From dbf6b64c77098331dae7c3600a12198770ed763c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Feb 2010 15:03:30 -0800 Subject: [PATCH] More fixes for bug #7146 - Samba miss-parses authenticated RPC packets. Ensure we calculate the space correctly (including the ss_padding_len) when constructing reply packets. Jeremy. (cherry picked from commit 11a87cd31eedaf4e43864bf51ac1f53bca53e327) --- source3/rpc_server/srv_pipe.c | 30 ++++++++++++++++-------------- 1 files changed, 16 insertions(+), 14 deletions(-) diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index bc0ad87..ab666fd 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -107,8 +107,15 @@ static bool create_next_pdu_ntlmssp(pipes_struct *p) return False; } - data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN - - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE; + if (data_len_left % SERVER_NDR_PADDING_SIZE) { + ss_padding_len = SERVER_NDR_PADDING_SIZE - (data_len_left % SERVER_NDR_PADDING_SIZE); + DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n", + ss_padding_len )); + } + + data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN - + RPC_HDR_RESP_LEN - ss_padding_len - RPC_HDR_AUTH_LEN - + NTLMSSP_SIG_SIZE; /* * The amount we send is the minimum of the available @@ -132,12 +139,6 @@ static bool create_next_pdu_ntlmssp(pipes_struct *p) p->hdr.flags |= DCERPC_PFC_FLAG_LAST; } - if (data_len_left % SERVER_NDR_PADDING_SIZE) { - ss_padding_len = SERVER_NDR_PADDING_SIZE - (data_len_left % SERVER_NDR_PADDING_SIZE); - DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n", - ss_padding_len )); - } - /* * Set up the header lengths. */ @@ -327,8 +328,14 @@ static bool create_next_pdu_schannel(pipes_struct *p) return False; } + if (data_len_left % SERVER_NDR_PADDING_SIZE) { + ss_padding_len = SERVER_NDR_PADDING_SIZE - (data_len_left % SERVER_NDR_PADDING_SIZE); + DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n", + ss_padding_len )); + } + data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN - - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN + - RPC_HDR_RESP_LEN - ss_padding_len - RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN; /* @@ -352,11 +359,6 @@ static bool create_next_pdu_schannel(pipes_struct *p) if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) { p->hdr.flags |= DCERPC_PFC_FLAG_LAST; } - if (data_len_left % SERVER_NDR_PADDING_SIZE) { - ss_padding_len = SERVER_NDR_PADDING_SIZE - (data_len_left % SERVER_NDR_PADDING_SIZE); - DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n", - ss_padding_len )); - } p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len + RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN; -- 1.6.6.2