Bug 11948 - Total dcerpc response payload more than 0x400000
Summary: Total dcerpc response payload more than 0x400000
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.4.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-06-03 09:40 UTC by Evgeny Sinelnikov
Modified: 2016-07-08 07:16 UTC
CC: 4 users

See Also:

Patch from metze for master (5.89 KB, patch)
2016-06-22 22:40 UTC, Andrew Bartlett
abartlet: review+
Patches for v4-4-test (7.33 KB, patch)
2016-06-26 19:21 UTC, Stefan Metzmacher
metze: review? (gd)
metze: review? (abartlet)
asn: review+
Patches for v4-3-test (7.33 KB, patch)
2016-06-26 19:26 UTC, Stefan Metzmacher
metze: review? (gd)
metze: review? (abartlet)
asn: review+
Patches for v4-2-test (7.33 KB, patch)
2016-06-26 19:31 UTC, Stefan Metzmacher
metze: review? (gd)
metze: review? (abartlet)
asn: review+

Description Evgeny Sinelnikov 2016-06-03 09:40:11 UTC
During the join of a Samba DC (version 4.4.3) into an existing Windows domain (Windows 2012 R2 with schema 2008 R2 and Exchange) we got the following problem:
Replicated 72 objects (12 linked attributes) for DC=xx,DC=xxx,DC=ru
Unexpected total payload 0x4010E0 > 0x400000 dcerpc response
ERROR(runtime): uncaught exception - (-1073610723, 'An RPC protocol error occurred.')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 651, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1192, in join_DC
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1096, in do_join
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 838, in join_replicate
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 253, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
checking sAMAccountName


This restriction was added for the security issue CVE-2015-5370 in commit 22ab56d5.
Comment 1 Stefan Metzmacher 2016-06-03 11:04:21 UTC
(In reply to Evgeny Sinelnikov from comment #0)

> So we could think, that constant
> DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
> is not absolutelly right.
> It would be correct to simply increase this constant?

I'd try to avoid that without understanding it.
I added some tests to verify that a server doesn't accept more than
4 Mbyte per pdu.

From [MS-RPCE] Maximum Server Input Data Size

  The combined length of the stub data for all fragments of a request SHOULD 
  not exceed 4 megabytes. If it exceeds 4 megabytes, the server implementation 
  SHOULD return a fault packet with the status field set to 0x00000005.<124>


  <124> Section This behavior can be turned off by higher-level 
  protocols or machine configuration. Note that the limit on Windows 2000 is 1 
  megabyte; Windows NT 4.0 does not implement such a limit.

I think we need to ask Microsoft about the limit for [MS-DRSR].

In our source3 code we use 15 MByte
#define MAX_RPC_DATA_SIZE (15*1024*1024)
Comment 2 Stefan Metzmacher 2016-06-03 11:08:22 UTC
(In reply to Stefan Metzmacher from comment #1)

We may also end up using different values on client and server
Comment 3 Evgeny Sinelnikov 2016-06-03 17:44:46 UTC
I changed it to 0x800000 (8 MB) and it works for me now.
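Added illustration of the limit being discussed in comment 1 through comment 3 (example code written for this page, not Samba code and not from any commenter). It builds constructed, minimal ncacn response PDUs from the public [C706]/[MS-RPCE] header layout, reassembles them as a client would, and applies two separate limits: the per-PDU frag_length against the negotiated fragment size, and the combined stub data of all fragments against a payload cap. Feeding it a constructed reply of 0x4010E0 bytes shows the reporter's failure with the 0x400000 cap and success with the 0x800000 value from comment 3. Assumptions: a 5840-byte fragment size (taken as Samba's default max_xmit_frag; any negotiated value works), and the function and exception names, which are this example's own.

```python
"""Reassembly of a fragmented DCERPC response with a total-payload cap.

Added example for Samba bug 11948; not Samba code. PDU layout follows the
public DCE 1.1 RPC ([C706] 12.6) / [MS-RPCE] 2.2 response header: 16 common
header bytes followed by alloc_hint, p_cont_id, cancel_count and a reserved
byte, then stub data. All inputs below are constructed.
"""
import struct

DCERPC_PTYPE_RESPONSE = 2
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
RESPONSE_HDR_LEN = 24                      # 16 common header bytes + 8 response-specific bytes
DCERPC_FRAG_MAX_SIZE = 5840                # assumed default max_xmit_frag (Samba's default)
DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000   # the 4 MB cap this bug report is about


class DcerpcProtocolError(Exception):
    """Stands in for NT_STATUS_RPC_PROTOCOL_ERROR seen in the reporter's traceback."""


def build_response(stub, call_id=1, max_frag=DCERPC_FRAG_MAX_SIZE):
    """Split stub data into a list of response PDUs, each at most max_frag bytes."""
    chunk = max_frag - RESPONSE_HDR_LEN
    pieces = [stub[i:i + chunk] for i in range(0, len(stub), chunk)] or [b""]
    pdus = []
    for n, piece in enumerate(pieces):
        flags = (PFC_FIRST_FRAG if n == 0 else 0) | (PFC_LAST_FRAG if n == len(pieces) - 1 else 0)
        # rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep (little-endian), frag_length, auth_length, call_id
        hdr = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_PTYPE_RESPONSE, flags, b"\x10\x00\x00\x00",
                          RESPONSE_HDR_LEN + len(piece), 0, call_id)
        # alloc_hint, p_cont_id, cancel_count, reserved
        hdr += struct.pack("<IHBB", len(stub), 0, 0, 0)
        pdus.append(hdr + piece)
    return pdus


def reassemble(pdus, payload_max=DCERPC_NCACN_PAYLOAD_MAX_SIZE, max_frag=DCERPC_FRAG_MAX_SIZE):
    """Concatenate the stub data of a fragmented response, enforcing both limits.

    frag_length is checked per PDU against max_frag; the running sum of stub
    data over all fragments is checked against payload_max. The second check
    is the one added for CVE-2015-5370 and is what the failing join tripped.
    """
    stub = bytearray()
    expected_call_id = None
    for pdu in pdus:
        if len(pdu) < RESPONSE_HDR_LEN:
            raise DcerpcProtocolError("short PDU")
        vers, vers_minor, ptype, flags, _drep, frag_len, auth_len, call_id = \
            struct.unpack_from("<BBBB4sHHI", pdu, 0)
        if (vers, vers_minor) != (5, 0) or ptype != DCERPC_PTYPE_RESPONSE:
            raise DcerpcProtocolError("not a v5 response PDU")
        if frag_len != len(pdu) or frag_len > max_frag:
            raise DcerpcProtocolError("bad frag_length 0x%X" % frag_len)
        if expected_call_id is None:
            expected_call_id = call_id
            if not flags & PFC_FIRST_FRAG:
                raise DcerpcProtocolError("first PDU lacks PFC_FIRST_FRAG")
        elif call_id != expected_call_id or flags & PFC_FIRST_FRAG:
            raise DcerpcProtocolError("fragment out of sequence")
        stub += pdu[RESPONSE_HDR_LEN:frag_len - auth_len]
        if len(stub) > payload_max:
            raise DcerpcProtocolError("Unexpected total payload 0x%X > 0x%X dcerpc response"
                                      % (len(stub), payload_max))
        if flags & PFC_LAST_FRAG:
            return bytes(stub)
    raise DcerpcProtocolError("response ended without PFC_LAST_FRAG")


def join_replication_outcome(stub_len, payload_max):
    """Return 'ok' or the error text a client with the given cap would raise for a reply of stub_len bytes."""
    pdus = build_response(b"\x00" * stub_len)
    try:
        reassemble(pdus, payload_max=payload_max)
        return "ok"
    except DcerpcProtocolError as e:
        return str(e)


if __name__ == "__main__":
    # 0x4010E0 is the payload size from the reporter's failing join (constructed stub data here).
    print(join_replication_outcome(0x4010E0, 0x400000))   # rejected, as in the report
    print(join_replication_outcome(0x4010E0, 0x800000))   # accepted with the 8 MB value from comment 3
```

Note that the cap is hit while the running total is still being accumulated, so the number printed in the error is the total at the fragment that crossed the line, not the final size of the reply. The example only models the client side of the exchange; a server enforcing the [MS-RPCE] input limit on requests would keep 4 MB and answer with a fault carrying status 0x00000005, which is why the client and server values need not be the same.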
Comment 4 Andrew Bartlett 2016-06-22 22:38:36 UTC
*** Bug 11987 has been marked as a duplicate of this bug. ***
Comment 5 Andrew Bartlett 2016-06-22 22:40:09 UTC
Created attachment 12201 [details]
Patch from metze for master

This should be in master shortly.
Comment 6 Stefan Metzmacher 2016-06-26 19:21:31 UTC
Created attachment 12208 [details]
Patches for v4-4-test
Comment 7 Stefan Metzmacher 2016-06-26 19:26:54 UTC
Created attachment 12210 [details]
Patches for v4-3-test
Comment 8 Stefan Metzmacher 2016-06-26 19:31:52 UTC
Created attachment 12212 [details]
Patches for v4-2-test
Comment 9 Karolin Seeger 2016-06-28 11:04:16 UTC
Pushed to autobuild-v4-[4|3]-test.

4.2 is in the security fixes mode.
Or should this one be included in the next 4.2 security release?
Comment 10 Jeremy Allison 2016-06-28 18:09:03 UTC
This isn't a security fix for 4.2, so I don't think it should go in the security release. We can leave it as a feature fix for anyone shipping an AD-DC on 4.2.x.
Comment 11 Stefan Metzmacher 2016-06-29 21:06:15 UTC
(In reply to Jeremy Allison from comment #10)

It just means they have a choice and need to revert to a pre-badlock version;
I don't think that's a good idea.
Comment 12 Jeremy Allison 2016-06-29 21:13:50 UTC
If it would mean losing the badlock protection then I'm OK with it as a security-fix for 4.2.next.
Comment 13 Andreas Schneider 2016-06-30 06:53:48 UTC
Comment on attachment 12208 [details]
Patches for v4-4-test

Comment 14 Karolin Seeger 2016-07-04 07:12:26 UTC
Pushed to v4-[4|3]-test and applied on v4-2-stable.
Comment 15 Karolin Seeger 2016-07-08 07:16:29 UTC
Pushed to all branches.
Closing out bug report.