bool smb_io_rpc_hdr(const char *desc, RPC_HDR *rpc, prs_struct *ps, int depth) { if (rpc == NULL) return False; prs_debug(ps, depth, desc, "smb_io_rpc_hdr"); depth++; if(!prs_uint8 ("major ", ps, depth, &rpc->major)) return False; if(!prs_uint8 ("minor ", ps, depth, &rpc->minor)) return False; if(!prs_uint8 ("pkt_type ", ps, depth, &rpc->pkt_type)) return False; if(!prs_uint8 ("flags ", ps, depth, &rpc->flags)) return False; /* We always marshall in little endian format. */ if (MARSHALLING(ps)) rpc->pack_type[0] = 0x10; if(!prs_uint8("pack_type0", ps, depth, &rpc->pack_type[0])) return False; if(!prs_uint8("pack_type1", ps, depth, &rpc->pack_type[1])) return False; if(!prs_uint8("pack_type2", ps, depth, &rpc->pack_type[2])) return False; if(!prs_uint8("pack_type3", ps, depth, &rpc->pack_type[3])) return False; /* * If reading and pack_type[0] == 0 then the data is in big-endian * format. Set the flag in the prs_struct to specify reverse-endainness. */ if (UNMARSHALLING(ps) && rpc->pack_type[0] == 0) { DEBUG(10,("smb_io_rpc_hdr: PDU data format is big-endian. Setting flag.\n")); prs_set_endian_data(ps, RPC_BIG_ENDIAN); } if(!prs_uint16("frag_len ", ps, depth, &rpc->frag_len)) return False; if(!prs_uint16("auth_len ", ps, depth, &rpc->auth_len)) return False; if(!prs_uint32("call_id ", ps, depth, &rpc->call_id)) return False; return True; }
static void process_complete_pdu(pipes_struct *p) { prs_struct rpc_in; size_t data_len = p->in_data.pdu_received_len - RPC_HEADER_LEN; char *data_p = (char *)&p->in_data.current_in_pdu[RPC_HEADER_LEN]; bool reply = False; if(p->fault_state) { DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n", get_pipe_name_from_iface(&p->syntax))); set_incoming_fault(p); setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); return; } prs_init_empty( &rpc_in, p->mem_ctx, UNMARSHALL); /* * Ensure we're using the corrent endianness for both the * RPC header flags and the raw data we will be reading from. */ prs_set_endian_data( &rpc_in, p->endian); prs_set_endian_data( &p->in_data.data, p->endian); prs_give_memory( &rpc_in, data_p, (uint32)data_len, False); DEBUG(10,("process_complete_pdu: processing packet type %u\n", (unsigned int)p->hdr.pkt_type )); switch (p->hdr.pkt_type) { case RPC_REQUEST: reply = process_request_pdu(p, &rpc_in); break; case RPC_PING: /* CL request - ignore... */ DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n", (unsigned int)p->hdr.pkt_type, get_pipe_name_from_iface(&p->syntax))); break; case RPC_RESPONSE: /* No responses here. */ DEBUG(0,("process_complete_pdu: Error. RPC_RESPONSE received from client on pipe %s.\n", get_pipe_name_from_iface(&p->syntax))); break; case RPC_FAULT: case RPC_WORKING: /* CL request - reply to a ping when a call in process. */ case RPC_NOCALL: /* CL - server reply to a ping call. */ case RPC_REJECT: case RPC_ACK: case RPC_CL_CANCEL: case RPC_FACK: case RPC_CANCEL_ACK: DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n", (unsigned int)p->hdr.pkt_type, get_pipe_name_from_iface(&p->syntax))); break; case RPC_BIND: /* * We assume that a pipe bind is only in one pdu. */ if(pipe_init_outgoing_data(p)) { reply = api_pipe_bind_req(p, &rpc_in); } break; case RPC_BINDACK: case RPC_BINDNACK: DEBUG(0,("process_complete_pdu: Error. RPC_BINDACK/RPC_BINDNACK packet type %u received on pipe %s.\n", (unsigned int)p->hdr.pkt_type, get_pipe_name_from_iface(&p->syntax))); break; case RPC_ALTCONT: /* * We assume that a pipe bind is only in one pdu. */ if(pipe_init_outgoing_data(p)) { reply = api_pipe_alter_context(p, &rpc_in); } break; case RPC_ALTCONTRESP: DEBUG(0,("process_complete_pdu: Error. RPC_ALTCONTRESP on pipe %s: Should only be server -> client.