From 846e014df8f302b609e4d2baca5e4ff57cb13049 Mon Sep 17 00:00:00 2001 From: Marios Makassikis Date: Sun, 6 Nov 2022 23:31:29 +0100 Subject: [PATCH 13/17] ksmbd-tools: mountd: Check ndr_write_* functions return value Mechanical change to exit early when an ndr_write_* function fails as it would write out of bounds. Signed-off-by: Marios Makassikis --- include/smbacl.h | 2 +- mountd/rpc.c | 255 ++++++++++++++++++------- mountd/rpc_lsarpc.c | 247 +++++++++++++++++------- mountd/rpc_samr.c | 443 +++++++++++++++++++++++++++++++++----------- mountd/rpc_srvsvc.c | 64 +++++-- mountd/rpc_wkssvc.c | 49 +++-- mountd/smbacl.c | 108 ++++++++--- 7 files changed, 875 insertions(+), 293 deletions(-) diff --git a/include/smbacl.h b/include/smbacl.h index b0fe131c9fac..a5551c91b241 100644 --- a/include/smbacl.h +++ b/include/smbacl.h @@ -73,7 +73,7 @@ struct smb_ace { void smb_init_domain_sid(struct smb_sid *sid); int smb_read_sid(struct ksmbd_dcerpc *dce, struct smb_sid *sid); -void smb_write_sid(struct ksmbd_dcerpc *dce, const struct smb_sid *src); +int smb_write_sid(struct ksmbd_dcerpc *dce, const struct smb_sid *src); void smb_copy_sid(struct smb_sid *dst, const struct smb_sid *src); int smb_compare_sids(const struct smb_sid *ctsid, const struct smb_sid *cwsid); int build_sec_desc(struct ksmbd_dcerpc *dce, __u32 *secdesclen, int rid); diff --git a/mountd/rpc.c b/mountd/rpc.c index 4f0058888e39..4e0e78fdf5a9 100644 --- a/mountd/rpc.c +++ b/mountd/rpc.c @@ -325,7 +325,9 @@ int ndr_write_union_##name(struct ksmbd_dcerpc *dce, type value) \ int ret; \ \ ret = ndr_write_##name(dce, value); \ - ret |= ndr_write_##name(dce, value); \ + if (ret) \ + return ret; \ + ret = ndr_write_##name(dce, value); \ return ret; \ } @@ -428,9 +430,20 @@ int ndr_write_vstring(struct ksmbd_dcerpc *dce, void *value) * passed, including the terminator. */ ret = ndr_write_int32(dce, str_len); - ret |= ndr_write_int32(dce, 0); - ret |= ndr_write_int32(dce, str_len); - ret |= ndr_write_bytes(dce, out, bytes_written); + if (ret) + return ret; + + ret = ndr_write_int32(dce, 0); + if (ret) + return ret; + + ret = ndr_write_int32(dce, str_len); + if (ret) + return ret; + + ret = ndr_write_bytes(dce, out, bytes_written); + if (ret) + return ret; auto_align_offset(dce); return ret; @@ -453,9 +466,18 @@ int ndr_write_string(struct ksmbd_dcerpc *dce, char *str) return -EINVAL; ret = ndr_write_int32(dce, len); // max count - ret |= ndr_write_int32(dce, 0); - ret |= ndr_write_int32(dce, len); // actual count - ret |= ndr_write_bytes(dce, out, bytes_written); + if (ret) + return ret; + + ret = ndr_write_int32(dce, 0); + if (ret) + return ret; + + ret = ndr_write_int32(dce, len); // actual count + if (ret) + return ret; + + ret = ndr_write_bytes(dce, out, bytes_written); auto_align_offset(dce); return ret; @@ -478,9 +500,18 @@ int ndr_write_lsa_string(struct ksmbd_dcerpc *dce, char *str) return -EINVAL; ret = ndr_write_int32(dce, len + 1); // max count - ret |= ndr_write_int32(dce, 0); - ret |= ndr_write_int32(dce, len); // actual count - ret |= ndr_write_bytes(dce, out, bytes_written); + if (ret) + return ret; + + ret = ndr_write_int32(dce, 0); + if (ret) + return ret; + + ret = ndr_write_int32(dce, len); // actual count + if (ret) + return ret; + + ret = ndr_write_bytes(dce, out, bytes_written); auto_align_offset(dce); return ret; @@ -649,9 +680,14 @@ static int ndr_write_empty_array_of_struct(struct ksmbd_rpc_pipe *pipe) struct ksmbd_dcerpc *dce = pipe->dce; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, 0); - ndr_write_int32(dce, 0); + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -673,7 +709,8 @@ int ndr_write_array_of_structs(struct ksmbd_rpc_pipe *pipe) return ndr_write_empty_array_of_struct(pipe); max_entry_nr = __max_entries(dce, pipe); - ndr_write_int32(dce, max_entry_nr); + if (ndr_write_int32(dce, max_entry_nr)) + return KSMBD_RPC_EBAD_DATA; /* * ARRAY representation [per dimension] * max_count @@ -682,9 +719,14 @@ int ndr_write_array_of_structs(struct ksmbd_rpc_pipe *pipe) * element representation [1..N] * actual elements [1..N] */ - ndr_write_int32(dce, max_entry_nr); - ndr_write_int32(dce, 1); - ndr_write_int32(dce, max_entry_nr); + if (ndr_write_int32(dce, max_entry_nr)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 