :
118 111300 : uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob)
119 : {
120 4073 : uint16_t offset;
121 :
122 111300 : offset = dcerpc_get_auth_context_offset(blob);
123 111300 : if (offset == 0) {
124 3 : return 0;
125 : }
126 :
127 : /*
128 : * auth_typw is in the 1st byte
129 : * of the auth trailer
130 : */
131 111297 : offset += 0;
132 :
133 111297 : return blob->data[offset];
134 : }
135 :
136 111300 : uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob)
137 : {
138 4073 : uint16_t offset;
139 :
140 111300 : offset = dcerpc_get_auth_context_offset(blob);
141 111300 : if (offset == 0) {
142 3 : return 0;
143 : }
144 :
145 : /*
146 : * auth_level is in 2nd byte
147 : * of the auth trailer
148 : */
149 111297 : offset += 1;
150 :
151 111297 : return blob->data[offset];
152 : }
153 :
154 111300 : uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob)
155 : {
156 4073 : uint16_t offset;
157 :
158 111300 : offset = dcerpc_get_auth_context_offset(blob);
159 111300 : if (offset == 0) {
160 3 : return 0;
161 : }
162 :
163 : /*
164 : * auth_context_id is in the last 4 byte
165 : * of the auth trailer
166 : */
167 111297 : offset += 4;
168 :
169 111297 : if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
170 101778 : return IVAL(blob->data, offset);
171 : } else {
172 9519 : return RIVAL(blob->data, offset);
173 : }
174 : }
175 :
176 : /**
177 : * @brief Decodes a ncacn_packet
178 : *
179 : * @param mem_ctx The memory context on which to allocate the packet
180 : * elements
181 : * @param blob The blob of data to decode
182 : * @param r An empty ncacn_packet, must not be NULL
183 : *
184 : * @return a NTSTATUS error code
185 : */
186 2769145 : NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
187 : const DATA_BLOB *blob,
188 : struct ncacn_packet *r)
189 : {
190 23882 : enum ndr_err_code ndr_err;
191 23882 : struct ndr_pull *ndr;
192 :
193 2769145 : ndr = ndr_pull_init_blob(blob, mem_ctx);
194 2769145 : if (!ndr) {
195 0 : return NT_STATUS_NO_MEMORY;
196 : }
197 :
198 2769145 : ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
199 :
200 2769145 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
201 0 : talloc_free(ndr);
202 0 : return ndr_map_error2ntstatus(ndr_err);
203 : }
204 2769145 : talloc_free(ndr);
205 :
206 2769145 : if (r->frag_length != blob->length) {
207 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
208 : }
209 :
210 2769145 : return NT_STATUS_OK;
211 : }
212 :
213 : /**
214 : * @brief Pull a dcerpc_auth structure, taking account of any auth
215 : * padding in the blob. For request/response packets we pass
216 : * the whole data blob, so auth_data_only must be set to false
217 : * as the blob contains data+pad+auth and no just pad+auth.
218 : *
219 : * @param pkt - The ncacn_packet structure
220 : * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
221 : * @param pkt_trailer - The packet trailer data, usually the trailing
222 : * auth_info blob, but in the request/response case
223 : * this is the stub_and_verifier blob.
224 : * @param auth - A preallocated dcerpc_auth *empty* structure
225 : * @param auth_length - The length of the auth trail, sum of auth header
226 : * length and pkt->auth_length
227 : * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
228 : * (+ padding) or also other data.
229 : *
230 : * @return - A NTSTATUS error code.