\n", get_pipe_name_from_iface(&p->syntax))); break; case RPC_AUTH3: /* * The third packet in an NTLMSSP auth exchange. */ if(pipe_init_outgoing_data(p)) { reply = api_pipe_bind_auth3(p, &rpc_in); } break; case RPC_SHUTDOWN: DEBUG(0,("process_complete_pdu: Error. RPC_SHUTDOWN on pipe %s: Should only be server -> client.\n", get_pipe_name_from_iface(&p->syntax))); break; case RPC_CO_CANCEL: /* For now just free all client data and continue processing. */ DEBUG(3,("process_complete_pdu: RPC_ORPHANED. Abandoning rpc call.\n")); /* As we never do asynchronous RPC serving, we can never cancel a call (as far as I know). If we ever did we'd have to send a cancel_ack reply. For now, just free all client data and continue processing. */ reply = True; break; #if 0 /* Enable this if we're doing async rpc. */ /* We must check the call-id matches the outstanding callid. */ if(pipe_init_outgoing_data(p)) { /* Send a cancel_ack PDU reply. */ /* We should probably check the auth-verifier here. */ reply = setup_cancel_ack_reply(p, &rpc_in); } break; #endif case RPC_ORPHANED: /* We should probably check the auth-verifier here. For now just free all client data and continue processing. */ DEBUG(3,("process_complete_pdu: RPC_ORPHANED. Abandoning rpc call.\n")); reply = True; break; default: DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type )); break; } /* Reset to little endian. Probably don't need this but it won't hurt. */ prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN); if (!reply) { DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on " "pipe %s\n", get_pipe_name_from_iface(&p->syntax))); set_incoming_fault(p); setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)); prs_mem_free(&rpc_in); } else { /* * Reset the lengths. We're ready for a new pdu. */ TALLOC_FREE(p->in_data.current_in_pdu); p->in_data.pdu_needed_len = 0; p->in_data.pdu_received_len = 0; } prs_mem_free(&rpc_in); }
static ssize_t unmarshall_rpc_header(pipes_struct *p) { /* * Unmarshall the header to determine the needed length. */ prs_struct rpc_in; if(p->in_data.pdu_received_len != RPC_HEADER_LEN) { DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n")); set_incoming_fault(p); return -1; } prs_init_empty( &rpc_in, p->mem_ctx, UNMARSHALL); prs_set_endian_data( &rpc_in, p->endian); prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0], p->in_data.pdu_received_len, False); /* * Unmarshall the header as this will tell us how much * data we need to read to get the complete pdu. * This also sets the endian flag in rpc_in. */ if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) { DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n")); set_incoming_fault(p); prs_mem_free(&rpc_in); return -1; } /* * Validate the RPC header. */ if(p->hdr.major != 5 && p->hdr.minor != 0) { DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n")); set_incoming_fault(p); prs_mem_free(&rpc_in); return -1; } /* * If there's not data in the incoming buffer this should be the start of a new RPC. */ if(prs_offset(&p->in_data.data) == 0) { /* * AS/U doesn't set FIRST flag in a BIND packet it seems. */ if ((p->hdr.pkt_type == RPC_REQUEST) && !(p->hdr.flags & RPC_FLG_FIRST)) { /* * Ensure that the FIRST flag is set. If not then we have * a stream missmatch. */ DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n")); set_incoming_fault(p); prs_mem_free(&rpc_in); return -1; } /* * If this is the first PDU then set the endianness * flag in the pipe. We will need this when parsing all * data in this RPC. */ p->endian = rpc_in.bigendian_data; DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n", p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" )); } else { /* * If this is *NOT* the first PDU then check the endianness * flag in the pipe is the same as that in the PDU. */ if (p->endian != rpc_in.bigendian_data) { DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian)); set_incoming_fault(p); prs_mem_free(&rpc_in); return -1; } } /* * Ensure that the pdu length is sane. */ if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > RPC_MAX_PDU_FRAG_LEN)) { DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n")); set_incoming_fault(p); prs_mem_free(&rpc_in); return -1; } DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type, (unsigned int)p->hdr.flags )); p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN; prs_mem_free(&rpc_in); p->in_data.current_in_pdu = TALLOC_REALLOC_ARRAY( p, p->in_data.current_in_pdu, uint8_t, p->hdr.frag_len); if (p->in_data.current_in_pdu == NULL) { DEBUG(0, ("talloc failed\n")); set_incoming_fault(p); return -1; } return 0; /* No extra data processed. */ }
static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, uint32 fragment_start, int len, int auth_len, uint8 pkt_type, int *pauth_padding_len) { /* * The following is that length of the data we must sign or seal. * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN * preceeding the auth_data. */ int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len; /* * The start of the data to sign/seal is just after the RPC headers. */ char *reply_data = prs_data_p(rdata) + fragment_start + RPC_HEADER_LEN + RPC_HDR_REQ_LEN; RPC_HDR_AUTH rhdr_auth; char *dp = prs_data_p(rdata) + fragment_start + len - RPC_HDR_AUTH_LEN - auth_len; prs_struct auth_verf; *pauth_padding_len = 0; if (auth_len == 0) { if (cli->pipe_auth_flags == 0) { /* move along, nothing to see here */ return True; } DEBUG(2, ("No authenticaton header recienved on reply, but this pipe is authenticated\n")); return False; } DEBUG(5,("rpc_auth_pipe: pkt_type: %d len: %d auth_len: %d NTLMSSP %s schannel %s sign %s seal %s \n", pkt_type, len, auth_len, BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP), BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NETSEC), BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SIGN), BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SEAL))); if (dp - prs_data_p(rdata) > prs_data_size(rdata)) { DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n")); return False; } DEBUG(10,("rpc_auth_pipe: packet:\n")); dump_data(100, dp, auth_len); prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL); /* The endinness must be preserved. JRA. */ prs_set_endian_data( &auth_verf, rdata->bigendian_data); /* Point this new parse struct at the auth section of the main parse struct - rather than copying it. Avoids needing to free it on every error */ prs_give_memory(&auth_verf, dp, RPC_HDR_AUTH_LEN + auth_len, False /* not dynamic */); prs_set_offset(&auth_verf, 0); { int auth_type; int auth_level; if (!smb_io_rpc_hdr_auth("auth_hdr", &rhdr_auth, &auth_verf, 0)) { DEBUG(0, ("rpc_auth_pipe: Could not parse auth header\n")); return False; } /* Let the caller know how much padding at the end of the data */ *pauth_padding_len = rhdr_auth.padding; /* Check it's the type of reply we were expecting to decode */ get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level); if (rhdr_auth.auth_type != auth_type) { DEBUG(0, ("BAD auth type %d (should be %d)\n", rhdr_auth.auth_type, auth_type)); return False; } if (rhdr_auth.auth_level != auth_level) { DEBUG(0, ("BAD auth level %d (should be %d)\n", rhdr_auth.auth_level, auth_level)); return False; } } if (pkt_type == RPC_BINDACK) { if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) { /* copy the next auth_len bytes into a buffer for later use */ DATA_BLOB ntlmssp_verf = data_blob(NULL, auth_len); BOOL store_ok; /* save the reply away, for use a little later */ prs_copy_data_out((char *)ntlmssp_verf.data, &auth_verf, auth_len); store_ok = (NT_STATUS_IS_OK(ntlmssp_store_response(cli->ntlmssp_pipe_state, ntlmssp_verf))); data_blob_free(&ntlmssp_verf); return