Attachment 9795 Details for Bug 10481 – v4-0-test patch

v4-0-test patch

look40 (text/plain), 5.43 KB, created by Andreas Schneider on 2014-03-20 17:52:46 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andreas Schneider

Created: 2014-03-20 17:52:46 UTC

Size: 5.43 KB

patch

obsolete

>From f8137298421f543ccdd713e898dcca7f168a6c7d Mon Sep 17 00:00:00 2001
>From: Gregor Beck <gbeck@sernet.de>
>Date: Thu, 9 Jan 2014 10:15:31 +0100
>Subject: [PATCH 1/2] s3:rpc_server: minor refactoring of process_request_pdu()
>
>Signed-off-by: Gregor Beck <gbeck@sernet.de>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>(cherry picked from commit b5f30205931a4b9d0b3b257d5855869e606f8b63)
>---
> source3/rpc_server/srv_pipe.c | 25 ++++++++++---------------
> 1 file changed, 10 insertions(+), 15 deletions(-)
>
>diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
>index 4a7f4ab..9f2062a 100644
>--- a/source3/rpc_server/srv_pipe.c
>+++ b/source3/rpc_server/srv_pipe.c
>@@ -1559,24 +1559,19 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
> 		}
> 	}
> 
>-	if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
>-		bool ret = False;
>-		/*
>-		 * Ok - we finally have a complete RPC stream.
>-		 * Call the rpc command to process it.
>-		 */
>-
>-		/*
>-		 * Process the complete data stream here.
>-		 */
>-		if (pipe_init_outgoing_data(p)) {
>-			ret = api_pipe_request(p, pkt);
>-		}
>+	if (!(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
>+		return true;
>+	}
> 
>-		return ret;
>+	/*
>+	 * Ok - we finally have a complete RPC stream.
>+	 * Call the rpc command to process it.
>+	 */
>+	if (!pipe_init_outgoing_data(p)) {
>+		return false;
> 	}
> 
>-	return True;
>+	return api_pipe_request(p, pkt);
> }
> 
> /****************************************************************************
>-- 
>1.9.0
>
>
>From 079b3b591a04dd6d8cc970bbe0347f46c0a67c48 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@cryptomilk.org>
>Date: Thu, 20 Mar 2014 14:45:01 +0100
>Subject: [PATCH 2/2] s3-rpc_server: Fix handling of fragmented rpc requests.
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>We need to call pipe_init_outgoing_data() as the first thing in
>process_complete_pdu(). Otherwise the caller may use uninitialized
>memory and tries to write a response into the socket.
>
>The problem happens only if a real socket is used, which means
>in all cases for master and only with external rpc daemons in v4-0
>and v4-1.
>
>The problem looks like this in the logs.
>
>    [2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
>      Processing packet type 0
>    [2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
>      Checking request auth.
>    [2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
>      Sending 1 fragments in a total of 0 bytes
>    [2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
>      Sending PDU number: 0, PDU Length: 4294967228
>    [2014/03/20 14:49:35.531801,  2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
>      Writev failed!
>    [2014/03/20 14:49:35.531845,  2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
>      Fatal error(Message too long). Terminating client(127.0.0.1) connection!
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
>
>Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
>Reviewed-by: Guenther Deschner <gd@samba.org
>
>Autobuild-User(master): GÃ¼nther Deschner <gd@samba.org>
>Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104
>
>(cherry picked from commit 5277fc4d0393ffe2e415ad26610b36d2986c62d7)
>---
> source3/rpc_server/srv_pipe.c | 19 +++++++------------
> 1 file changed, 7 insertions(+), 12 deletions(-)
>
>diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
>index 9f2062a..643d606 100644
>--- a/source3/rpc_server/srv_pipe.c
>+++ b/source3/rpc_server/srv_pipe.c
>@@ -1567,9 +1567,6 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
> 	 * Ok - we finally have a complete RPC stream.
> 	 * Call the rpc command to process it.
> 	 */
>-	if (!pipe_init_outgoing_data(p)) {
>-		return false;
>-	}
> 
> 	return api_pipe_request(p, pkt);
> }
>@@ -1619,6 +1616,10 @@ void process_complete_pdu(struct pipes_struct *p)
> 
> 	DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
> 
>+	if (!pipe_init_outgoing_data(p)) {
>+		goto done;
>+	}
>+
> 	switch (pkt->ptype) {
> 	case DCERPC_PKT_REQUEST:
> 		reply = process_request_pdu(p, pkt);
>@@ -1651,9 +1652,7 @@ void process_complete_pdu(struct pipes_struct *p)
> 		/*
> 		 * We assume that a pipe bind is only in one pdu.
> 		 */
>-		if (pipe_init_outgoing_data(p)) {
>-			reply = api_pipe_bind_req(p, pkt);
>-		}
>+		reply = api_pipe_bind_req(p, pkt);
> 		break;
> 
> 	case DCERPC_PKT_BIND_ACK:
>@@ -1668,9 +1667,7 @@ void process_complete_pdu(struct pipes_struct *p)
> 		/*
> 		 * We assume that a pipe bind is only in one pdu.
> 		 */
>-		if (pipe_init_outgoing_data(p)) {
>-			reply = api_pipe_alter_context(p, pkt);
>-		}
>+		reply = api_pipe_alter_context(p, pkt);
> 		break;
> 
> 	case DCERPC_PKT_ALTER_RESP:
>@@ -1682,9 +1679,7 @@ void process_complete_pdu(struct pipes_struct *p)
> 		/*
> 		 * The third packet in an auth exchange.
> 		 */
>-		if (pipe_init_outgoing_data(p)) {
>-			reply = api_pipe_bind_auth3(p, pkt);
>-		}
>+		reply = api_pipe_bind_auth3(p, pkt);
> 		break;
> 
> 	case DCERPC_PKT_SHUTDOWN:
>-- 
>1.9.0
>

Flags:

metze: review+
gd: review+

Actions: View

Attachments on bug 10481: 9738 | 9739 | 9740 | 9794 | 9795