The branch, v4-2-stable has been updated
       via  c7c5fe1 VERSION: Disable git snapshots for the 4.2.14 release.
       via  eb480ea WHATSNEW: Add release notes for Samba 4.2.14.
       via  13437f9 CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing
       via  db256b6 CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing
       via  b9200a6 CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
       via  7e73588 ctdb-common: For AF_PACKET socket types, protocol is in network order
       via  8368f6f ctdb-common: Use documented names for protocol family in socket()
       via  ea9ddb4 ctdb-common: Protocol argument must be in host order for socket() call
       via  434aaaf dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
       via  f772649 s4:rpc_server: use a variable for the max total reassembled request payload
       via  d069b66 s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes
       via  6509689 dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
       via  9c6e913 VERSION: Bump version up to 4.2.14...
      from  f03201a VERSION: Disable git snapshots for the 4.2.13 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-stable


- Log -----------------------------------------------------------------
commit c7c5fe127366aa8edb69247f80a4e015969cf1b3
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Jul 5 12:58:16 2016 +0200

    VERSION: Disable git snapshots for the 4.2.14 release.
    
    CVE-2016-2119: Client side SMB2 signing downgrade.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
    
    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit eb480ea5ee84ca73519b8b9667664cff0aa04e1f
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Jul 5 12:57:02 2016 +0200

    WHATSNEW: Add release notes for Samba 4.2.14.
    
    CVE-2016-2119: Client side SMB2 signing downgrade.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
    
    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 13437f93b7bf52eefe8dfa824e31b24722f9ea44
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 02:24:52 2016 +0200

    CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit db256b6163fc010b4d895366327a81ee7e0eb24a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 02:36:35 2016 +0200

    CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit b9200a6fe1f2e78d714420d162e00590de6827b0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 20 11:26:57 2016 +0200

    CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
    
    Note real anonymous sessions (with "" as username) don't hit this
    as we don't even call smb2cli_session_set_session_key() in that case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 7e73588cdd3280a1866c27a9309cb5fc65b21a00
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Thu Mar 3 14:17:40 2016 +1100

    ctdb-common: For AF_PACKET socket types, protocol is in network order
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11770
    
    From man page of packet(7):
    
                                                 protocol is the  IEEE  802.3
       protocol  number  in  network  byte  order.  See the <linux/if_ether.h>
       include file for a list of allowed protocols.  When protocol is set  to
       htons(ETH_P_ALL),  then all protocols are received.
    
    Protocol argument was changed from network order to host order wrongly
    in commit 9f8395cb7d49b63a82f75bf504f5f83920102b29.
    
    Specifying "protocol" field to socket(AF_PACKET, ...) call only affects
    the packets that are received.  So use protocol = 0 when sending raw
    packets.
    
    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>
    
    Autobuild-User(master): Martin Schwenke <mart...@samba.org>
    Autobuild-Date(master): Fri Mar  4 12:58:50 CET 2016 on sn-devel-144
    
    (cherry picked from commit f5b6a5b13406c245ab9cc8c1699483af9eb21f88)

commit 8368f6fb9617f066d88deb41da902c5c59aa280e
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Fri Jan 29 00:06:18 2016 +1100

    ctdb-common: Use documented names for protocol family in socket()
    
    Instead of using PF_*, use AF_*.
    
    https://bugzilla.samba.org/show_bug.cgi?id=11705
    
    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    (cherry picked from commit 9f94620a308a3b17c1886c2c4807b34b8d5edacb)

commit ea9ddb4bc8d773efe6a8c08a6842cd80d2514032
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Fri Jan 29 00:05:26 2016 +1100

    ctdb-common: Protocol argument must be in host order for socket() call
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11705
    
    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    (cherry picked from commit 9f8395cb7d49b63a82f75bf504f5f83920102b29)

commit 434aaaf8351d3d762a1f57218d40ce648c13975c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jun 22 20:38:01 2016 +0200

    dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit d9e242e9035c15e49b041afc61e5a4a08877f289)

commit f77264943a29fcea842e9eb91fd96fa99768cc37
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jun 22 17:18:28 2016 +0200

    s4:rpc_server: use a variable for the max total reassembled request payload
    
    We still use the same limit of 4 MByte (DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE)
    by default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Jun 23 04:51:16 CEST 2016 on sn-devel-144
    
    (cherry picked from commit 3f36d31c848496bf509db573e4c12821905b448d)

commit d069b66aa91eec039638fff789a7e9d431e7877f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jun 22 17:18:28 2016 +0200

    s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes
    
    This will replace DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte),
    The limit of DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte) was too
    strict for some workloads, e.g. DRSUAPI replication with large objects.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 7413e73c5331b760dc84b3843059230ec5fcfc7b)

commit 65096890c7b2c4f8a28ac7548f253f04286f84f4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jun 22 16:58:03 2016 +0200

    dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
    
    This will replace DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte),
    this limit is too strict for some workloads, e.g. DRSUAPI replication
    with large objects.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 281e11b53f676647997fb9ce21227782529a62ad)

commit 9c6e91338b55d4d294edf695fe13186a4bca8996
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Jun 15 12:23:43 2016 +0200

    VERSION: Bump version up to 4.2.14...
    
    and re-enable git snapshots.
    
    Signed-off-by: Karolin Seeger <ksee...@samba.org>
    (cherry picked from commit c32d2de98c099c6707ad3314ea14d1de2358615d)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                     |  2 +-
 WHATSNEW.txt                                | 83 ++++++++++++++++++++++++++++-
 ctdb/common/system_aix.c                    |  4 +-
 ctdb/common/system_common.c                 |  2 +-
 ctdb/common/system_freebsd.c                |  4 +-
 ctdb/common/system_gnu.c                    |  4 +-
 ctdb/common/system_kfreebsd.c               |  4 +-
 ctdb/common/system_linux.c                  | 10 ++--
 ctdb/tools/ctdb.c                           |  4 +-
 ctdb/utils/smnotify/smnotify.c              |  6 +--
 libcli/smb/smbXcli_base.c                   | 19 ++++++-
 librpc/idl/dcerpc.idl                       | 18 ++++++-
 source3/libsmb/cliconnect.c                 |  3 ++
 source3/script/tests/test_smbclient_ntlm.sh |  4 ++
 source4/librpc/rpc/dcerpc.c                 |  5 +-
 source4/librpc/rpc/dcerpc.h                 |  3 ++
 source4/rpc_server/dcerpc_server.c          |  5 +-
 source4/rpc_server/dcerpc_server.h          |  3 ++
 18 files changed, 154 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index fb30286..36439ad 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=13
+SAMBA_VERSION_RELEASE=14
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d061b6c..5ecf9e3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,83 @@
                    ==============================
+                   Release Notes for Samba 4.2.14
+                            July 07, 2016
+                   ==============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
+
+=======
+Details
+=======
+
+o  CVE-2016-2119:
+   It's possible for an attacker to downgrade the required signing for
+   an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
+   or SMB2_SESSION_FLAG_IS_NULL flags.
+
+   This means that the attacker can impersonate a server being connected to by
+   Samba, and return malicious results.
+
+   The primary concern is with winbindd, as it uses DCERPC over SMB2 when 
talking
+   to domain controllers as a member server, and trusted domains as a domain
+   controller.  These DCE/RPC connections were intended to protected by the
+   combination of "client ipc signing" and
+   "client ipc max protocol" in their effective default settings
+   ("mandatory" and "SMB3_11").
+
+   Additionally, management tools like net, samba-tool and rpcclient use DCERPC
+   over SMB2/3 connections.
+
+   By default, other tools in Samba are unprotected, but rarely they are
+   configured to use smb signing, via the "client signing" parameter (the 
default
+   is "if_required").  Even more rarely the "client max protocol" is set to 
SMB2,
+   rather than the NT1 default.
+
+   If both these conditions are met, then this issue would also apply to these
+   other tools, including command line tools like smbcacls, smbcquota, 
smbclient,
+   smbget and applications using libsmbclient.
+
+
+Changes since 4.2.13:
+---------------------
+
+o  Amitay Isaacs <ami...@gmail.com>
+   * BUG 11705: Fix sockets with htons(IPPROTO_RAW) and CVE-2015-8543 (Kernel).
+   * BUG 11770: ctdb-common: For AF_PACKET socket types, protocol is in network
+     order.
+
+
+o  Stefan Metzmacher <me...@samba.org>
+   * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
+   * BUG 11948: Total dcerpc response payload more than 0x400000.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
                    Release Notes for Samba 4.2.13
                             June 17, 2016
                    ==============================
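
Review bot: In the CVE-2016-2119 details, "These DCE/RPC connections were intended to protected by" is missing a "be", and the same paragraph switches between "DCERPC" and "DCE/RPC". The notes use CVE-2016-2119, while three commit subjects in this push are tagged CVE-2016-2019, so a search of the log by CVE id will miss them; BUG 11860 is the reliable cross-reference and could be named next to the CVE id in the Details section as well as in the change list.
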
@@ -50,8 +129,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.2.12
diff --git a/ctdb/common/system_aix.c b/ctdb/common/system_aix.c
index 41f61ae..2637442 100644
--- a/ctdb/common/system_aix.c
+++ b/ctdb/common/system_aix.c
@@ -44,7 +44,7 @@ int ctdb_sys_open_sending_socket(void)
        int s, ret;
        uint32_t one = 1;
 
-       s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+       s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if (s == -1) {
                DEBUG(DEBUG_CRIT,(" failed to open raw socket (%s)\n",
                         strerror(errno)));
@@ -121,7 +121,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
 
 
 
-       s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+       s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if (s == -1) {
                DEBUG(DEBUG_CRIT,(" failed to open raw socket (%s)\n",
                         strerror(errno)));
diff --git a/ctdb/common/system_common.c b/ctdb/common/system_common.c
index 899f3b5..3e30a6c 100644
--- a/ctdb/common/system_common.c
+++ b/ctdb/common/system_common.c
@@ -85,7 +85,7 @@ char *ctdb_sys_find_ifname(ctdb_sock_addr *addr)
        struct ifconf ifc;
        char *ptr;
 
-       s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+       s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if (s == -1) {
                DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket 
(%s)\n",
                         strerror(errno)));
diff --git a/ctdb/common/system_freebsd.c b/ctdb/common/system_freebsd.c
index 9597a7a..02f7cce 100644
--- a/ctdb/common/system_freebsd.c
+++ b/ctdb/common/system_freebsd.c
@@ -158,7 +158,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
                ip4pkt.tcp.th_sum   = tcp_checksum((uint16_t *)&ip4pkt.tcp, 
sizeof(ip4pkt.tcp), &ip4pkt.ip);
 
                /* open a raw socket to send this segment from */
-               s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+               s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT,(__location__ " failed to open raw 
socket (%s)\n",
                                 strerror(errno)));
@@ -208,7 +208,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
                ip6pkt.tcp.th_win   = htons(1234);
                ip6pkt.tcp.th_sum   = tcp_checksum6((uint16_t *)&ip6pkt.tcp, 
sizeof(ip6pkt.tcp), &ip6pkt.ip6);
 
-               s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
+               s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT, (__location__ " Failed to open 
sending socket\n"));
                        return -1;
diff --git a/ctdb/common/system_gnu.c b/ctdb/common/system_gnu.c
index 2ab1399..1e0ae4c 100644
--- a/ctdb/common/system_gnu.c
+++ b/ctdb/common/system_gnu.c
@@ -156,7 +156,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
                ip4pkt.tcp.check    = tcp_checksum((uint16_t *)&ip4pkt.tcp, 
sizeof(ip4pkt.tcp), &ip4pkt.ip);
 
                /* open a raw socket to send this segment from */
-               s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+               s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT,(__location__ " failed to open raw 
socket (%s)\n",
                                 strerror(errno)));
@@ -203,7 +203,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
                ip6pkt.tcp.window   = htons(1234);
                ip6pkt.tcp.check    = tcp_checksum6((uint16_t *)&ip6pkt.tcp, 
sizeof(ip6pkt.tcp), &ip6pkt.ip6);
 
-               s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
+               s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT, (__location__ " Failed to open 
sending socket\n"));
                        return -1;
diff --git a/ctdb/common/system_kfreebsd.c b/ctdb/common/system_kfreebsd.c
index 41aa4d6..7cb6d92 100644
--- a/ctdb/common/system_kfreebsd.c
+++ b/ctdb/common/system_kfreebsd.c
@@ -156,7 +156,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
                ip4pkt.tcp.check    = tcp_checksum((uint16_t *)&ip4pkt.tcp, 
sizeof(ip4pkt.tcp), &ip4pkt.ip);
 
                /* open a raw socket to send this segment from */
-               s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+               s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT,(__location__ " failed to open raw 
socket (%s)\n",
                                 strerror(errno)));
@@ -203,7 +203,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
                ip6pkt.tcp.window   = htons(1234);
                ip6pkt.tcp.check    = tcp_checksum6((uint16_t *)&ip6pkt.tcp, 
sizeof(ip6pkt.tcp), &ip6pkt.ip6);
 
-               s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
+               s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT, (__location__ " Failed to open 
sending socket\n"));
                        return -1;
diff --git a/ctdb/common/system_linux.c b/ctdb/common/system_linux.c
index fdb8d12..9872070 100644
--- a/ctdb/common/system_linux.c
+++ b/ctdb/common/system_linux.c
@@ -93,7 +93,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const char 
*iface)
 
        switch (addr->ip.sin_family) {
        case AF_INET:
-               s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP));
+               s = socket(AF_PACKET, SOCK_RAW, 0);
                if (s == -1){
                        DEBUG(DEBUG_CRIT,(__location__ " failed to open raw 
socket\n"));
                        return -1;
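
Review bot: The socket(AF_PACKET, SOCK_RAW, 0) call in the AF_INET branch of ctdb_sys_send_arp() has no comment saying why the protocol is 0, and the previous htons(ETHERTYPE_ARP) looked deliberate, so a later cleanup could easily put it back. A one-line comment that a non-zero protocol only selects which packets are received (packet(7)) and that this socket is only used to send would keep the reasoning from the commit message next to the code; the same applies to the AF_INET6 branch in the following hunk.
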
@@ -187,7 +187,7 @@ int ctdb_sys_send_arp(const ctdb_sock_addr *addr, const 
char *iface)
                close(s);
                break;
        case AF_INET6:
-               s = socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_ARP));
+               s = socket(AF_PACKET, SOCK_RAW, 0);
                if (s == -1){
                        DEBUG(DEBUG_CRIT,(__location__ " failed to open raw 
socket\n"));
                        return -1;
@@ -357,7 +357,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
                ip4pkt.tcp.check    = tcp_checksum((uint16_t *)&ip4pkt.tcp, 
sizeof(ip4pkt.tcp), &ip4pkt.ip);
 
                /* open a raw socket to send this segment from */
-               s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+               s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT,(__location__ " failed to open raw 
socket (%s)\n",
                                 strerror(errno)));
@@ -406,7 +406,7 @@ int ctdb_sys_send_tcp(const ctdb_sock_addr *dest,
                ip6pkt.tcp.window   = htons(1234);
                ip6pkt.tcp.check    = tcp_checksum6((uint16_t *)&ip6pkt.tcp, 
sizeof(ip6pkt.tcp), &ip6pkt.ip6);
 
-               s = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
+               s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT, (__location__ " Failed to open 
sending socket\n"));
                        return -1;
@@ -568,7 +568,7 @@ bool ctdb_sys_check_iface_exists(const char *iface)
        int s;
        struct ifreq ifr;
 
-       s = socket(PF_PACKET, SOCK_RAW, 0);
+       s = socket(AF_PACKET, SOCK_RAW, 0);
        if (s == -1){
                /* We dont know if the interface exists, so assume yes */
                DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket\n"));
diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c
index c4490ac..6700119 100644
--- a/ctdb/tools/ctdb.c
+++ b/ctdb/tools/ctdb.c
@@ -4537,7 +4537,7 @@ static int control_chktcpport(struct ctdb_context *ctdb, 
int argc, const char **
 
        port = atoi(argv[0]);
 
-       s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+       s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == -1) {
                printf("Failed to open local socket\n");
                return errno;
@@ -4549,7 +4549,7 @@ static int control_chktcpport(struct ctdb_context *ctdb, 
int argc, const char **
        }
 
        bzero(&sin, sizeof(sin));
-       sin.sin_family = PF_INET;
+       sin.sin_family = AF_INET;
        sin.sin_port   = htons(port);
        ret = bind(s, (struct sockaddr *)&sin, sizeof(sin));
        close(s);
diff --git a/ctdb/utils/smnotify/smnotify.c b/ctdb/utils/smnotify/smnotify.c
index d7fd546..d5c5a4c 100644
--- a/ctdb/utils/smnotify/smnotify.c
+++ b/ctdb/utils/smnotify/smnotify.c
@@ -43,14 +43,14 @@ static int create_socket(const char *addr, int port)
        int s;
         struct sockaddr_in sock_in;
 
-       s = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+       s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if (s == -1) {
                printf("Failed to open local socket\n");
                exit(10);
        }
 
        bzero(&sock_in, sizeof(sock_in));
-       sock_in.sin_family = PF_INET;
+       sock_in.sin_family = AF_INET;
        sock_in.sin_port   = htons(port);
        inet_aton(addr, &sock_in.sin_addr);
        if (bind(s, (struct sockaddr *)&sock_in, sizeof(sock_in)) == -1) {
@@ -124,7 +124,7 @@ int main(int argc, const char *argv[])
 
        /* Setup a sockaddr_in for the client we want to notify */
        bzero(&sock_cl, sizeof(sock_cl));
-       sock_cl.sin_family = PF_INET;
+       sock_cl.sin_family = AF_INET;
        sock_cl.sin_port   = htons(clientport);
        inet_aton(client, &sock_cl.sin_addr);
 
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index b07fdad..6797207 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session 
*session)
                return false;
        }
 
+       if (session->conn->mandatory_signing) {
+               return false;
+       }
+
        if (session->conn->protocol >= PROTOCOL_SMB2_02) {
                if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
                        return true;
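
Review bot: The new early return on session->conn->mandatory_signing in smbXcli_session_is_guest() carries no comment, and it changes what the function means: it now answers "may this session be treated as guest" rather than "did the server flag it as guest". The only explanation in this changeset sits in a caller (cliconnect.c); a short comment at this check stating that guest sessions are never reported when signing is required would help other callers interpret a false result.
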
@@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
                                         const struct iovec *recv_iov)
 {
        struct smbXcli_conn *conn = session->conn;
-       uint16_t no_sign_flags;
+       uint16_t no_sign_flags = 0;
        uint8_t session_key[16];
        bool check_signature = true;
        uint32_t hdr_flags;
@@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
                return NT_STATUS_INVALID_PARAMETER_MIX;
        }
 
-       no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
+       if (!conn->mandatory_signing) {
+               /*
+                * only allow guest sessions without
+                * mandatory signing.
+                *
+                * If we try an authentication with username != ""
+                * and the server let us in without verifying the
+                * password we don't have a negotiated session key
+                * for signing.
+                */
+               no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
+       }
 
        if (session->smb2->session_flags & no_sign_flags) {
                session->smb2->should_sign = false;
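
Review bot: SMB2_SESSION_FLAG_IS_NULL is dropped from no_sign_flags in every case, including when mandatory_signing is off, but the new comment only talks about guest sessions. The commit message gives the reason (real anonymous sessions never reach smb2cli_session_set_session_key()); repeating that in the comment would show the flag was removed on purpose and that a server-supplied IS_NULL flag can no longer switch signing off. With mandatory_signing set the mask stays 0, so a session flagged as guest continues past this check into code not shown in the hunk; it is worth confirming that path ends in an error status given that, per the comment, there is no negotiated session key.
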
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 015eb3d..527804d 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -535,7 +535,23 @@ interface dcerpc
        const uint32 DCERPC_FRAG_MAX_SIZE  = 5840;
        const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
        const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
-       const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
+
+       /*
+        * See [MS-RPCE] 3.3.3.5.4 Maximum Server Input Data Size
+        * 4 MByte is the default limit of reassembled request payload
+        */
+       const uint32 DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE = 0x400000;
+
+       /*
+        * See [MS-RPCE] 3.3.2.5.2 Handling Responses
+        *
+        * Indicates that Windows accepts up to 0x7FFFFFFF ~2 GByte
+        *
+        * talloc has a limit of 256 MByte, so we need to use something smaller.
+        *
+        * For now we try our luck with 240 MByte.
+        */
+       const uint32 DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE = 0xf000000; /* 240 
MByte */
 
        /* little-endian flag */
        const uint8 DCERPC_DREP_LE  = 0x10;
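
Review bot: The comment on DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE says "we try our luck with 240 MByte" without saying why 240 rather than another value under the 256 MByte talloc limit, or what the remaining 16 MByte is headroom for. Since this raises what a client will buffer for one reassembled response from 4 MByte to 240 MByte, the comment should name the workload that needs it (the commit message cites DRSUAPI replication with large objects) and point out that the limit is now the per-connection field max_total_response_size.
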
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 420fe3c..3de3796 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct 
tevent_req *subreq)
                         * have a negotiated session key.
                         *
                         * So just pretend we are completely done.
+                        *
+                        * Note that smbXcli_session_is_guest()
+                        * always returns false if we require signing.
                         */
                        state->blob_in = data_blob_null;
                        state->local_ready = true;
diff --git a/source3/script/tests/test_smbclient_ntlm.sh 
b/source3/script/tests/test_smbclient_ntlm.sh
index b8fc564..33a927f 100755
--- a/source3/script/tests/test_smbclient_ntlm.sh
+++ b/source3/script/tests/test_smbclient_ntlm.sh
@@ -37,4 +37,8 @@ else
 
        testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT 
//$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
        testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT 
//$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
+
+       testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" 
$SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 
--option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c 
quit $ADDARGS
+       testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" 
$SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 
--signing=required -c quit $ADDARGS
+       testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" 
$SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 
--signing=required -c quit $ADDARGS
 fi
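
Review bot: The three new testit_expect_failure cases pass on any failing smbclient run, so they would also pass if the connection failed for a reason unrelated to signing. Matching on the expected error in the output would tie them to the signing check. The dialects covered are NT1 and SMB3; an -mSMB2 case would cover the other dialect family named in the CVE text, and there is no case for the anonymous login that the fix's commit message says takes a different path.
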
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 8274991..4225e1d 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -155,6 +155,7 @@ static struct dcecli_connection 
*dcerpc_connection_init(TALLOC_CTX *mem_ctx,
         */
        c->srv_max_xmit_frag = 5840;
        c->srv_max_recv_frag = 5840;
+       c->max_total_response_size = DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE;
        c->pending = NULL;
 
        c->io_trigger = tevent_create_immediate(c);
@@ -1575,10 +1576,10 @@ static void dcerpc_request_recv_data(struct 
dcecli_connection *c,
 
        length = pkt->u.response.stub_and_verifier.length;
 
-       if (req->payload.length + length > DCERPC_NCACN_PAYLOAD_MAX_SIZE) {
+       if (req->payload.length + length > c->max_total_response_size) {
                DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc 
response\n",
                         (unsigned)req->payload.length + length,
-                        DCERPC_NCACN_PAYLOAD_MAX_SIZE));
+                        (unsigned)c->max_total_response_size));
                dcerpc_connection_dead(c, NT_STATUS_RPC_PROTOCOL_ERROR);
                return;
        }
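
Review bot: The check req->payload.length + length > c->max_total_response_size adds before comparing, which was easy to reason about against a 4 MByte constant but is less obvious now that the bound is a size_t field set per connection. Comparing length against c->max_total_response_size - req->payload.length, after checking that payload.length does not already exceed the limit, cannot wrap whatever the operand types are. In the DEBUG call the (unsigned) cast binds to req->payload.length only, not to the sum, so the type passed for the first %X depends on the type of length; parenthesising the sum would fix that.
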
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 1b0eb7d..0c5a819 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -107,6 +107,9 @@ struct dcecli_connection {
 
        /* the next context_id to be assigned */
        uint32_t next_context_id;
+
+       /* The maximum total payload of reassembled response pdus */
+       size_t max_total_response_size;
 };
 
 /*
diff --git a/source4/rpc_server/dcerpc_server.c 
b/source4/rpc_server/dcerpc_server.c
index 278e1af..8439d84 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -408,6 +408,7 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct 
dcesrv_context *dce_ctx,
        p->allow_bind = true;
        p->max_recv_frag = 5840;
        p->max_xmit_frag = 5840;
+       p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
 
        *_p = p;
        return NT_STATUS_OK;
@@ -1532,7 +1533,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct 
dcesrv_connection *dce_conn,
                /*
                 * Up to 4 MByte are allowed by all fragments
                 */
-               available = DCERPC_NCACN_PAYLOAD_MAX_SIZE;
+               available = dce_conn->max_total_request_size;
                if (er->stub_and_verifier.length > available) {
                        dcesrv_call_disconnect_after(existing,
                                "dcesrv_auth_request - existing payload too 
large");
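
Review bot: The context comment "Up to 4 MByte are allowed by all fragments" above available = dce_conn->max_total_request_size is now stale, since the bound is a per-connection value that only defaults to 4 MByte. Rewording it to refer to max_total_request_size, and doing the same for the identical comment in the next hunk, avoids a misleading number if the default or a connection's value changes.
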
@@ -1585,7 +1586,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct 
dcesrv_connection *dce_conn,
                /*
                 * Up to 4 MByte are allowed by all fragments
                 */
-               if (call->pkt.u.request.alloc_hint > 
DCERPC_NCACN_PAYLOAD_MAX_SIZE) {
+               if (call->pkt.u.request.alloc_hint > 
dce_conn->max_total_request_size) {
                        dcesrv_call_disconnect_after(call,
                                "dcesrv_auth_request - initial alloc hint too 
large");
                        return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
diff --git a/source4/rpc_server/dcerpc_server.h 
b/source4/rpc_server/dcerpc_server.h
index 15b25ea..72cb1bb 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -273,6 +273,9 @@ struct dcesrv_connection {
 
        /* the association group the connection belongs to */
        struct dcesrv_assoc_group *assoc_group;
+
+       /* The maximum total payload of reassembled request pdus */
+       size_t max_total_request_size;
 };
 
 


-- 
Samba Shared Repository