store_ok; } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) { /* nothing to do here - we don't seem to be able to validate the bindack based on VL's comments */ return True; } } if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) { NTSTATUS nt_status; DATA_BLOB sig; if ((cli->pipe_auth_flags & AUTH_PIPE_SIGN) || (cli->pipe_auth_flags & AUTH_PIPE_SEAL)) { if (auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) { DEBUG(0,("rpc_auth_pipe: wrong ntlmssp auth len %d\n", auth_len)); return False; } sig = data_blob(NULL, auth_len); prs_copy_data_out((char *)sig.data, &auth_verf, auth_len); } /* * Unseal any sealed data in the PDU, not including the * 8 byte auth_header or the auth_data. */ /* * Now unseal and check the auth verifier in the auth_data at * the end of the packet. */ if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) { if (data_len < 0) { DEBUG(1, ("Can't unseal - data_len < 0!!\n")); return False; } nt_status = ntlmssp_unseal_packet(cli->ntlmssp_pipe_state, (unsigned char *)reply_data, data_len, &sig); } else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) { nt_status = ntlmssp_check_packet(cli->ntlmssp_pipe_state, (const unsigned char *)reply_data, data_len, &sig); } data_blob_free(&sig); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("rpc_auth_pipe: could not validate " "incoming NTLMSSP packet!\n")); return False; } } if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) { RPC_AUTH_NETSEC_CHK chk; if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) { DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len)); return False; } if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", &chk, &auth_verf, 0)) { DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling " "RPC_AUTH_NETSECK_CHK failed\n")); return False; } if (!netsec_decode(&cli->auth_info, cli->pipe_auth_flags, SENDER_IS_ACCEPTOR, &chk, reply_data, data_len)) { DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n")); return False; } cli->auth_info.seq_num++; } return True; }
static ssize_t process_complete_pdu(pipes_struct *p) { prs_struct rpc_in; size_t data_len = p->in_data.pdu_received_len; char *data_p = (char *)&p->in_data.current_in_pdu[0]; BOOL reply = False; if(p->fault_state) { DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n", p->name )); set_incoming_fault(p); setup_fault_pdu(p, NT_STATUS(0x1c010002)); return (ssize_t)data_len; } prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL); /* * Ensure we're using the corrent endianness for both the * RPC header flags and the raw data we will be reading from. */ prs_set_endian_data( &rpc_in, p->endian); prs_set_endian_data( &p->in_data.data, p->endian); prs_give_memory( &rpc_in, data_p, (uint32)data_len, False); DEBUG(10,("process_complete_pdu: processing packet type %u\n", (unsigned int)p->hdr.pkt_type )); switch (p->hdr.pkt_type) { case RPC_BIND: case RPC_ALTCONT: /* * We assume that a pipe bind is only in one pdu. */ if(pipe_init_outgoing_data(p)) reply = api_pipe_bind_req(p, &rpc_in); break; case RPC_BINDRESP: /* * We assume that a pipe bind_resp is only in one pdu. */ if(pipe_init_outgoing_data(p)) reply = api_pipe_bind_auth_resp(p, &rpc_in); break; case RPC_REQUEST: reply = process_request_pdu(p, &rpc_in); break; default: DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type )); break; } /* Reset to little endian. Probably don't need this but it won't hurt. */ prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN); if (!reply) { DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on pipe %s\n", p->pipe_srv_name)); set_incoming_fault(p); setup_fault_pdu(p, NT_STATUS(0x1c010002)); prs_mem_free(&rpc_in); } else { /* * Reset the lengths. We're ready for a new pdu. */ p->in_data.pdu_needed_len = 0; p->in_data.pdu_received_len = 0; } prs_mem_free(&rpc_in); return (ssize_t)data_len; }