The Samba-Bugzilla – Attachment 18122 Details for
Bug 15465
rpcd_lsad/netlogon/LogonControl2Ex can dereference a client-supplied pointer
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch (for master)
netlogon-fix.patch (text/plain), 5.02 KB, created by
Noel Power
on 2023-09-25 10:06:54 UTC
(
hide
)
Description:
patch (for master)
Filename:
MIME Type:
Creator:
Noel Power
Created:
2023-09-25 10:06:54 UTC
Size:
5.02 KB
patch
obsolete
>From 16851785550adfd913592dc4db76a7c5d2d7165e Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 25 Sep 2023 10:30:30 +0100 >Subject: [PATCH 1/3] s4/torture: Prepare to handle Level 4 check with unknown > func code > >A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test >to use levels 1 - 4 (current test just tests 1 - 3). A side affect of >this test is that the following test will now test passing an unknown >function code against against Level 4 (previously level 3). > >Unfortunately s4 and s3 netlogon server results differ when handling >a level 4 request with an unknown function code. > s3 server returns WERR_NOT_SUPPORTED and > s4 server returns WERR_INVALID_PARAMETER. > >For level 3 both return WERR_NOT_SUPPORTED. > >MS-NRPC doesn't seem to specifically indicate the required response in >this case. > >this commit modifies the test to cater for either response (for either >level) A future commit could explore the test response combinations more >thorougly. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 >Signed-off-by: Noel Power <noel.power@suse.com> >--- > source4/torture/rpc/netlogon.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > >diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c >index 07e63612e81..35eda5f99f5 100644 >--- a/source4/torture/rpc/netlogon.c >+++ b/source4/torture/rpc/netlogon.c >@@ -4087,7 +4087,10 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, > torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex"); > switch (secure_channel_type) { > case SEC_CHAN_NULL: >- torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, "LogonControl2Ex"); >+ torture_assert(tctx, >+ W_ERROR_EQUAL(r.out.result, WERR_NOT_SUPPORTED) || >+ W_ERROR_EQUAL(r.out.result, WERR_INVALID_PARAMETER), >+ "LogonControl2Ex"); > break; > default: > torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED, "LogonControl2Ex"); >-- >2.35.3 > > >From b8483f7f09db23be11970b8745cd886f81548cf4 Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Sun, 24 Sep 2023 01:03:37 +0100 >Subject: [PATCH 2/3] s4/torture: Test with level 4 with > NETLOGON_CONTROL_SET_DBFLAG function > >Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG > >This change triggers a core dump in the server and so we add a knownfail >here. Following commit will fix (and remove known fail) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 >Signed-off-by: Noel Power <noel.power@suse.com> >--- > selftest/knownfail.d/netlogon.admin | 1 + > source4/torture/rpc/netlogon.c | 3 ++- > 2 files changed, 3 insertions(+), 1 deletion(-) > create mode 100644 selftest/knownfail.d/netlogon.admin > >diff --git a/selftest/knownfail.d/netlogon.admin b/selftest/knownfail.d/netlogon.admin >new file mode 100644 >index 00000000000..054eefb3186 >--- /dev/null >+++ b/selftest/knownfail.d/netlogon.admin >@@ -0,0 +1 @@ >+^samba3.rpc.netlogon.admin.admin.LogonControl2Ex.nt4_dc >diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c >index 35eda5f99f5..5572d8abe82 100644 >--- a/source4/torture/rpc/netlogon.c >+++ b/source4/torture/rpc/netlogon.c >@@ -3993,6 +3993,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, > /* > try a netlogon LogonControl2Ex > */ >+ > static bool test_LogonControl2Ex(struct torture_context *tctx, > struct dcerpc_pipe *p, > struct cli_credentials *machine_credentials) >@@ -4066,7 +4067,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, > r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG; > r.in.data = &data; > >- for (i=1;i<4;i++) { >+ for (i=1;i<=4;i++) { > r.in.level = i; > > torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n", >-- >2.35.3 > > >From 74da37f25356c4ae26bf9e162882911ebd00d31f Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 25 Sep 2023 09:58:33 +0100 >Subject: [PATCH 3/3] s3/rpc_server: Fix dereference of client pointer > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 >Signed-off-by: Noel Power <noel.power@suse.com> >--- > selftest/knownfail.d/netlogon.admin | 1 - > source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +++ > 2 files changed, 3 insertions(+), 1 deletion(-) > delete mode 100644 selftest/knownfail.d/netlogon.admin > >diff --git a/selftest/knownfail.d/netlogon.admin b/selftest/knownfail.d/netlogon.admin >deleted file mode 100644 >index 054eefb3186..00000000000 >--- a/selftest/knownfail.d/netlogon.admin >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.rpc.netlogon.admin.admin.LogonControl2Ex.nt4_dc >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 7c4b3b92983..0992ad4ef3a 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -389,6 +389,9 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p, > r->out.query->info3 = info3; > break; > case 4: >+ if (r->in.function_code != NETLOGON_CONTROL_FIND_USER) { >+ return WERR_INVALID_PARAMETER; >+ } > info4 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_4); > W_ERROR_HAVE_NO_MEMORY(info4); > >-- >2.35.3 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=18122">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 15465
:
18116
| 18122