The Samba-Bugzilla – Attachment 15943 Details for
Bug 14359
RPC handles cannot be differentiated in source3 RPC server
[patch]
patch for v4.12 branch
rpchandle-fix-bug-14359-v4.12.patch (text/plain), 15.41 KB, created by
Alexander Bokovoy
on 2020-04-29 07:41:50 UTC
Description:
patch for v4.12 branch
Creator:
Alexander Bokovoy
Created:
2020-04-29 07:41:50 UTC
Size:
15.41 KB
>From 9b29e5f726321e2b68e795ec6887c1207e9eac04 Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Tue, 28 Apr 2020 21:59:46 +0300
>Subject: [PATCH] s3: pass DCE RPC handle type to create_policy_hnd
>
>Various RPC services expect policy handles of a specific type.
>
>s3 RPC server did not allow to create policy handles with a specific
>type while actually requiring that policy handle type itself in some
>places.
>
>Make sure we are able to specify the policy on-wire handle type when
>creating the policy handle. The changes follow s4 DCE RPC server
>implementation.
>
>The original logic to always set on-wire handle type to 0 can be tracked
>down to commit fdeea341ed1bae670382e45eb731db1b5838ad21 when we didn't
>really know about differences in on-wire handle types.
>
>All but LSA trusted domain RPC calls do not check the on-wire handle
>type in s3 RPC server.
>
>Fixes trusted domain operations when Samba RPC client attempts to call
>s3 RPC server to perform lsa_lsaRSetForestTrustInformation in FreeIPA.
>This fix is a pre-requisite for FreeIPA-FreeIPA forest trust.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14359
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>
>Autobuild-User(master): Jeremy Allison <jra@samba.org>
>Autobuild-Date(master): Tue Apr 28 22:55:29 UTC 2020 on sn-devel-184
>
>(cherry picked from commit c7a4578d06427a82ead287f0c5248c1a54cc9336)
>---
> source3/rpc_server/epmapper/srv_epmapper.c | 7 +-
> source3/rpc_server/eventlog/srv_eventlog_nt.c | 2 +-
> source3/rpc_server/lsa/srv_lsa_nt.c | 2 +-
> source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 2 +-
> source3/rpc_server/rpc_handles.c | 30 ++++---
> source3/rpc_server/rpc_pipes.h | 19 +++--
> source3/rpc_server/samr/srv_samr_nt.c | 84 ++++++++++++++-----
> source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
> source3/rpc_server/svcctl/srv_svcctl_nt.c | 2 +-
> source3/rpc_server/winreg/srv_winreg_nt.c | 6 +-
> 10 files changed, 108 insertions(+), 48 deletions(-)
>
>diff --git a/source3/rpc_server/epmapper/srv_epmapper.c b/source3/rpc_server/epmapper/srv_epmapper.c
>index 1785cbbcfff..eaa8f065401 100644
>--- a/source3/rpc_server/epmapper/srv_epmapper.c
>+++ b/source3/rpc_server/epmapper/srv_epmapper.c
>@@ -27,6 +27,9 @@
> #include "srv_epmapper.h"
> #include "auth.h"
>
>+/* handle types for this module */
>+enum handle_types {HTYPE_LOOKUP};
>+
> typedef uint32_t error_status_t;
>
> /* An endpoint combined with an interface description */
>@@ -680,7 +683,7 @@ error_status_t _epm_Lookup(struct pipes_struct *p,
> goto done;
> }
>
>- ok = create_policy_hnd(p, r->out.entry_handle, eps);
>+ ok = create_policy_hnd(p, r->out.entry_handle, HTYPE_LOOKUP, eps);
> if (!ok) {
> rc = EPMAPPER_STATUS_NO_MEMORY;
> goto done;
>@@ -1072,7 +1075,7 @@ error_status_t _epm_Map(struct pipes_struct *p,
> }
> /* end of "some algorithm" */
>
>- ok = create_policy_hnd(p, r->out.entry_handle, eps);
>+ ok = create_policy_hnd(p, r->out.entry_handle, HTYPE_LOOKUP, eps);
> if (!ok) {
> rc = EPMAPPER_STATUS_NO_MEMORY;
> goto done;
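Review bot: In srv_epmapper.c the new `enum handle_types` has a single member, so `HTYPE_LOOKUP` is 0 and the entry handles created in `_epm_Lookup` and `_epm_Map` carry the same on-wire type value they had before the patch; both call sites also share the one name although only one of them is a lookup. The existing comment does not say that this is deliberate, so I would extend it to something like `/* handle types for this module; epm_Lookup and epm_Map entry handles share one type */`. Both functions continue outside their hunks, so whether anything later reads the type back cannot be judged from here.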
>diff --git a/source3/rpc_server/eventlog/srv_eventlog_nt.c b/source3/rpc_server/eventlog/srv_eventlog_nt.c
>index 9d8322adf34..3c6474269f0 100644
>--- a/source3/rpc_server/eventlog/srv_eventlog_nt.c
>+++ b/source3/rpc_server/eventlog/srv_eventlog_nt.c
>@@ -270,7 +270,7 @@ static NTSTATUS elog_open( struct pipes_struct * p, const char *logname, struct
>
> /* create the policy handle */
>
>- if ( !create_policy_hnd( p, hnd, elog ) ) {
>+ if ( !create_policy_hnd( p, hnd, 0, elog ) ) {
> TALLOC_FREE(elog);
> return NT_STATUS_NO_MEMORY;
> }
>diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
>index 4adb3b2bf6c..614cc06261a 100644
>--- a/source3/rpc_server/lsa/srv_lsa_nt.c
>+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
>@@ -371,7 +371,7 @@ static NTSTATUS create_lsa_policy_handle(TALLOC_CTX *mem_ctx,
> }
> }
>
>- if (!create_policy_hnd(p, handle, info)) {
>+ if (!create_policy_hnd(p, handle, type, info)) {
> talloc_free(info);
> ZERO_STRUCTP(handle);
> return NT_STATUS_NO_MEMORY;
>diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
>index 04287008a5c..cfccd38a4c6 100644
>--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
>+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
>@@ -140,7 +140,7 @@ static NTSTATUS create_mdssvc_policy_handle(TALLOC_CTX *mem_ctx,
> return NT_STATUS_UNSUCCESSFUL;
> }
>
>- if (!create_policy_hnd(p, handle, mds_ctx)) {
>+ if (!create_policy_hnd(p, handle, 0, mds_ctx)) {
> talloc_free(mds_ctx);
> ZERO_STRUCTP(handle);
> return NT_STATUS_NO_MEMORY;
>diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
>index 453dab6905f..700cc64d26a 100644
>--- a/source3/rpc_server/rpc_handles.c
>+++ b/source3/rpc_server/rpc_handles.c
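Review bot: The bare `0` passed as the handle type in `elog_open` (srv_eventlog_nt.c) is a magic number, and the same literal is used in `create_mdssvc_policy_handle`, `open_printer_hnd` and `create_open_service_handle`. A reader cannot tell whether 0 means "this service does not type its handles" or is a real type, and it is also the value of the first member of each per-module enum this patch adds (`HTYPE_LOOKUP`, `HTYPE_REGVAL`, `SAMR_HANDLE_CONNECT`). I would give it a name in rpc_pipes.h and use that at the four call sites, for example `#define POLICY_HND_TYPE_UNSET 0 /* service does not distinguish handle types */` (name constructed for this note). All four enclosing functions extend beyond their hunks.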
>@@ -250,8 +250,11 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
> data_ptr is TALLOC_FREE()'ed
> ****************************************************************************/
>
>-static struct dcesrv_handle_old *create_rpc_handle_internal(struct pipes_struct *p,
>- struct policy_handle *hnd, void *data_ptr)
>+static struct dcesrv_handle_old *create_rpc_handle_internal(
>+ struct pipes_struct *p,
>+ struct policy_handle *hnd,
>+ uint8_t handle_type,
>+ void *data_ptr)
> {
> struct dcesrv_handle_old *rpc_hnd = NULL;
> static uint32_t pol_hnd_low = 0;
>@@ -279,8 +282,7 @@ static struct dcesrv_handle_old *create_rpc_handle_internal(struct pipes_struct
> pol_hnd_high++;
> }
>
>- /* first bit must be null */
>- SIVAL(&rpc_hnd->wire_handle.handle_type, 0 , 0);
>+ SIVAL(&rpc_hnd->wire_handle.handle_type, 0 , handle_type);
>
> /* second bit is incrementing */
> SIVAL(&rpc_hnd->wire_handle.uuid.time_low, 0 , pol_hnd_low);
>@@ -307,12 +309,14 @@ static struct dcesrv_handle_old *create_rpc_handle_internal(struct pipes_struct
> return rpc_hnd;
> }
>
>-bool create_policy_hnd(struct pipes_struct *p, struct policy_handle *hnd,
>- void *data_ptr)
>+bool create_policy_hnd(struct pipes_struct *p,
>+ struct policy_handle *hnd,
>+ uint8_t handle_type,
>+ void *data_ptr)
> {
> struct dcesrv_handle_old *rpc_hnd = NULL;
>
>- rpc_hnd = create_rpc_handle_internal(p, hnd, data_ptr);
>+ rpc_hnd = create_rpc_handle_internal(p, hnd, handle_type, data_ptr);
> if (rpc_hnd == NULL) {
> return false;
> }
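Review bot: The handle type is written in `create_rpc_handle_internal` (the `SIVAL(&rpc_hnd->wire_handle.handle_type, 0 , handle_type);` line) but the lookup side is untouched by this patch: `find_policy_by_hnd` shows up in rpc_pipes.h only as an unchanged context line with its three-argument signature, so as far as the diff shows the type is recorded and never compared when a client presents a handle. The commit message confirms that only the LSA trusted-domain calls check it, so for services that go through `find_policy_by_hnd` the type presumably gives no protection yet against a handle of one kind being accepted where another is expected. I would plan a follow-up that lets the lookup take the expected type and fail on mismatch, and in this hunk replace the removed `/* first bit must be null */` with `/* on-wire handle type, chosen by the calling service */` so the field is not left undocumented next to the surviving "second bit" comment. The function body starts and ends outside this hunk.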
>@@ -450,9 +454,13 @@ bool pipe_access_check(struct pipes_struct *p)
> return True;
> }
>
>-void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
>- uint32_t access_granted, size_t data_size,
>- const char *type, NTSTATUS *pstatus)
>+void *_policy_handle_create(struct pipes_struct *p,
>+ struct policy_handle *hnd,
>+ uint8_t handle_type,
>+ uint32_t access_granted,
>+ size_t data_size,
>+ const char *type,
>+ NTSTATUS *pstatus)
> {
> struct dcesrv_handle_old *rpc_hnd = NULL;
> void *data;
>@@ -474,7 +482,7 @@ void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
> }
> talloc_set_name_const(data, type);
>
>- rpc_hnd = create_rpc_handle_internal(p, hnd, data);
>+ rpc_hnd = create_rpc_handle_internal(p, hnd, handle_type, data);
> if (rpc_hnd == NULL) {
> TALLOC_FREE(data);
> *pstatus = NT_STATUS_NO_MEMORY;
>diff --git a/source3/rpc_server/rpc_pipes.h b/source3/rpc_server/rpc_pipes.h
>index 8a8f8e58169..5cdf2fdf6a2 100644
>--- a/source3/rpc_server/rpc_pipes.h
>+++ b/source3/rpc_server/rpc_pipes.h
>@@ -199,18 +199,25 @@ int close_internal_rpc_pipe_hnd(struct pipes_struct *p);
>
> size_t num_pipe_handles(struct pipes_struct *p);
> bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *syntax);
>-bool create_policy_hnd(struct pipes_struct *p, struct policy_handle *hnd, void *data_ptr);
>+bool create_policy_hnd(struct pipes_struct *p,
>+ struct policy_handle *hnd,
>+ uint8_t handle_type,
>+ void *data_ptr);
> bool find_policy_by_hnd(struct pipes_struct *p, const struct policy_handle *hnd,
> void **data_p);
> bool close_policy_hnd(struct pipes_struct *p, struct policy_handle *hnd);
> void close_policy_by_pipe(struct pipes_struct *p);
> bool pipe_access_check(struct pipes_struct *p);
>
>-void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
>- uint32_t access_granted, size_t data_size,
>- const char *type, NTSTATUS *pstatus);
>-#define policy_handle_create(_p, _hnd, _access, _type, _pstatus) \
>- (_type *)_policy_handle_create((_p), (_hnd), (_access), sizeof(_type), #_type, \
>+void *_policy_handle_create(struct pipes_struct *p,
>+ struct policy_handle *hnd,
>+ uint8_t handle_type,
>+ uint32_t access_granted,
>+ size_t data_size,
>+ const char *type,
>+ NTSTATUS *pstatus);
>+#define policy_handle_create(_p, _hnd, _hnd_type, _access, _type, _pstatus) \
>+ (_type *)_policy_handle_create((_p), (_hnd), (_hnd_type), (_access), sizeof(_type), #_type, \
> (_pstatus))
>
> void *_policy_handle_find(struct pipes_struct *p,
>diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
>index ee3a5660358..1ebced46bb3 100644
>--- a/source3/rpc_server/samr/srv_samr_nt.c
>+++ b/source3/rpc_server/samr/srv_samr_nt.c
>@@ -65,6 +65,14 @@
> #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
> #define MAX_SAM_ENTRIES_W95 50
>
>+enum samr_handle {
>+ SAMR_HANDLE_CONNECT,
>+ SAMR_HANDLE_DOMAIN,
>+ SAMR_HANDLE_USER,
>+ SAMR_HANDLE_GROUP,
>+ SAMR_HANDLE_ALIAS
>+};
>+
> struct samr_connect_info {
> uint8_t dummy;
> };
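Review bot: In rpc_pipes.h the new `uint8_t handle_type` sits directly before `uint32_t access_granted` in `_policy_handle_create` and in the `policy_handle_create` macro, and both are plain integers, so a call that swaps the two still compiles: the access mask would be truncated into the type and a small enum value passed as the granted access. None of the call sites in this patch do that, but the prototype carries no documentation that would stop a later caller from doing so. I would add a comment above the prototype, e.g. `/* handle_type: per-interface on-wire handle type, must fit in 8 bits; access_granted: access mask for the new handle */`, and keep the same wording on `create_policy_hnd`.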
>@@ -498,8 +506,12 @@ NTSTATUS _samr_OpenDomain(struct pipes_struct *p,
> return NT_STATUS_NO_SUCH_DOMAIN;
> }
>
>- dinfo = policy_handle_create(p, r->out.domain_handle, acc_granted,
>- struct samr_domain_info, &status);
>+ dinfo = policy_handle_create(p,
>+ r->out.domain_handle,
>+ SAMR_HANDLE_DOMAIN,
>+ acc_granted,
>+ struct samr_domain_info,
>+ &status);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>@@ -2221,8 +2233,12 @@ NTSTATUS _samr_OpenUser(struct pipes_struct *p,
> /* If we did the rid admins hack above, allow access. */
> acc_granted |= extra_access;
>
>- uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
>- struct samr_user_info, &nt_status);
>+ uinfo = policy_handle_create(p,
>+ r->out.user_handle,
>+ SAMR_HANDLE_USER,
>+ acc_granted,
>+ struct samr_user_info,
>+ &nt_status);
> if (!NT_STATUS_IS_OK(nt_status)) {
> return nt_status;
> }
>@@ -3790,8 +3806,12 @@ NTSTATUS _samr_CreateUser2(struct pipes_struct *p,
> return nt_status;
> }
>
>- uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
>- struct samr_user_info, &nt_status);
>+ uinfo = policy_handle_create(p,
>+ r->out.user_handle,
>+ SAMR_HANDLE_USER,
>+ acc_granted,
>+ struct samr_user_info,
>+ &nt_status);
> if (!NT_STATUS_IS_OK(nt_status)) {
> return nt_status;
> }
>@@ -3859,9 +3879,12 @@ NTSTATUS _samr_Connect(struct pipes_struct *p,
>
> /* set up the SAMR connect_anon response */
>
>- (void)policy_handle_create(p, &hnd, acc_granted,
>- struct samr_connect_info,
>- &status);
>+ (void)policy_handle_create(p,
>+ &hnd,
>+ SAMR_HANDLE_CONNECT,
>+ acc_granted,
>+ struct samr_connect_info,
>+ &status);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>@@ -3923,8 +3946,12 @@ NTSTATUS _samr_Connect2(struct pipes_struct *p,
> if ( !NT_STATUS_IS_OK(nt_status) )
> return nt_status;
>
>- (void)policy_handle_create(p, &hnd, acc_granted,
>- struct samr_connect_info, &nt_status);
>+ (void)policy_handle_create(p,
>+ &hnd,
>+ SAMR_HANDLE_CONNECT,
>+ acc_granted,
>+ struct samr_connect_info,
>+ &nt_status);
> if (!NT_STATUS_IS_OK(nt_status)) {
> return nt_status;
> }
>@@ -4160,8 +4187,12 @@ NTSTATUS _samr_OpenAlias(struct pipes_struct *p,
>
> }
>
>- ainfo = policy_handle_create(p, r->out.alias_handle, acc_granted,
>- struct samr_alias_info, &status);
>+ ainfo = policy_handle_create(p,
>+ r->out.alias_handle,
>+ SAMR_HANDLE_ALIAS,
>+ acc_granted,
>+ struct samr_alias_info,
>+ &status);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>@@ -5906,9 +5937,12 @@ NTSTATUS _samr_CreateDomainGroup(struct pipes_struct *p,
> if ( !NT_STATUS_IS_OK(status) )
> return status;
>
>- ginfo = policy_handle_create(p, r->out.group_handle,
>- GENERIC_RIGHTS_GROUP_ALL_ACCESS,
>- struct samr_group_info, &status);
>+ ginfo = policy_handle_create(p,
>+ r->out.group_handle,
>+ SAMR_HANDLE_GROUP,
>+ GENERIC_RIGHTS_GROUP_ALL_ACCESS,
>+ struct samr_group_info,
>+ &status);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>@@ -5980,9 +6014,12 @@ NTSTATUS _samr_CreateDomAlias(struct pipes_struct *p,
> return NT_STATUS_ACCESS_DENIED;
> }
>
>- ainfo = policy_handle_create(p, r->out.alias_handle,
>- GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
>- struct samr_alias_info, &result);
>+ ainfo = policy_handle_create(p,
>+ r->out.alias_handle,
>+ SAMR_HANDLE_ALIAS,
>+ GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
>+ struct samr_alias_info,
>+ &result);
> if (!NT_STATUS_IS_OK(result)) {
> return result;
> }
>@@ -6386,9 +6423,12 @@ NTSTATUS _samr_OpenGroup(struct pipes_struct *p,
>
> TALLOC_FREE(map);
>
>- ginfo = policy_handle_create(p, r->out.group_handle,
>- acc_granted,
>- struct samr_group_info, &status);
>+ ginfo = policy_handle_create(p,
>+ r->out.group_handle,
>+ SAMR_HANDLE_GROUP,
>+ acc_granted,
>+ struct samr_group_info,
>+ &status);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
>index d92963ec32a..c80fc2aac2d 100644
>--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
>+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
>@@ -715,7 +715,7 @@ static WERROR open_printer_hnd(struct pipes_struct *p,
> talloc_set_destructor(new_printer, printer_entry_destructor);
>
> /* This also steals the printer_handle on the policy_handle */
>- if (!create_policy_hnd(p, hnd, new_printer)) {
>+ if (!create_policy_hnd(p, hnd, 0, new_printer)) {
> TALLOC_FREE(new_printer);
> return WERR_INVALID_HANDLE;
> }
>diff --git a/source3/rpc_server/svcctl/srv_svcctl_nt.c b/source3/rpc_server/svcctl/srv_svcctl_nt.c
>index ae787066873..9ba6fbb1fce 100644
>--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
>+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
>@@ -257,7 +257,7 @@ static WERROR create_open_service_handle(struct pipes_struct *p,
>
> /* store the SERVICE_INFO and create an open handle */
>
>- if ( !create_policy_hnd( p, handle, info ) ) {
>+ if ( !create_policy_hnd( p, handle, 0, info ) ) {
> result = WERR_ACCESS_DENIED;
> goto done;
> }
>diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
>index 6c3270d886a..d67608fdd76 100644
>--- a/source3/rpc_server/winreg/srv_winreg_nt.c
>+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
>@@ -34,6 +34,8 @@
> #undef DBGC_CLASS
> #define DBGC_CLASS DBGC_RPC_SRV
>
>+enum handle_types { HTYPE_REGVAL, HTYPE_REGKEY };
>+
> /******************************************************************
> Find a registry key handle and return a struct registry_key *
> *****************************************************************/
>@@ -81,7 +83,7 @@ static WERROR open_registry_key(struct pipes_struct *p,
> return result;
> }
>
>- if ( !create_policy_hnd( p, hnd, HTYPE_REGKEY, key ) ) {
>+ if ( !create_policy_hnd( p, hnd, HTYPE_REGKEY, key ) ) {
> return WERR_FILE_NOT_FOUND;
> }
>
>@@ -710,7 +712,7 @@ WERROR _winreg_CreateKey(struct pipes_struct *p,
> return result;
> }
>
>- if (!create_policy_hnd(p, r->out.new_handle, new_key)) {
>+ if (!create_policy_hnd(p, r->out.new_handle, HTYPE_REGKEY, new_key)) {
> TALLOC_FREE(new_key);
> return WERR_FILE_NOT_FOUND;
> }
>--
>2.25.3
>
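Review bot: `HTYPE_REGVAL` in the new `enum handle_types` of srv_winreg_nt.c is never used in this patch; both `open_registry_key` and `_winreg_CreateKey` pass `HTYPE_REGKEY`. Its only visible effect is that `HTYPE_REGKEY` becomes 1 instead of 0, which may be intentional given the commit message says the changes follow the s4 server, but nothing in the file says so. I would add `/* on-wire handle types; HTYPE_REGVAL is unused here and kept so HTYPE_REGKEY stays 1 */` above the enum, or drop the unused member. The tag `handle_types` is also the one srv_epmapper.c introduces with different members, which is harmless while both stay file-local but worth a module prefix.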