231 : */
232 516683 : NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
233 : TALLOC_CTX *mem_ctx,
234 : const DATA_BLOB *pkt_trailer,
235 : struct dcerpc_auth *auth,
236 : uint32_t *_auth_length,
237 : bool auth_data_only)
238 : {
239 7825 : struct ndr_pull *ndr;
240 7825 : enum ndr_err_code ndr_err;
241 7825 : uint16_t data_and_pad;
242 7825 : uint16_t auth_length;
243 7825 : uint32_t tmp_length;
244 516683 : uint32_t max_pad_len = 0;
245 :
246 516683 : ZERO_STRUCTP(auth);
247 516683 : if (_auth_length != NULL) {
248 486181 : *_auth_length = 0;
249 :
250 486181 : if (auth_data_only) {
251 0 : return NT_STATUS_INTERNAL_ERROR;
252 : }
253 : } else {
254 30502 : if (!auth_data_only) {
255 0 : return NT_STATUS_INTERNAL_ERROR;
256 : }
257 : }
258 :
259 : /* Paranoia checks for auth_length. The caller should check this... */
260 516683 : if (pkt->auth_length == 0) {
261 0 : return NT_STATUS_INTERNAL_ERROR;
262 : }
263 :
264 : /* Paranoia checks for auth_length. The caller should check this... */
265 516683 : if (pkt->auth_length > pkt->frag_length) {
266 0 : return NT_STATUS_INTERNAL_ERROR;
267 : }
268 516683 : tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
269 516683 : tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
270 516683 : tmp_length += pkt->auth_length;
271 516683 : if (tmp_length > pkt->frag_length) {
272 0 : return NT_STATUS_INTERNAL_ERROR;
273 : }
274 516683 : if (pkt_trailer->length > UINT16_MAX) {
275 0 : return NT_STATUS_INTERNAL_ERROR;
276 : }
277 :
278 516683 : auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
279 516683 : if (pkt_trailer->length < auth_length) {
280 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
281 : }
282 :
283 516683 : data_and_pad = pkt_trailer->length - auth_length;
284 :
285 516683 : ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
286 516683 : if (!ndr) {
287 0 : return NT_STATUS_NO_MEMORY;
288 : }
289 :
290 516683 : if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
291 9933 : ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
292 : }
293 :
294 516683 : ndr_err = ndr_pull_advance(ndr, data_and_pad);
295 516683 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
296 0 : talloc_free(ndr);
297 0 : return ndr_map_error2ntstatus(ndr_err);
298 : }
299 :
300 516683 : ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
301 516683 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
302 0 : talloc_free(ndr);
303 0 : ZERO_STRUCTP(auth);
304 0 : return ndr_map_error2ntstatus(ndr_err);
305 : }
306 :
307 : /*
308 : * Make sure the padding would not exceed
309 : * the frag_length.
310 : *
311 : * Here we assume at least 24 bytes for the
312 : * payload specific header the value of
313 : * DCERPC_{REQUEST,RESPONSE}_LENGTH.
314 : *
315 : * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
316 : *
317 : * We need this check before we ignore possible
318 : * invalid values. See also bug #11982.
319 : *
320 : * This check is mainly used to generate the correct
321 : * error for BIND_*, ALTER_* and AUTH3 pdus.
322 : *
323 : * We always have the 'if (data_and_pad < auth->auth_pad_length)'
324 : * protection for REQUEST and RESPONSE pdus, where the
325 : * auth_pad_length field is actually used by the caller.
326 : */
327 516683 : tmp_length = DCERPC_REQUEST_LENGTH;
328 516683 : tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
329 516683 : tmp_length += pkt->auth_length;
330 516683 : if (tmp_length < pkt->frag_length) {
331 516162 : max_pad_len = pkt->frag_length - tmp_length;
332 : }
333 516683 : if (max_pad_len < auth->auth_pad_length) {
334 9 : DEBUG(1, (__location__ ": ERROR: pad length too large. "
335 : "max %"PRIu32" got %"PRIu8"\n",
336 : max_pad_len,
337 : auth->auth_pad_length));
338 9 : talloc_free(ndr);
339 9 : ZERO_STRUCTP(auth);
340 9 : return NT_STATUS_RPC_PROTOCOL_ERROR;
341 : }
342 :
343 : /*
344 : * This is a workaround for a bug in old
345 : * Samba releases. For BIND_ACK <= 3.5.x
346 : * and for ALTER_RESP <= 4.2.x (see bug #11061)
347 : *
348 : * See also bug #11982.
349 : */
350 516674 : if (auth_data_only && data_and_pad == 0 &&
351 29453 : auth->auth_pad_length > 0) {
352 : /*
353 : * we need to ignore invalid auth_pad_length
354 : * values for BIND_*, ALTER_* and AUTH3 pdus.
