The branch, v4-2-stable has been updated
       via  c7c5fe1 VERSION: Disable git snapshots for the 4.2.14 release.
       via  eb480ea WHATSNEW: Add release notes for Samba 4.2.14.
       via  13437f9 CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing
       via  db256b6 CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing
       via  b9200a6 CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
       via  7e73588 ctdb-common: For AF_PACKET socket types, protocol is in network order
       via  8368f6f ctdb-common: Use documented names for protocol family in socket()
       via  ea9ddb4 ctdb-common: Protocol argument must be in host order for socket() call
       via  434aaaf dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
       via  f772649 s4:rpc_server: use a variable for the max total reassembled request payload
       via  d069b66 s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes
       via  6509689 dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
       via  9c6e913 VERSION: Bump version up to 4.2.14...
      from  f03201a VERSION: Disable git snapshots for the 4.2.13 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-stable


- Log -----------------------------------------------------------------
commit c7c5fe127366aa8edb69247f80a4e015969cf1b3
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Jul 5 12:58:16 2016 +0200

    VERSION: Disable git snapshots for the 4.2.14 release.

    CVE-2016-2119: Client side SMB2 signing downgrade.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit eb480ea5ee84ca73519b8b9667664cff0aa04e1f
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Jul 5 12:57:02 2016 +0200

    WHATSNEW: Add release notes for Samba 4.2.14.

    CVE-2016-2119: Client side SMB2 signing downgrade.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 13437f93b7bf52eefe8dfa824e31b24722f9ea44
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 02:24:52 2016 +0200

    CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit db256b6163fc010b4d895366327a81ee7e0eb24a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 02:36:35 2016 +0200

    CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit b9200a6fe1f2e78d714420d162e00590de6827b0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 20 11:26:57 2016 +0200

    CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing

    Note real anonymous sessions (with "" as username) don't hit this
    as we don't even call smb2cli_session_set_session_key() in that case.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 7e73588cdd3280a1866c27a9309cb5fc65b21a00
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Thu Mar 3 14:17:40 2016 +1100

    ctdb-common: For AF_PACKET socket types, protocol is in network order

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11770

    From man page of packet(7):

      protocol is the IEEE 802.3 protocol number in network byte order.
      See the <linux/if_ether.h> include file for a list of allowed
      protocols. When protocol is set to htons(ETH_P_ALL), then all
      protocols are received.

    Protocol argument was changed from network order to host order wrongly
    in commit 9f8395cb7d49b63a82f75bf504f5f83920102b29.

    Specifying "protocol" field to socket(AF_PACKET, ...) call only affects
    the packets that are received. So use protocol = 0 when sending raw
    packets.

    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>

    Autobuild-User(master): Martin Schwenke <mart...@samba.org>
    Autobuild-Date(master): Fri Mar 4 12:58:50 CET 2016 on sn-devel-144

    (cherry picked from commit f5b6a5b13406c245ab9cc8c1699483af9eb21f88)

commit 8368f6fb9617f066d88deb41da902c5c59aa280e
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Fri Jan 29 00:06:18 2016 +1100

    ctdb-common: Use documented names for protocol family in socket()

    Instead of using PF_*, use AF_*.

    https://bugzilla.samba.org/show_bug.cgi?id=11705

    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    (cherry picked from commit 9f94620a308a3b17c1886c2c4807b34b8d5edacb)

commit ea9ddb4bc8d773efe6a8c08a6842cd80d2514032
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Fri Jan 29 00:05:26 2016 +1100

    ctdb-common: Protocol argument must be in host order for socket() call

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11705

    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    (cherry picked from commit 9f8395cb7d49b63a82f75bf504f5f83920102b29)

commit 434aaaf8351d3d762a1f57218d40ce648c13975c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jun 22 20:38:01 2016 +0200

    dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    (cherry picked from commit d9e242e9035c15e49b041afc61e5a4a08877f289)

commit f77264943a29fcea842e9eb91fd96fa99768cc37
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jun 22 17:18:28 2016 +0200

    s4:rpc_server: use a variable for the max total reassembled request payload

    We still use the same limit of 4 MByte (DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE)
    by default.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Jun 23 04:51:16 CEST 2016 on sn-devel-144

    (cherry picked from commit 3f36d31c848496bf509db573e4c12821905b448d)

commit d069b66aa91eec039638fff789a7e9d431e7877f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jun 22 17:18:28 2016 +0200

    s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes

    This will replace DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte).
    The limit of DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte) was too strict
    for some workloads, e.g. DRSUAPI replication with large objects.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit 7413e73c5331b760dc84b3843059230ec5fcfc7b) commit 65096890c7b2c4f8a28ac7548f253f04286f84f4 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Jun 22 16:58:03 2016 +0200 dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE This will replace DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte), this limit is too strict for some workloads, e.g. DRSUAPI replication with large objects. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit 281e11b53f676647997fb9ce21227782529a62ad) commit 9c6e91338b55d4d294edf695fe13186a4bca8996 Author: Karolin Seeger <ksee...@samba.org> Date: Wed Jun 15 12:23:43 2016 +0200 VERSION: Bump version up to 4.2.14... and re-enable git snapshots. Signed-off-by: Karolin Seeger <ksee...@samba.org> (cherry picked from commit c32d2de98c099c6707ad3314ea14d1de2358615d) ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 83 ++++++++++++++++++++++++++++- ctdb/common/system_aix.c | 4 +- ctdb/common/system_common.c | 2 +- ctdb/common/system_freebsd.c | 4 +- ctdb/common/system_gnu.c | 4 +- ctdb/common/system_kfreebsd.c | 4 +- ctdb/common/system_linux.c | 10 ++-- ctdb/tools/ctdb.c | 4 +- ctdb/utils/smnotify/smnotify.c | 6 +-- libcli/smb/smbXcli_base.c | 19 ++++++- librpc/idl/dcerpc.idl | 18 ++++++- source3/libsmb/cliconnect.c | 3 ++ source3/script/tests/test_smbclient_ntlm.sh | 4 ++ source4/librpc/rpc/dcerpc.c | 5 +- source4/librpc/rpc/dcerpc.h | 3 ++ source4/rpc_server/dcerpc_server.c | 5 +- source4/rpc_server/dcerpc_server.h | 3 ++ 18 files changed, 154 insertions(+), 29 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index fb30286..36439ad 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=2 -SAMBA_VERSION_RELEASE=13 +SAMBA_VERSION_RELEASE=14 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d061b6c..5ecf9e3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,83 @@ ============================== + Release Notes for Samba 4.2.14 + July 07, 2016 + ============================== + + +This is a security release in order to address the following defect: + +o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded) + +======= +Details +======= + +o CVE-2016-2119: + It's possible for an attacker to downgrade the required signing for + an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST + or SMB2_SESSION_FLAG_IS_NULL flags. + + This means that the attacker can impersonate a server being connected to by + Samba, and return malicious results. + + The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking + to domain controllers as a member server, and trusted domains as a domain + controller. These DCE/RPC connections were intended to protected by the + combination of "client ipc signing" and + "client ipc max protocol" in their effective default settings + ("mandatory" and "SMB3_11"). + + Additionally, management tools like net, samba-tool and rpcclient use DCERPC + over SMB2/3 connections. + + By default, other tools in Samba are unprotected, but rarely they are + configured to use smb signing, via the "client signing" parameter (the default + is "if_required"). Even more rarely the "client max protocol" is set to SMB2, + rather than the NT1 default. + + If both these conditions are met, then this issue would also apply to these + other tools, including command line tools like smbcacls, smbcquota, smbclient, + smbget and applications using libsmbclient. + + +Changes since 4.2.13: +--------------------- + +o Amitay Isaacs <ami...@gmail.com> + * BUG 11705: Fix sockets with htons(IPPROTO_RAW) and CVE-2015-8543 (Kernel). + * BUG 11770: ctdb-common: For AF_PACKET socket types, protocol is in network + order. + + +o Stefan Metzmacher <me...@samba.org> + * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade. 
+ * BUG 11948: Total dcerpc response payload more than 0x400000. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================== Release Notes for Samba 4.2.13 June 17, 2016 ============================== @@ -50,8 +129,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.2.12 diff --git a/ctdb/common/system_aix.c b/ctdb/common/system_aix.c index 41f61ae..2637442 100644 --- a/ctdb/common/system_aix.c +++ b/ctdb/common/system_aix.c @@ -44,7 +44,7 @@ int ctdb_sys_open_sending_socket(void) int s, ret; uint32_t one = 1; - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT,(" failed to open raw socket (%s)\n", strerror(errno))); 
@@ -121,7 +121,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT,(" failed to open raw socket (%s)\n", strerror(errno))); diff --git a/ctdb/common/system_common.c b/ctdb/common/system_common.c index 899f3b5..3e30a6c 100644 --- a/ctdb/common/system_common.c +++ b/ctdb/common/system_common.c @@ -85,7 +85,7 @@ char *ctdb_sys_find_ifname(ctdb_sock_addr *addr) struct ifconf ifc; char *ptr; - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n", strerror(errno))); diff --git a/ctdb/common/system_freebsd.c b/ctdb/common/system_freebsd.c index 9597a7a..02f7cce 100644 --- a/ctdb/common/system_freebsd.c +++ b/ctdb/common/system_freebsd.c @@ -158,7 +158,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, ip4pkt.tcp.th_sum = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip); /* open a raw socket to send this segment from */ - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n", strerror(errno))); @@ -208,7 +208,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, ip6pkt.tcp.th_win = htons(1234); ip6pkt.tcp.th_sum = tcp_checksum6((uint16_t *)&ip6pkt.tcp, sizeof(ip6pkt.tcp), &ip6pkt.ip6); - s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW); + s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT, (__location__ " Failed to open sending socket\n")); return -1; diff --git a/ctdb/common/system_gnu.c b/ctdb/common/system_gnu.c index 2ab1399..1e0ae4c 100644 --- a/ctdb/common/system_gnu.c +++ b/ctdb/common/system_gnu.c 
@@ -156,7 +156,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, ip4pkt.tcp.check = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip); /* open a raw socket to send this segment from */ - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n", strerror(errno))); @@ -203,7 +203,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, ip6pkt.tcp.window = htons(1234); ip6pkt.tcp.check = tcp_checksum6((uint16_t *)&ip6pkt.tcp, sizeof(ip6pkt.tcp), &ip6pkt.ip6); - s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW); + s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT, (__location__ " Failed to open sending socket\n")); return -1; diff --git a/ctdb/common/system_kfreebsd.c b/ctdb/common/system_kfreebsd.c index 41aa4d6..7cb6d92 100644 --- a/ctdb/common/system_kfreebsd.c +++ b/ctdb/common/system_kfreebsd.c @@ -156,7 +156,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, ip4pkt.tcp.check = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip); /* open a raw socket to send this segment from */ - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n", strerror(errno))); @@ -203,7 +203,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, ip6pkt.tcp.window = htons(1234); ip6pkt.tcp.check = tcp_checksum6((uint16_t *)&ip6pkt.tcp, sizeof(ip6pkt.tcp), &ip6pkt.ip6); - s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW); + s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT, (__location__ " Failed to open sending socket\n")); return -1; diff --git a/ctdb/common/system_linux.c b/ctdb/common/system_linux.c index fdb8d12..9872070 100644 --- a/ctdb/common/system_linux.c +++ b/ctdb/common/system_linux.c 
@@ -93,7 +93,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface) switch (addr->ip.sin_family) { case AF_INET: - s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP)); + s = socket(AF_PACKET, SOCK_RAW, 0); if (s == -1){ DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n")); return -1; @@ -187,7 +187,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char *iface) close(s); break; case AF_INET6: - s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP)); + s = socket(AF_PACKET, SOCK_RAW, 0); if (s == -1){ DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n")); return -1; @@ -357,7 +357,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, ip4pkt.tcp.check = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip); /* open a raw socket to send this segment from */ - s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n", strerror(errno))); @@ -406,7 +406,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest, ip6pkt.tcp.window = htons(1234); ip6pkt.tcp.check = tcp_checksum6((uint16_t *)&ip6pkt.tcp, sizeof(ip6pkt.tcp), &ip6pkt.ip6); - s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW); + s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW); if (s == -1) { DEBUG(DEBUG_CRIT, (__location__ " Failed to open sending socket\n")); return -1; @@ -568,7 +568,7 @@ bool ctdb_sys_check_iface_exists(const char *iface) int s; struct ifreq ifr; - s = socket(PF_PACKET, SOCK_RAW, 0); + s = socket(AF_PACKET, SOCK_RAW, 0); if (s == -1){ /* We dont know if the interface exists, so assume yes */ DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n")); diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c index c4490ac..6700119 100644 --- a/ctdb/tools/ctdb.c +++ b/ctdb/tools/ctdb.c 
@@ -4537,7 +4537,7 @@ static int control_chktcpport(struct ctdb_context *ctdb, int argc, const char ** port = atoi(argv[0]); - s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); + s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (s == -1) { printf("Failed to open local socket\n"); return errno; @@ -4549,7 +4549,7 @@ static int control_chktcpport(struct ctdb_context *ctdb, int argc, const char ** } bzero(&sin, sizeof(sin)); - sin.sin_family = PF_INET; + sin.sin_family = AF_INET; sin.sin_port = htons(port); ret = bind(s, (struct sockaddr *)&sin, sizeof(sin)); close(s); diff --git a/ctdb/utils/smnotify/smnotify.c b/ctdb/utils/smnotify/smnotify.c index d7fd546..d5c5a4c 100644 --- a/ctdb/utils/smnotify/smnotify.c +++ b/ctdb/utils/smnotify/smnotify.c @@ -43,14 +43,14 @@ static int create_socket(const char *addr, int port) int s; struct sockaddr_in sock_in; - s = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); + s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) { printf("Failed to open local socket\n"); exit(10); } bzero(&sock_in, sizeof(sock_in)); - sock_in.sin_family = PF_INET; + sock_in.sin_family = AF_INET; sock_in.sin_port = htons(port); inet_aton(addr, &sock_in.sin_addr); if (bind(s, (struct sockaddr *)&sock_in, sizeof(sock_in)) == -1) { @@ -124,7 +124,7 @@ int main(int argc, const char *argv[]) /* Setup a sockaddr_in for the client we want to notify */ bzero(&sock_cl, sizeof(sock_cl)); - sock_cl.sin_family = PF_INET; + sock_cl.sin_family = AF_INET; sock_cl.sin_port = htons(clientport); inet_aton(client, &sock_cl.sin_addr); diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index b07fdad..6797207 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c 
@@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session) return false; } + if (session->conn->mandatory_signing) { + return false; + } + if (session->conn->protocol >= PROTOCOL_SMB2_02) { if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) { return true; @@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, const struct iovec *recv_iov) { struct smbXcli_conn *conn = session->conn; - uint16_t no_sign_flags; + uint16_t no_sign_flags = 0; uint8_t session_key[16]; bool check_signature = true; uint32_t hdr_flags; @@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, return NT_STATUS_INVALID_PARAMETER_MIX; } - no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; + if (!conn->mandatory_signing) { + /* + * only allow guest sessions without + * mandatory signing. + * + * If we try an authentication with username != "" + * and the server let us in without verifying the + * password we don't have a negotiated session key + * for signing. + */ + no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST; + } if (session->smb2->session_flags & no_sign_flags) { session->smb2->should_sign = false; diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl index 015eb3d..527804d 100644 --- a/librpc/idl/dcerpc.idl +++ b/librpc/idl/dcerpc.idl 
@@ -535,7 +535,23 @@ interface dcerpc const uint32 DCERPC_FRAG_MAX_SIZE = 5840; const uint8 DCERPC_AUTH_LEN_OFFSET = 10; const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16; - const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */ + + /* + * See [MS-RPCE] 3.3.3.5.4 Maximum Server Input Data Size + * 4 MByte is the default limit of reassembled request payload + */ + const uint32 DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE = 0x400000; + + /* + * See [MS-RPCE] 3.3.2.5.2 Handling Responses + * + * Indicates that Windows accepts up to 0x7FFFFFFF ~2 GByte + * + * talloc has a limit of 256 MByte, so we need to use something smaller. + * + * For now we try our luck with 240 MByte. + */ + const uint32 DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE = 0xf000000; /* 240 MByte */ /* little-endian flag */ const uint8 DCERPC_DREP_LE = 0x10; diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 420fe3c..3de3796 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq) * have a negotiated session key. * * So just pretend we are completely done. + * + * Note that smbXcli_session_is_guest() + * always returns false if we require signing. */ state->blob_in = data_blob_null; state->local_ready = true; diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh index b8fc564..33a927f 100755 --- a/source3/script/tests/test_smbclient_ntlm.sh +++ b/source3/script/tests/test_smbclient_ntlm.sh 
@@ -37,4 +37,8 @@ else testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS + + testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS + testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS + testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS fi diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index 8274991..4225e1d 100644 --- a/source4/librpc/rpc/dcerpc.c +++ b/source4/librpc/rpc/dcerpc.c @@ -155,6 +155,7 @@ static struct dcecli_connection *dcerpc_connection_init(TALLOC_CTX *mem_ctx, */ c->srv_max_xmit_frag = 5840; c->srv_max_recv_frag = 5840; + c->max_total_response_size = DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE; c->pending = NULL; c->io_trigger = tevent_create_immediate(c); @@ -1575,10 +1576,10 @@ static void dcerpc_request_recv_data(struct dcecli_connection *c, length = pkt->u.response.stub_and_verifier.length; - if (req->payload.length + length > DCERPC_NCACN_PAYLOAD_MAX_SIZE) { + if (req->payload.length + length > c->max_total_response_size) { DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc response\n", (unsigned)req->payload.length + length, - DCERPC_NCACN_PAYLOAD_MAX_SIZE)); + (unsigned)c->max_total_response_size)); dcerpc_connection_dead(c, NT_STATUS_RPC_PROTOCOL_ERROR); return; } diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h index 1b0eb7d..0c5a819 100644 
--- a/source4/librpc/rpc/dcerpc.h +++ b/source4/librpc/rpc/dcerpc.h @@ -107,6 +107,9 @@ struct dcecli_connection { /* the next context_id to be assigned */ uint32_t next_context_id; + + /* The maximum total payload of reassembled response pdus */ + size_t max_total_response_size; }; /* diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index 278e1af..8439d84 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -408,6 +408,7 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx, p->allow_bind = true; p->max_recv_frag = 5840; p->max_xmit_frag = 5840; + p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE; *_p = p; return NT_STATUS_OK; @@ -1532,7 +1533,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, /* * Up to 4 MByte are allowed by all fragments */ - available = DCERPC_NCACN_PAYLOAD_MAX_SIZE; + available = dce_conn->max_total_request_size; if (er->stub_and_verifier.length > available) { dcesrv_call_disconnect_after(existing, "dcesrv_auth_request - existing payload too large"); @@ -1585,7 +1586,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, /* * Up to 4 MByte are allowed by all fragments */ - if (call->pkt.u.request.alloc_hint > DCERPC_NCACN_PAYLOAD_MAX_SIZE) { + if (call->pkt.u.request.alloc_hint > dce_conn->max_total_request_size) { dcesrv_call_disconnect_after(call, "dcesrv_auth_request - initial alloc hint too large"); return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED); diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h index 15b25ea..72cb1bb 100644 --- a/source4/rpc_server/dcerpc_server.h +++ b/source4/rpc_server/dcerpc_server.h 
@@ -273,6 +273,9 @@ struct dcesrv_connection { /* the association group the connection belongs to */ struct dcesrv_assoc_group *assoc_group; + + /* The maximum total payload of reassembled request pdus */ + size_t max_total_request_size; }; -- Samba Shared Repository
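Review bot: typo in the WHATSNEW.txt hunk, CVE-2016-2119 Details paragraph: "These DCE/RPC connections were intended to protected by" should read "were intended to be protected by". In the same hunk the defect is labelled CVE-2016-2119 while three of the commit subjects in this push (13437f9, db256b6, b9200a6) carry CVE-2016-2019; the advisory identifier should be consistent across release notes and commit log so that downstream trackers grep the right one.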
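Review bot: the new early return in smbXcli_session_is_guest() (libcli/smb/smbXcli_base.c, first hunk) makes the function answer "not a guest" even when the server did set SMB2_SESSION_FLAG_IS_GUEST, and the only explanation lives in a different file (the comment added to source3/libsmb/cliconnect.c). Put a short comment on the `if (session->conn->mandatory_signing) { return false; }` block itself, e.g. "a guest session cannot be signed, so with mandatory signing we refuse to treat it as one and let signature verification fail", otherwise a future reader of smbXcli_base.c will take the early return for a bug.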
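Review bot: in the smb2cli_session_set_session_key() hunk of libcli/smb/smbXcli_base.c, SMB2_SESSION_FLAG_IS_NULL is dropped from no_sign_flags in all cases, not only under mandatory signing (the removed line had `IS_GUEST | IS_NULL`, the new assignment has `IS_GUEST` alone inside `if (!conn->mandatory_signing)`). The added comment explains the guest case but says nothing about IS_NULL; the reasoning from the commit message (real anonymous sessions never reach this function, so a server-supplied IS_NULL here is not to be trusted) belongs in that comment so the asymmetry is visibly deliberate.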
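Review bot: the librpc/idl/dcerpc.idl hunk raises the client-side reassembly cap from 4 MByte to 0xf000000 (240 MByte), which means any server a Samba client talks to can now make it buffer up to 240 MByte per in-flight call; the comment justifies the number only by Windows accepting 0x7FFFFFFF and talloc's 256 MByte ceiling. Record in the comment which caller actually needs it (the commit message names DRSUAPI replication with large objects) and note that, since source4/librpc/rpc/dcerpc.c now keeps the value per connection in max_total_response_size, callers other than replication can stay at DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE.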
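Review bot: in source4/librpc/rpc/dcerpc.c, dcerpc_connection_init() sets `c->max_total_response_size = DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE` but nothing in this changeset lets a caller change it, so the new field is a constant wearing a variable's clothes; either add a setter for the DRSUAPI client that needs the larger value or keep the constant. In the same file the DEBUG() in dcerpc_request_recv_data() casts a size_t to `(unsigned)` for a `0x%X` format; use `%zu` (or `PRIuMAX` with a uintmax_t cast) so the message stays correct if the limit is ever raised past 4 GByte.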
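Review bot: both hunks in source4/rpc_server/dcerpc_server.c keep the comment "Up to 4 MByte are allowed by all fragments" while replacing the 4 MByte constant with `dce_conn->max_total_request_size`; the comments are now stale and will mislead the first person who raises the limit. Reword them to "Up to max_total_request_size bytes are allowed across all fragments (DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE, 4 MByte, by default)".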
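Review bot: in ctdb/common/system_linux.c the two ctdb_sys_send_arp() hunks change `socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP))` to `socket(AF_PACKET, SOCK_RAW, 0)`; protocol 0 on a packet socket means no incoming frames are ever delivered, which is fine for these send-only sockets (as the commit message says) but is not what a reader expects to see where an ethertype used to be. Add a one-line comment at each call site, "protocol 0: send-only, we never receive on this socket", so the next person does not "fix" it back to htons(ETHERTYPE_ARP).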
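Review bot: the `htons(IPPROTO_RAW)` to `IPPROTO_RAW` fix is repeated by hand in system_aix.c, system_common.c, system_freebsd.c, system_gnu.c, system_kfreebsd.c and system_linux.c; with the kernel fix for CVE-2015-8543 (named in the WHATSNEW hunk) a byte-swapped protocol value is rejected by socket() outright, so the bug was silently fatal on every platform file. A single shared helper for opening the raw sending socket would keep the next platform file from reintroducing it; at minimum the repeated error path should mention which protocol value was passed.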
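Review bot: style point on the ctdb/tools/ctdb.c and ctdb/utils/smnotify/smnotify.c hunks: while touching `sin.sin_family = PF_INET` and `sock_in.sin_family = PF_INET`, the adjacent `bzero(&sin, sizeof(sin))` and `bzero(&sock_in, sizeof(sock_in))` are still the legacy call that POSIX.1-2008 removed; switch them to `memset(&sin, 0, sizeof(sin))` or Samba's ZERO_STRUCT(sin) in the same hunk.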
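Review bot: the three new testit_expect_failure lines in source3/script/tests/test_smbclient_ntlm.sh only exercise the honest case, a wrong password (`-Ubaduser%badpassword`) against a server that legitimately maps the login to guest while the client passes `--signing=required`. The attack in the release notes is a hostile server injecting SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL into an otherwise successful session setup, which the selftest server never does; a unit test that feeds smb2cli_session_set_session_key() a crafted session_flags value under mandatory_signing would cover the code path the CVE is actually about.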
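The commit message for b9200a6 and the libcli/smb/smbXcli_base.c change describe a client-side decision: when the server's SESSION_SETUP response carries SMB2_SESSION_FLAG_IS_GUEST, may the client stop signing? The following is an added illustration written for this page, not Samba code and not taken from the project: it builds a constructed SESSION_SETUP response with the guest flag injected and no signature, parses the flags, and runs both the pre-fix and the post-fix policy to show why only the fixed client rejects the reply. The function names (build_sesssetup_response, smb2_parse_sesssetup, should_sign_vulnerable, should_sign_fixed, smb2_reply_acceptable, downgrade_accepted) are this example's own; the flag values and header offsets are from [MS-SMB2]. A real client also verifies the MAC, which is omitted here.

```c
/* Added example for this page, not Samba code. Flag values and offsets per [MS-SMB2]. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SMB2_HDR_LEN               64
#define SMB2_OP_SESSSETUP          0x0001
#define SMB2_HDR_FLAG_REDIRECT     0x00000001  /* server-to-client */
#define SMB2_HDR_FLAG_SIGNED       0x00000008
#define SMB2_SESSION_FLAG_IS_GUEST 0x0001
#define SMB2_SESSION_FLAG_IS_NULL  0x0002

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Constructed SESSION_SETUP response: 64-byte header + 8-byte body
 * (StructureSize 9, SessionFlags, SecurityBufferOffset, SecurityBufferLength). */
size_t build_sesssetup_response(uint8_t *out, uint16_t session_flags, bool signed_hdr)
{
    memset(out, 0, SMB2_HDR_LEN + 8);
    memcpy(out, "\xfeSMB", 4);                          /* ProtocolId */
    put16(out + 4, SMB2_HDR_LEN);                       /* header StructureSize */
    put16(out + 12, SMB2_OP_SESSSETUP);                 /* Command */
    put32(out + 16, SMB2_HDR_FLAG_REDIRECT | (signed_hdr ? SMB2_HDR_FLAG_SIGNED : 0));
    put16(out + SMB2_HDR_LEN, 9);                       /* body StructureSize */
    put16(out + SMB2_HDR_LEN + 2, session_flags);       /* SessionFlags, server controlled */
    put16(out + SMB2_HDR_LEN + 4, SMB2_HDR_LEN + 8);    /* SecurityBufferOffset, empty buffer */
    return SMB2_HDR_LEN + 8;
}

/* Extract header Flags and body SessionFlags; false on anything malformed. */
bool smb2_parse_sesssetup(const uint8_t *buf, size_t len, uint16_t *session_flags, uint32_t *hdr_flags)
{
    if (len < SMB2_HDR_LEN + 8 || memcmp(buf, "\xfeSMB", 4) != 0) return false;
    if (le16(buf + 12) != SMB2_OP_SESSSETUP || le16(buf + SMB2_HDR_LEN) != 9) return false;
    *hdr_flags = le32(buf + 16);
    *session_flags = le16(buf + SMB2_HDR_LEN + 2);
    return true;
}

/* Pre-fix policy (the removed line): either server flag switches signing off,
 * regardless of what the client was configured to require. */
bool should_sign_vulnerable(bool mandatory_signing, uint16_t session_flags)
{
    (void)mandatory_signing;
    return (session_flags & (SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL)) == 0;
}

/* Post-fix policy: a guest session may skip signing only when signing is not mandatory;
 * IS_NULL no longer disables signing on this path at all. */
bool should_sign_fixed(bool mandatory_signing, uint16_t session_flags)
{
    uint16_t no_sign_flags = mandatory_signing ? 0 : SMB2_SESSION_FLAG_IS_GUEST;
    return (session_flags & no_sign_flags) == 0;
}

/* A signing client must refuse an unsigned reply (here: header flag only; a real client checks the MAC). */
bool smb2_reply_acceptable(uint32_t hdr_flags, bool should_sign)
{
    return !should_sign || (hdr_flags & SMB2_HDR_FLAG_SIGNED) != 0;
}

/* Scenario: client requires signing; a hostile server answers with IS_GUEST and no signature.
 * Returns 1 if the client accepts the reply (downgrade succeeded), 0 if it rejects, -1 on parse error. */
int downgrade_accepted(bool use_fixed_policy)
{
    uint8_t pkt[SMB2_HDR_LEN + 8];
    uint16_t sflags;
    uint32_t hflags;
    size_t n = build_sesssetup_response(pkt, SMB2_SESSION_FLAG_IS_GUEST, false);
    if (!smb2_parse_sesssetup(pkt, n, &sflags, &hflags)) return -1;
    bool sign = use_fixed_policy ? should_sign_fixed(true, sflags)
                                 : should_sign_vulnerable(true, sflags);
    return smb2_reply_acceptable(hflags, sign) ? 1 : 0;
}

int main(void)
{
    printf("mandatory signing, IS_GUEST injected: vulnerable client accepts=%d, fixed client accepts=%d\n",
           downgrade_accepted(false), downgrade_accepted(true));
    return 0;
}
```

The point the example makes is that the fix does not detect the injected flag; it simply refuses to let the flag turn `should_sign` off, so the unsigned reply then fails the client's own signature check, which is the failure the regression tests in test_smbclient_ntlm.sh expect.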
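The commit messages for f772649 and d069b66 describe a cap on the total stub payload reassembled from DCE/RPC fragments, checked both against the first fragment's alloc_hint and against the running total. The following is an added illustration written for this page, not Samba code and not taken from the project: a minimal reassembler with such a cap, fed constructed fragment streams from an honest peer, from a peer that advertises a huge alloc_hint, and from a peer that never sends the last fragment. The struct and function names (dcerpc_frag, dcerpc_reassembly, reassemble_push, the scenario_* functions) are this example's own; the PFC flag values are from [MS-RPCE] 2.2.6 and the two size constants mirror the values added to dcerpc.idl.

```c
/* Added example for this page, not Samba code. PFC flags per [MS-RPCE] 2.2.6. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define DCERPC_PFC_FLAG_FIRST      0x01
#define DCERPC_PFC_FLAG_LAST       0x02
#define REQUEST_DEFAULT_MAX_SIZE   0x400000UL   /* 4 MByte, server side default */
#define RESPONSE_DEFAULT_MAX_SIZE  0xf000000UL  /* 240 MByte, client side default */

enum reasm_status { REASM_COMPLETE = 0, REASM_NEED_MORE = 1, REASM_PROTOCOL_ERROR = -1 };

/* One fragment as a PDU parser would hand it up. */
struct dcerpc_frag {
    uint8_t        pfc_flags;
    uint32_t       alloc_hint;   /* peer's advertised total stub size; may lie */
    const uint8_t *stub;
    size_t         stub_len;
};

struct dcerpc_reassembly {
    uint8_t *payload;
    size_t   length;
    size_t   max_total;          /* analogous to max_total_request_size / max_total_response_size */
};

void reassembly_init(struct dcerpc_reassembly *r, size_t max_total)
{
    r->payload = NULL; r->length = 0; r->max_total = max_total;
}
void reassembly_free(struct dcerpc_reassembly *r)
{
    free(r->payload); r->payload = NULL; r->length = 0;
}

/* Feed one fragment. The cap is checked before the buffer is grown, so a hostile
 * peer cannot make us allocate more than max_total no matter how it fragments. */
int reassemble_push(struct dcerpc_reassembly *r, const struct dcerpc_frag *f)
{
    if (f->pfc_flags & DCERPC_PFC_FLAG_FIRST) {
        if (f->alloc_hint > r->max_total) return REASM_PROTOCOL_ERROR; /* hint above cap: refuse early */
        reassembly_free(r);
    } else if (r->payload == NULL) {
        return REASM_PROTOCOL_ERROR;                  /* continuation without a first fragment */
    }
    if (f->stub_len > r->max_total - r->length) return REASM_PROTOCOL_ERROR; /* overflow-safe total check */
    uint8_t *p = realloc(r->payload, r->length + f->stub_len + 1); /* +1 keeps a zero-length first frag non-NULL */
    if (p == NULL) return REASM_PROTOCOL_ERROR;
    memcpy(p + r->length, f->stub, f->stub_len);
    r->payload = p;
    r->length += f->stub_len;
    return (f->pfc_flags & DCERPC_PFC_FLAG_LAST) ? REASM_COMPLETE : REASM_NEED_MORE;
}

/* Constructed stream, cap 4 bytes, honest peer sends 2 + 2 bytes. Returns REASM_COMPLETE on success. */
int scenario_honest(void)
{
    static const uint8_t a[] = {1, 2}, b[] = {3, 4};
    struct dcerpc_reassembly r; reassembly_init(&r, 4);
    struct dcerpc_frag f1 = { DCERPC_PFC_FLAG_FIRST, 4, a, sizeof a };
    struct dcerpc_frag f2 = { DCERPC_PFC_FLAG_LAST,  4, b, sizeof b };
    int st = reassemble_push(&r, &f1);
    if (st != REASM_NEED_MORE) { reassembly_free(&r); return st; }
    st = reassemble_push(&r, &f2);
    bool ok = st == REASM_COMPLETE && r.length == 4 && memcmp(r.payload, "\x01\x02\x03\x04", 4) == 0;
    reassembly_free(&r);
    return ok ? REASM_COMPLETE : REASM_PROTOCOL_ERROR;
}

/* Constructed stream, cap 8 bytes: honest-looking alloc_hint, then 3-byte fragments with no LAST flag.
 * Returns how many pushes it took to hit the cap (expected 3). */
int scenario_unbounded_stream(void)
{
    static const uint8_t chunk[3] = {0x41, 0x41, 0x41};
    struct dcerpc_reassembly r; reassembly_init(&r, 8);
    struct dcerpc_frag f = { DCERPC_PFC_FLAG_FIRST, 3, chunk, sizeof chunk };
    int st = reassemble_push(&r, &f), pushes = 1;
    f.pfc_flags = 0;
    while (st == REASM_NEED_MORE) { st = reassemble_push(&r, &f); pushes++; }
    reassembly_free(&r);
    return st == REASM_PROTOCOL_ERROR ? pushes : -100;
}

/* Constructed first fragment whose alloc_hint exceeds the 4 MByte request cap: rejected with nothing buffered. */
int scenario_huge_alloc_hint(void)
{
    static const uint8_t chunk[1] = {0};
    struct dcerpc_reassembly r; reassembly_init(&r, REQUEST_DEFAULT_MAX_SIZE);
    struct dcerpc_frag f = { DCERPC_PFC_FLAG_FIRST, REQUEST_DEFAULT_MAX_SIZE + 1, chunk, 1 };
    int st = reassemble_push(&r, &f);
    size_t buffered = r.length;
    reassembly_free(&r);
    return (st == REASM_PROTOCOL_ERROR && buffered == 0) ? 0 : -1;
}

int main(void)
{
    printf("honest=%d unbounded_pushes=%d huge_hint=%d\n",
           scenario_honest(), scenario_unbounded_stream(), scenario_huge_alloc_hint());
    return 0;
}
```

The alloc_hint check is an early refusal, not a guarantee: a peer can advertise a small hint and then stream fragments forever, which is why the cumulative check on every fragment is the one that actually bounds memory. With the client-side cap at 240 MByte, that bound is what a single hostile server can force a Samba client to allocate per call.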