The branch, master has been updated
       via  4b6cfbb... s4-lsa: Fix dcesrv_lsa_EnumTrustDom() and avoid infinite windows client loop.
       via  209a65b... s3-lsa: Fix _lsa_EnumTrustDom() and avoid infinite windows client loop.
      from  48520b2... s4-smbtorture: test whether an lsa_EnumTrustDom implementation would hang up a client.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4b6cfbb6d27eea07400d0eacb08b2f69724b19ca
Author: Günther Deschner <[email protected]>
Date:   Wed Oct 21 02:18:54 2009 +0200

    s4-lsa: Fix dcesrv_lsa_EnumTrustDom() and avoid infinite windows client loop.
    
    Found by RPC-LSA-TRUSTED-DOMAIN torture test.
    
    Guenther

commit 209a65bc6f783055f3f6a8cea3fb36587d346511
Author: Günther Deschner <[email protected]>
Date:   Wed Oct 21 02:17:32 2009 +0200

    s3-lsa: Fix _lsa_EnumTrustDom() and avoid infinite windows client loop.
    
    Found by RPC-LSA-TRUSTED-DOMAIN torture test.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_server/srv_lsa_nt.c     |    9 +++++++++
 source4/rpc_server/lsa/dcesrv_lsa.c |    9 +++++++++
 2 files changed, 18 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 23ea045..a9a4fa5 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -477,6 +477,15 @@ NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
                return STATUS_MORE_ENTRIES;
        }
 
+       /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+        * always be larger than the previous input resume handle, in
+        * particular when hitting the last query it is vital to set the
+        * resume handle correctly to avoid infinite client loops, as
+        * seen e.g. with Windows XP SP3 when resume handle is 0 and
+        * status is NT_STATUS_OK - gd */
+
+       *r->out.resume_handle = (uint32_t)-1;
+
        return NT_STATUS_OK;
 }
 
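Review bot: the new assignment only covers the final-page path, and the rule quoted in the comment (output handle strictly larger than the input handle) holds for `(uint32_t)-1` against every input except `(uint32_t)-1` itself, so a client that re-sends the handle it just received needs to be caught by the entry check outside this hunk and answered with NT_STATUS_NO_MORE_ENTRIES rather than a restart at 0 with NT_STATUS_OK, otherwise the Windows XP SP3 loop the comment describes reappears one call later. Suggest writing the sentinel as `UINT32_MAX` instead of the cast, and extending the RPC-LSA-TRUSTED-DOMAIN torture test named in the commit message with a case that resends the returned handle and expects the enumeration to terminate.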
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c 
b/source4/rpc_server/lsa/dcesrv_lsa.c
index 0e6a55e..e35f2d8 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1660,6 +1660,15 @@ static NTSTATUS dcesrv_lsa_EnumTrustDom(struct 
dcesrv_call_state *dce_call, TALL
                return STATUS_MORE_ENTRIES;
        }
 
+       /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+        * always be larger than the previous input resume handle, in
+        * particular when hitting the last query it is vital to set the
+        * resume handle correctly to avoid infinite client loops, as
+        * seen e.g. with Windows XP SP3 when resume handle is 0 and
+        * status is NT_STATUS_OK - gd */
+
+       *r->out.resume_handle = (uint32_t)-1;
+
        return NT_STATUS_OK;
 }
 
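Review bot: the `(uint32_t)-1` sentinel and its six-line comment are now duplicated verbatim between source3/rpc_server/srv_lsa_nt.c and source4/rpc_server/lsa/dcesrv_lsa.c; since both servers encode the same MS-LSAD 3.1.4.7.8 rule, a single named constant for the end-of-enumeration handle shared by both trees would keep the two implementations from drifting. Same caveat as on the s3 hunk: the `STATUS_MORE_ENTRIES` return just above this insertion must also hand back a handle strictly greater than the input handle for the rule to hold on every page and not only the last one; a sentence in the commit message confirming that path was checked would help.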


-- 
Samba Shared Repository