355 : */
356 15 : auth->auth_pad_length = 0;
357 : }
358 :
359 516674 : if (data_and_pad < auth->auth_pad_length) {
360 0 : DBG_WARNING(__location__ ": ERROR: pad length too long. "
361 : "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
362 : "was less than auth_pad_length=%"PRIu8"\n",
363 : data_and_pad,
364 : pkt_trailer->length,
365 : auth_length,
366 : auth->auth_pad_length);
367 0 : talloc_free(ndr);
368 0 : ZERO_STRUCTP(auth);
369 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
370 : }
371 :
372 516674 : if (auth_data_only && data_and_pad > auth->auth_pad_length) {
373 0 : DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
374 : "Client sent a longer BIND packet than expected by %"PRIu16" bytes "
375 : "(pkt_trailer->length=%zu - auth_length=%"PRIu16") "
376 : "= %"PRIu16" auth_pad_length=%"PRIu8"\n",
377 : data_and_pad - auth->auth_pad_length,
378 : pkt_trailer->length,
379 : auth_length,
380 : data_and_pad,
381 : auth->auth_pad_length);
382 0 : talloc_free(ndr);
383 0 : ZERO_STRUCTP(auth);
384 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
385 : }
386 :
387 516674 : if (auth_data_only && data_and_pad != auth->auth_pad_length) {
388 0 : DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
389 : "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
390 : "but auth_pad_length=%"PRIu8"\n",
391 : data_and_pad,
392 : pkt_trailer->length,
393 : auth_length,
394 : auth->auth_pad_length);
395 0 : talloc_free(ndr);
396 0 : ZERO_STRUCTP(auth);
397 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
398 : }
399 :
400 516674 : DBG_DEBUG("auth_pad_length %"PRIu8"\n",
401 : auth->auth_pad_length);
402 :
403 516674 : talloc_steal(mem_ctx, auth->credentials.data);
404 516674 : talloc_free(ndr);
405 :
406 516674 : if (_auth_length != NULL) {
407 486181 : *_auth_length = auth_length;
408 : }
409 :
410 516674 : return NT_STATUS_OK;
411 : }
412 :
413 : /**
414 : * @brief Verify the fields in ncacn_packet header.
415 : *
416 : * @param pkt - The ncacn_packet structure
417 : * @param ptype - The expected PDU type
418 : * @param max_auth_info - The maximum size of a possible auth trailer
419 : * @param required_flags - The required flags for the pdu.
420 : * @param optional_flags - The possible optional flags for the pdu.
421 : *
422 : * @return - A NTSTATUS error code.
423 : */
424 2964585 : NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
425 : enum dcerpc_pkt_type ptype,
426 : size_t max_auth_info,
427 : uint8_t required_flags,
428 : uint8_t optional_flags)
429 : {
430 2964585 : if (pkt->rpc_vers != 5) {
431 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
432 : }
433 :
434 2964585 : if (pkt->rpc_vers_minor != 0) {
435 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
436 : }
437 :
438 2964585 : if (pkt->auth_length > pkt->frag_length) {
439 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
440 : }
441 :
442 2964585 : if (pkt->ptype != ptype) {
443 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
444 : }
445 :
446 2964585 : if (max_auth_info > UINT16_MAX) {
447 0 : return NT_STATUS_INTERNAL_ERROR;
448 : }
449 :
450 2964585 : if (pkt->auth_length > 0) {
451 11378 : size_t max_auth_length;
452 :
453 623041 : if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
454 3 : return NT_STATUS_RPC_PROTOCOL_ERROR;
455 : }
456 623038 : max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
457 :
458 623038 : if (pkt->auth_length > max_auth_length) {
459 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
460 : }
461 : }
462 :
463 2964582 : if ((pkt->pfc_flags & required_flags) != required_flags) {
464 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
465 : }
466 2964582 : if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
467 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
468 : }
469 :
470 2964582 : if (pkt->drep[0] & ~DCERPC_DREP_LE) {
471 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
