Bug 11982 - Invalid auth_pad_length is not ignored for BIND_* and ALTER_* pdus
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.4.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Duplicates: 12000
Reported: 2016-06-20 12:23 UTC by Stefan Metzmacher
Modified: 2016-08-05 07:38 UTC
Attachments
Possible patches for master (8.09 KB, patch)
2016-06-20 20:28 UTC, Stefan Metzmacher
gd: review+
Patches for v4-4-test (38.43 KB, patch)
2016-06-26 19:22 UTC, Stefan Metzmacher
gd: review+
metze: review? (abartlet)
Patches for v4-3-test (38.43 KB, patch)
2016-06-26 19:28 UTC, Stefan Metzmacher
gd: review+
metze: review? (abartlet)
Patches for v4-2-test (13.66 KB, patch)
2016-06-26 19:32 UTC, Stefan Metzmacher
gd: review+
Patches for v4-2-test (38.43 KB, patch)
2016-08-03 07:48 UTC, Stefan Metzmacher
metze: review? (gd)
metze: review? (abartlet)
slow: review+

Description Stefan Metzmacher 2016-06-20 12:23:14 UTC
Older Samba servers (<= 3.5.x) reply with auth_pad_length = 8 (or other invalid values) in BIND_ACK and ALTER_RESP messages.

The fixes for CVE-2015-5370 make our client side too strict,
we no longer ignore these invalid values.
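
The behaviour this report asks for, as an added illustration that is not code from Samba or from the attached patches: the `auth_pad_length` byte of the sec_trailer is bounds-checked on a RESPONSE PDU but ignored on BIND, BIND_ACK, ALTER and ALTER_RESP. The function names and the sample PDU are constructed for this example; it assumes little-endian data representation and bounds the padding by the whole body in front of the trailer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DCE/RPC connection-oriented PDU types. */
enum { PT_REQUEST = 0, PT_RESPONSE = 2, PT_BIND = 11, PT_BIND_ACK = 12,
       PT_ALTER = 14, PT_ALTER_RESP = 15 };
#define HDR_LEN     16  /* common header */
#define TRAILER_LEN 8   /* sec_trailer in front of the auth blob */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* PDU types for which an invalid auth_pad_length is to be ignored. */
static int pad_ignored(uint8_t ptype)
{
    return ptype == PT_BIND || ptype == PT_BIND_ACK ||
           ptype == PT_ALTER || ptype == PT_ALTER_RESP;
}

/* Hypothetical helper: body bytes left once padding is removed, or -1 if malformed. */
long auth_body_len(const uint8_t *pdu, size_t len)
{
    if (len < HDR_LEN) return -1;
    size_t frag_len = le16(pdu + 8), auth_len = le16(pdu + 10);
    if (frag_len != len || auth_len == 0) return -1;
    if (auth_len + TRAILER_LEN > frag_len - HDR_LEN) return -1;

    size_t trailer_off = frag_len - auth_len - TRAILER_LEN;
    size_t body_len = trailer_off - HDR_LEN;
    uint8_t pad = pdu[trailer_off + 2];      /* auth_pad_length */

    if (pad_ignored(pdu[2]))
        pad = 0;                /* wire value is neither trusted nor used */
    else if (pad > body_len)
        return -1;              /* strict: padding cannot exceed the body */
    return (long)(body_len - pad);
}

/* Constructed sample: 16-byte header, 4-byte body, sec_trailer, 4-byte auth blob. */
long sample_body_len(uint8_t ptype, uint8_t pad)
{
    uint8_t pdu[32] = { 5, 0, ptype, 3, 0x10, 0, 0, 0, 32, 0, 4, 0, 1, 0, 0, 0 };
    pdu[20] = 10; pdu[21] = 6; pdu[22] = pad;   /* auth_type, auth_level, pad */
    return auth_body_len(pdu, sizeof(pdu));
}

int main(void)
{
    printf("RESPONSE pad=8: %ld\n", sample_body_len(PT_RESPONSE, 8));
    printf("BIND_ACK pad=8: %ld\n", sample_body_len(PT_BIND_ACK, 8));
    return 0;
}
```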
Comment 1 Stefan Metzmacher 2016-06-20 20:28:34 UTC
Created attachment 12192
Possible patches for master
Comment 2 Stefan Metzmacher 2016-06-26 19:22:52 UTC
Created attachment 12209
Patches for v4-4-test
Comment 3 Stefan Metzmacher 2016-06-26 19:28:31 UTC
Created attachment 12211
Patches for v4-3-test
Comment 4 Stefan Metzmacher 2016-06-26 19:32:54 UTC
Created attachment 12213
Patches for v4-2-test
Comment 5 Guenther Deschner 2016-06-27 13:56:51 UTC
Comment on attachment 12209
Patches for v4-4-test

LGTM
Comment 6 Guenther Deschner 2016-06-27 13:57:11 UTC
Comment on attachment 12211
Patches for v4-3-test

LGTM
Comment 7 Guenther Deschner 2016-06-27 13:57:27 UTC
Comment on attachment 12213
Patches for v4-2-test

LGTM
Comment 8 Karolin Seeger 2016-06-28 11:06:12 UTC
Pushed to autobuild-v4-[4|3]-test.

4.2 is in the security fixes only mode.
Should these patches be included in the next 4.2 security release?
Comment 9 Stefan Metzmacher 2016-06-29 18:38:57 UTC
*** Bug 12000 has been marked as a duplicate of this bug. ***
Comment 10 Stefan Metzmacher 2016-06-29 20:52:08 UTC
(In reply to Karolin Seeger from comment #8)

I'd propose that, because otherwise people need to downgrade to
a version before the badlock fixes, see bug #11982.
Comment 11 Karolin Seeger 2016-08-02 07:29:26 UTC
(In reply to Karolin Seeger from comment #8)
Pushed to v4-3-test and v4-4-test.
Comment 12 Karolin Seeger 2016-08-02 07:31:19 UTC
Patch for 4.2 does not apply on current v4-2-test branch.
Re-assigning to metze.
Comment 13 Stefan Metzmacher 2016-08-03 07:48:10 UTC
Created attachment 12308
Patches for v4-2-test
Comment 14 Ralph Böhme 2016-08-03 08:08:57 UTC
Reassigning to Karolin for inclusion in 4.2
Comment 15 Karolin Seeger 2016-08-03 09:42:08 UTC
(In reply to Ralph Böhme from comment #14)
Pushed to autobuild-v4-2-test and applied on v4-2-stable.

Thanks!
Comment 16 Karolin Seeger 2016-08-05 07:38:43 UTC
(In reply to Karolin Seeger from comment #15)
Pushed to v4-2-test.
Closing out bug report.

Thanks!