472 : }
473 2964582 : if (pkt->drep[1] != 0) {
474 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
475 : }
476 2964582 : if (pkt->drep[2] != 0) {
477 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
478 : }
479 2964582 : if (pkt->drep[3] != 0) {
480 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
481 : }
482 :
483 2964582 : return NT_STATUS_OK;
484 : }
485 :
486 : struct dcerpc_read_ncacn_packet_state {
487 : #if 0
488 : struct {
489 : } caller;
490 : #endif
491 : DATA_BLOB buffer;
492 : struct ncacn_packet *pkt;
493 : };
494 :
495 : static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
496 : void *private_data,
497 : TALLOC_CTX *mem_ctx,
498 : struct iovec **_vector,
499 : size_t *_count);
500 : static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
501 :
502 1585261 : struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
503 : struct tevent_context *ev,
504 : struct tstream_context *stream)
505 : {
506 16816 : struct tevent_req *req;
507 16816 : struct dcerpc_read_ncacn_packet_state *state;
508 16816 : struct tevent_req *subreq;
509 :
510 1585261 : req = tevent_req_create(mem_ctx, &state,
511 : struct dcerpc_read_ncacn_packet_state);
512 1585261 : if (req == NULL) {
513 0 : return NULL;
514 : }
515 :
516 1585261 : state->pkt = talloc_zero(state, struct ncacn_packet);
517 1585261 : if (tevent_req_nomem(state->pkt, req)) {
518 0 : goto post;
519 : }
520 :
521 1585261 : subreq = tstream_readv_pdu_send(state, ev,
522 : stream,
523 : dcerpc_read_ncacn_packet_next_vector,
524 : state);
525 1585261 : if (tevent_req_nomem(subreq, req)) {
526 0 : goto post;
527 : }
528 1585261 : tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
529 :
530 1585261 : return req;
531 0 : post:
532 0 : tevent_req_post(req, ev);
533 0 : return req;
534 : }
535 :
536 4644984 : static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
537 : void *private_data,
538 : TALLOC_CTX *mem_ctx,
539 : struct iovec **_vector,
540 : size_t *_count)
541 : {
542 48686 : struct dcerpc_read_ncacn_packet_state *state =
543 4644984 : talloc_get_type_abort(private_data,
544 : struct dcerpc_read_ncacn_packet_state);
545 48686 : struct iovec *vector;
546 4644984 : off_t ofs = 0;
547 :
548 4644984 : if (state->buffer.length == 0) {
549 : /*
550 : * first get enough to read the fragment length
551 : *
552 : * We read the full fixed ncacn_packet header
553 : * in order to make wireshark happy with
554 : * pcap files from socket_wrapper.
555 : */
556 1585261 : ofs = 0;
557 1585261 : state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
558 1585261 : state->buffer.data = talloc_array(state, uint8_t,
559 : state->buffer.length);
560 1585261 : if (!state->buffer.data) {
561 0 : return -1;
562 : }
563 3059723 : } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
564 : /* now read the fragment length and allocate the full buffer */
565 1529872 : size_t frag_len = dcerpc_get_frag_length(&state->buffer);
566 :
567 1529872 : ofs = state->buffer.length;
568 :
569 1529872 : if (frag_len <= ofs) {
570 : /*
571 : * With frag_len == ofs, we are done, this is likely
572 : * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
573 : * without any payload.
574 : *
575 : * Otherwise it's a broken packet and we
576 : * let the caller deal with it.
577 : */
578 21 : *_vector = NULL;
579 21 : *_count = 0;
580 21 : return 0;
581 : }
582 :
583 1529851 : state->buffer.data = talloc_realloc(state,
584 : state->buffer.data,
585 : uint8_t, frag_len);
586 1529851 : if (!state->buffer.data) {
587 0 : return -1;
588 : }
589 1529851 : state->buffer.length = frag_len;
590 : } else {
591 : /* if we reach this we have a full fragment */
592 1529851 : *_vector = NULL;
593 1529851 : *_count = 0;
594 1529851 : return 0;
595 : }
596 :
597 : /* now create the vector that we want to be filled */
598 3115112 : vector = talloc_array(mem_ctx, struct iovec, 1);
599 3115112 : if (!vector) {
600 0 : return -1;
601 : }
602 :
603 3115112 : vector[0].iov_base = (void *) (state->buffer.data + ofs);
604 3115112 : vector[0].iov_len = state->buffer.length - ofs;
605 :
606 3115112 : *_vector = vector;
607 3115112 : *_count = 1;
608 3115112 : return 0;
609 : }
610 :
611 1584878 : static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
612 : {
613 1584878 : struct tevent_req *req = tevent_req_callback_data(subreq,
614 : struct tevent_req);
615 1584878 : struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
616 : struct dcerpc_read_ncacn_packet_state);
617 16798 : int ret;
618 16798 : int sys_errno;
619 16798 : NTSTATUS status;
620 :
621 1584878 : ret = tstream_readv_pdu_recv(subreq, &sys_errno);
622 1584878 : TALLOC_FREE(subreq);
623 1584878 : if (ret == -1) {
624 55006 : status = map_nt_error_from_unix_common(sys_errno);
625 55006 : tevent_req_nterror(req, status);
626 55493 : return;
627 : }
628 :
629 1529872 : status = dcerpc_pull_ncacn_packet(state->pkt,
630 1529872 : &state->buffer,
631 : state->pkt);
632 1529872 : if (tevent_req_nterror(req, status)) {
633 0 : return;
634 : }
635 :
636 1529872 : tevent_req_done(req);
637 : }
638 :
639 1584878 : NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
640 : TALLOC_CTX *mem_ctx,
641 : struct ncacn_packet **pkt,
642 : DATA_BLOB *buffer)
643 : {
644 1584878 : struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
645 : struct dcerpc_read_ncacn_packet_state);
646 16798 : NTSTATUS status;
647 :
648 1584878 : if (tevent_req_is_nterror(req, &status)) {
649 55006 : tevent_req_received(req);
650 55006 : return status;
651 : }
652 :
653 1529872 : *pkt = talloc_move(mem_ctx, &state->pkt);
654 1529872 : if (buffer) {
655 1529872 : buffer->data = talloc_move(mem_ctx, &state->buffer.data);
656 1529872 : buffer->length = state->buffer.length;
657 : }
658 :
659 1529872 : tevent_req_received(req);
660 1529872 : return NT_STATUS_OK;
661 : }
662 :
663 40726 : const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
664 : enum dcerpc_transport_t transport,
665 : const struct ndr_interface_table *table)
666 : {
667 0 : NTSTATUS status;
668 40726 : const char *p = NULL;
669 40726 : const char *endpoint = NULL;
670 0 : uint32_t i;
671 40726 : struct dcerpc_binding *default_binding = NULL;
672 40726 : TALLOC_CTX *frame = talloc_stackframe();
673 :
674 : /* Find one of the default pipes for this interface */
675 :
676 40726 : for (i = 0; i < table->endpoints->count; i++) {
677 0 : enum dcerpc_transport_t dtransport;
678 0 : const char *dendpoint;
679 :
680 40726 : status = dcerpc_parse_binding(frame, table->endpoints->names[i],
681 : &default_binding);
682 40726 : if (!NT_STATUS_IS_OK(status)) {
683 0 : continue;
684 : }
685 :
686 40726 : dtransport = dcerpc_binding_get_transport(default_binding);
687 40726 : dendpoint = dcerpc_binding_get_string_option(default_binding,
688 : "endpoint");
689 40726 : if (dendpoint == NULL) {
690 0 : TALLOC_FREE(default_binding);
691 0 : continue;
692 : }
693 :
694 40726 : if (transport == NCA_UNKNOWN) {
695 0 : transport = dtransport;
696 : }
697 :
698 40726 : if (transport != dtransport) {
699 0 : TALLOC_FREE(default_binding);
700 0 : continue;
701 : }
702 :
703 40726 : p = dendpoint;
704 40726 : break;
705 : }
706 :
707 40726 : if (p == NULL) {
708 0 : goto done;
709 : }
710 :
711 : /*
712 : * extract the pipe name without \\pipe from for example
713 : * ncacn_np:[\\pipe\\epmapper]
714 : */
715 40726 : if (transport == NCACN_NP) {
716 40726 : if (strncasecmp(p, "\\pipe\\", 6) == 0) {
717 40726 : p += 6;
718 : }
719 40726 : if (p[0] == '\\') {
720 0 : p += 1;
721 : }
722 : }
723 :
724 40726 : endpoint = talloc_strdup(mem_ctx, p);
725 :
726 40726 : done:
727 40726 : talloc_free(frame);
728 40726 : return endpoint;
729 : }
730 :
731 833507 : struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
732 : {
733 6905 : struct dcerpc_sec_vt_header2 ret;
734 :
735 833507 : ZERO_STRUCT(ret);
736 833507 : ret.ptype = pkt->ptype;
737 833507 : memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
738 833507 : ret.call_id = pkt->call_id;
739 :
740 833507 : switch (pkt->ptype) {
741 833507 : case DCERPC_PKT_REQUEST:
742 833507 : ret.context_id = pkt->u.request.context_id;
743 833507 : ret.opnum = pkt->u.request.opnum;
744 833507 : break;
745 :
746 0 : case DCERPC_PKT_RESPONSE:
747 0 : ret.context_id = pkt->u.response.context_id;
748 0 : break;
749 :
750 0 : case DCERPC_PKT_FAULT:
751 0 : ret.context_id = pkt->u.fault.context_id;
752 0 : break;
753 :
754 0 : default:
755 0 : break;
756 : }
757 :
758 833507 : return ret;
759 : }
760 :
761 8268 : bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
762 : const struct dcerpc_sec_vt_header2 *v2)
763 : {
764 8268 : if (v1->ptype != v2->ptype) {
765 0 : return false;
766 : }
767 :
768 8268 : if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
769 0 : return false;
770 : }
771 :
772 8268 : if (v1->call_id != v2->call_id) {
773 0 : return false;
774 : }
775 :
776 8268 : if (v1->context_id != v2->context_id) {
777 0 : return false;
778 : }
779 :
780 8268 : if (v1->opnum != v2->opnum) {
781 0 : return false;
782 : }
783 :
784 8268 : return true;
785 : }
786 :
787 833508 : static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
788 : {
789 833508 : bool ret = false;
790 833508 : TALLOC_CTX *frame = talloc_stackframe();
791 6906 : struct bitmap *commands_seen;
792 6906 : int i;
793 :
794 833508 : if (r->count.count == 0) {
795 816479 : ret = true;
796 816479 : goto done;
797 : }
798 :
799 17029 : if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
800 0 : goto done;
801 : }
802 :
803 17029 : commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
804 17029 : if (commands_seen == NULL) {
805 0 : goto done;
806 : }
807 :
808 43843 : for (i=0; i < r->count.count; i++) {
809 26814 : enum dcerpc_sec_vt_command_enum cmd =
810 26814 : r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
811 :
812 26814 : if (bitmap_query(commands_seen, cmd)) {
813 : /* Each command must appear at most once. */
814 0 : goto done;
815 : }
816 26814 : bitmap_set(commands_seen, cmd);
817 :
818 26814 : switch (cmd) {
819 25598 : case DCERPC_SEC_VT_COMMAND_BITMASK1:
820 : case DCERPC_SEC_VT_COMMAND_PCONTEXT:
821 : case DCERPC_SEC_VT_COMMAND_HEADER2:
822 25598 : break;
823 0 : default:
824 0 : if ((r->commands[i].u._unknown.length % 4) != 0) {
825 0 : goto done;
826 : }
827 0 : break;
828 : }
829 : }
830 16420 : ret = true;
831 833508 : done:
832 833508 : TALLOC_FREE(frame);
833 833508 : return ret;
834 : }
835 :
836 9269 : static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
837 : struct dcerpc_sec_vt *c)
838 : {
839 9269 : if (bitmask1 == NULL) {
840 0 : if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
841 0 : DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
842 : "failed\n"));
843 0 : return false;
844 : }
845 :
846 0 : return true;
847 : }
848 :
849 9269 : if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
850 9269 : && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
851 0 : DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
852 : "failed\n"));
853 0 : return false;
854 : }
855 8662 : return true;
856 : }
857 :
858 9277 : static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
859 : struct dcerpc_sec_vt *c)
860 : {
861 609 : bool ok;
862 :
863 9277 : if (pcontext == NULL) {
864 0 : if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
865 0 : DEBUG(10, ("SEC_VT check Pcontext must_process_command "
866 : "failed\n"));
867 0 : return false;
868 : }
869 :
870 0 : return true;
871 : }
872 :
873 9886 : ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
874 9277 : &c->u.pcontext.abstract_syntax);
875 9277 : if (!ok) {
876 0 : struct ndr_syntax_id_buf buf1, buf2;
877 0 : DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
878 : "%s vs. %s\n",
879 : ndr_syntax_id_buf_string(
880 : &pcontext->abstract_syntax, &buf1),
881 : ndr_syntax_id_buf_string(
882 : &c->u.pcontext.abstract_syntax, &buf2)));
883 0 : return false;
884 : }
885 9886 : ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
886 9277 : &c->u.pcontext.transfer_syntax);
887 9277 : if (!ok) {
888 0 : struct ndr_syntax_id_buf buf1, buf2;
889 0 : DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
890 : "%s vs. %s\n",
891 : ndr_syntax_id_buf_string(
892 : &pcontext->transfer_syntax, &buf1),
893 : ndr_syntax_id_buf_string(
894 : &c->u.pcontext.transfer_syntax, &buf2)));
895 0 : return false;
896 : }
897 :
898 8668 : return true;
899 : }
900 :
901 8268 : static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
902 : struct dcerpc_sec_vt *c)
903 : {
904 8268 : if (header2 == NULL) {
905 0 : if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
906 0 : DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
907 0 : return false;
908 : }
909 :
910 0 : return true;
911 : }
912 :
913 8268 : if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
914 0 : DEBUG(10, ("SEC_VT check Header2 failed\n"));
915 0 : return false;
916 : }
917 :
918 8268 : return true;
919 : }
920 :
921 833508 : bool dcerpc_sec_verification_trailer_check(
922 : const struct dcerpc_sec_verification_trailer *vt,
923 : const uint32_t *bitmask1,
924 : const struct dcerpc_sec_vt_pcontext *pcontext,
925 : const struct dcerpc_sec_vt_header2 *header2)
926 : {
927 6906 : size_t i;
928 :
929 833508 : if (!dcerpc_sec_vt_is_valid(vt)) {
930 0 : return false;
931 : }
932 :
933 860322 : for (i=0; i < vt->count.count; i++) {
934 1216 : bool ok;
935 26814 : struct dcerpc_sec_vt *c = &vt->commands[i];
936 :
937 26814 : switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
938 9269 : case DCERPC_SEC_VT_COMMAND_BITMASK1:
939 9269 : ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
940 9269 : if (!ok) {
941 0 : return false;
942 : }
943 8662 : break;
944 :
945 9277 : case DCERPC_SEC_VT_COMMAND_PCONTEXT:
946 9277 : ok = dcerpc_sec_vt_pctx_check(pcontext, c);
947 9277 : if (!ok) {
948 0 : return false;
949 : }
950 8668 : break;
951 :
952 8268 : case DCERPC_SEC_VT_COMMAND_HEADER2: {
953 8268 : ok = dcerpc_sec_vt_hdr2_check(header2, c);
954 8268 : if (!ok) {
955 0 : return false;
956 : }
957 8268 : break;
958 : }
959 :
960 0 : default:
961 0 : if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
962 0 : DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
963 0 : return false;
964 : }
965 :
966 0 : break;
967 : }
968 : }
969 :
970 826602 : return true;
971 : }
972 :
973 : static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
974 : .uuid = {
975 : .time_low = 0x6cb71c2c,
976 : .time_mid = 0x9812,
977 : .time_hi_and_version = 0x4540,
978 : .clock_seq = {0x00, 0x00},
979 : .node = {0x00,0x00,0x00,0x00,0x00,0x00}
980 : },
981 : .if_version = 1,
982 : };
983 :
984 74336 : bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
985 : {
986 1712 : uint8_t values[8];
987 74336 : uint64_t features = 0;
988 :
989 74336 : values[0] = s.uuid.clock_seq[0];
990 74336 : values[1] = s.uuid.clock_seq[1];
991 74336 : values[2] = s.uuid.node[0];
992 74336 : values[3] = s.uuid.node[1];
993 74336 : values[4] = s.uuid.node[2];
994 74336 : values[5] = s.uuid.node[3];
995 74336 : values[6] = s.uuid.node[4];
996 74336 : values[7] = s.uuid.node[5];
997 :
998 74336 : ZERO_STRUCT(s.uuid.clock_seq);
999 74336 : ZERO_STRUCT(s.uuid.node);
1000 :
1001 74336 : if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
1002 55131 : if (_features != NULL) {
1003 55131 : *_features = 0;
1004 : }
1005 55131 : return false;
1006 : }
1007 :
1008 19205 : features = BVAL(values, 0);
1009 :
1010 19205 : if (_features != NULL) {
1011 19205 : *_features = features;
1012 : }
1013 :
1014 18353 : return true;
1015 : }
1016 :
1017 20191 : struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
1018 : {
1019 20191 : struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
1020 870 : uint8_t values[8];
1021 :
1022 20191 : SBVAL(values, 0, features);
1023 :
1024 20191 : s.uuid.clock_seq[0] = values[0];
1025 20191 : s.uuid.clock_seq[1] = values[1];
1026 20191 : s.uuid.node[0] = values[2];
1027 20191 : s.uuid.node[1] = values[3];
1028 20191 : s.uuid.node[2] = values[4];
1029 20191 : s.uuid.node[3] = values[5];
1030 20191 : s.uuid.node[4] = values[6];
1031 20191 : s.uuid.node[5] = values[7];
1032 :
1033 20191 : return s;
1034 : }
1035 :
1036 190 : NTSTATUS dcerpc_generic_session_key(DATA_BLOB *session_key)
1037 : {
1038 190 : *session_key = data_blob_null;
1039 :
1040 : /* this took quite a few CPU cycles to find ... */
1041 190 : session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");
1042 190 : session_key->length = 16;
1043 190 : return NT_STATUS_OK;
1044 : }
1045 :
1046 : /*
1047 : push a ncacn_packet into a blob, potentially with auth info
1048 : */
1049 90558 : NTSTATUS dcerpc_ncacn_push_auth(DATA_BLOB *blob,
1050 : TALLOC_CTX *mem_ctx,
1051 : struct ncacn_packet *pkt,
1052 : struct dcerpc_auth *auth_info)
1053 : {
1054 2325 : struct ndr_push *ndr;
1055 2325 : enum ndr_err_code ndr_err;
1056 :
1057 90558 : ndr = ndr_push_init_ctx(mem_ctx);
1058 90558 : if (!ndr) {
1059 0 : return NT_STATUS_NO_MEMORY;
1060 : }
1061 :
1062 90558 : if (auth_info) {
1063 29783 : pkt->auth_length = auth_info->credentials.length;
1064 : } else {
1065 60775 : pkt->auth_length = 0;
1066 : }
1067 :
1068 90558 : ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
1069 90558 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1070 0 : return ndr_map_error2ntstatus(ndr_err);
1071 : }
1072 :
1073 90558 : if (auth_info) {
1074 : #if 0
1075 : /* the s3 rpc server doesn't handle auth padding in
1076 : bind requests. Use zero auth padding to keep us
1077 : working with old servers */
1078 : uint32_t offset = ndr->offset;
1079 : ndr_err = ndr_push_align(ndr, 16);
1080 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1081 : return ndr_map_error2ntstatus(ndr_err);
1082 : }
1083 : auth_info->auth_pad_length = ndr->offset - offset;
1084 : #else
1085 29783 : auth_info->auth_pad_length = 0;
1086 : #endif
1087 29783 : ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
1088 29783 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1089 0 : return ndr_map_error2ntstatus(ndr_err);
1090 : }
1091 : }
1092 :
1093 90558 : *blob = ndr_push_blob(ndr);
1094 :
1095 : /* fill in the frag length */
1096 90558 : dcerpc_set_frag_length(blob, blob->length);
1097 :
1098 90558 : return NT_STATUS_OK;
1099 : }
1100 :
1101 : /*
1102 : log a rpc packet in a format suitable for ndrdump. This is especially useful
1103 : for sealed packets, where ethereal cannot easily see the contents
1104 :
1105 : this triggers if "dcesrv:stubs directory" is set and present
1106 : for all packets that fail to parse
1107 : */
1108 2102 : void dcerpc_log_packet(const char *packet_log_dir,
1109 : const char *interface_name,
1110 : uint32_t opnum, ndr_flags_type flags,
1111 : const DATA_BLOB *pkt,
1112 : const char *why)
1113 : {
1114 2102 : const int num_examples = 20;
1115 4 : int i;
1116 :
1117 2102 : if (packet_log_dir == NULL) {
1118 2098 : return;
1119 : }
1120 :
1121 0 : for (i=0;i<num_examples;i++) {
1122 0 : char *name=NULL;
1123 0 : int ret;
1124 0 : bool saved;
1125 0 : ret = asprintf(&name, "%s/%s-%"PRIu32".%d.%s.%s",
1126 : packet_log_dir, interface_name, opnum, i,
1127 0 : (flags&NDR_IN)?"in":"out",
1128 : why);
1129 0 : if (ret == -1) {
1130 0 : return;
1131 : }
1132 :
1133 0 : saved = file_save(name, pkt->data, pkt->length);
1134 0 : if (saved) {
1135 0 : DBG_DEBUG("Logged rpc packet to %s\n", name);
1136 0 : free(name);
1137 0 : break;
1138 : }
1139 0 : free(name);
1140 : }
1141 : }
|