1)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, max_entry_nr)) + return KSMBD_RPC_EBAD_DATA; if (max_entry_nr == 0) { pr_err("DCERPC: can't fit any data, buffer is too small\n"); @@ -721,15 +763,40 @@ void rpc_destroy(void) static int dcerpc_hdr_write(struct ksmbd_dcerpc *dce, struct dcerpc_header *hdr) { - ndr_write_int8(dce, hdr->rpc_vers); - ndr_write_int8(dce, hdr->rpc_vers_minor); - ndr_write_int8(dce, hdr->ptype); - ndr_write_int8(dce, hdr->pfc_flags); - ndr_write_bytes(dce, &hdr->packed_drep, sizeof(hdr->packed_drep)); - ndr_write_int16(dce, hdr->frag_length); - ndr_write_int16(dce, hdr->auth_length); - ndr_write_int32(dce, hdr->call_id); - return 0; + int ret; + + ret = ndr_write_int8(dce, hdr->rpc_vers); + if (ret) + return ret; + + ret = ndr_write_int8(dce, hdr->rpc_vers_minor); + if (ret) + return ret; + + ret = ndr_write_int8(dce, hdr->ptype); + if (ret) + return ret; + + ret = ndr_write_int8(dce, hdr->pfc_flags); + if (ret) + return ret; + + ret = ndr_write_bytes(dce, &hdr->packed_drep, + sizeof(hdr->packed_drep)); + if (ret) + return ret; + + ret = ndr_write_int16(dce, hdr->frag_length); + if (ret) + return ret; + + ret = ndr_write_int16(dce, hdr->auth_length); + if (ret) + return ret; + + ret = ndr_write_int32(dce, hdr->call_id); + + return ret; } static int dcerpc_hdr_read(struct ksmbd_dcerpc *dce, @@ -776,11 +843,20 @@ static int dcerpc_hdr_read(struct ksmbd_dcerpc *dce, static int dcerpc_response_hdr_write(struct ksmbd_dcerpc *dce, struct dcerpc_response_header *hdr) { - ndr_write_int32(dce, hdr->alloc_hint); - ndr_write_int16(dce, hdr->context_id); - ndr_write_int8(dce, hdr->cancel_count); + int ret; + + ret = ndr_write_int32(dce, hdr->alloc_hint); + if (ret) + return ret; + + ret = ndr_write_int16(dce, hdr->context_id); + if (ret) + return ret; + + ret = ndr_write_int8(dce, hdr->cancel_count); auto_align_offset(dce); - return 0; + + return ret; } static int dcerpc_request_hdr_read(struct ksmbd_dcerpc *dce, @@ -797,7 +873,7 @@ static int dcerpc_request_hdr_read(struct ksmbd_dcerpc *dce, int dcerpc_write_headers(struct ksmbd_dcerpc *dce, int method_status) { - int payload_offset; + int payload_offset, ret; payload_offset = dce->offset; dce->offset = 0; @@ -807,13 +883,17 @@ int dcerpc_write_headers(struct ksmbd_dcerpc *dce, int method_status) dce->hdr.frag_length = payload_offset; if (method_status == KSMBD_RPC_EMORE_DATA) dce->hdr.pfc_flags = 0; - dcerpc_hdr_write(dce, &dce->hdr); + ret = dcerpc_hdr_write(dce, &dce->hdr); + if (ret) + return ret; /* cast req_hdr to resp_hdr and NULL out lower 2 bytes */ dce->req_hdr.opnum = 0; dce->resp_hdr.cancel_count = 0; dce->resp_hdr.alloc_hint = payload_offset; - dcerpc_response_hdr_write(dce, &dce->resp_hdr); + ret = dcerpc_response_hdr_write(dce, &dce->resp_hdr); + if (ret) + return ret; dce->offset = payload_offset; return 0; @@ -843,14 +923,36 @@ static int __dcerpc_read_syntax(struct ksmbd_dcerpc *dce, static int __dcerpc_write_syntax(struct ksmbd_dcerpc *dce, struct dcerpc_syntax *syn) { - ndr_write_int32(dce, syn->uuid.time_low); - ndr_write_int16(dce, syn->uuid.time_mid); - ndr_write_int16(dce, syn->uuid.time_hi_and_version); - ndr_write_bytes(dce, syn->uuid.clock_seq, sizeof(syn->uuid.clock_seq)); - ndr_write_bytes(dce, syn->uuid.node, sizeof(syn->uuid.node)); - ndr_write_int16(dce, syn->ver_major); - ndr_write_int16(dce, syn->ver_minor); - return 0; + int ret; + + ret = ndr_write_int32(dce, syn->uuid.time_low); + if (ret) + return ret; + + ret = ndr_write_int16(dce, syn->uuid.time_mid); + if (ret) + return ret; + + ret = ndr_write_int16(dce, syn->uuid.time_hi_and_version); + if (ret) + return ret; + + ret = ndr_write_bytes(dce, syn->uuid.clock_seq, + sizeof(syn->uuid.clock_seq)); + if (ret) + return ret; + + ret = ndr_write_bytes(dce, syn->uuid.node, sizeof(syn->uuid.node)); + if (ret) + return ret; + + ret = ndr_write_int16(dce, syn->ver_major); + if (ret) + return ret; + + ret = ndr_write_int16(dce, syn->ver_minor); + + return ret; } static void dcerpc_bind_req_free(struct dcerpc_bind_request *hdr) @@ -965,14 +1067,21 @@ static int dcerpc_bind_nack_return(struct ksmbd_rpc_pipe *pipe) dce->offset = sizeof(struct dcerpc_header); - ndr_write_int16(dce, - DCERPC_BIND_NAK_RSN_PROTOCOL_VERSION_NOT_SUPPORTED); - ndr_write_int8(dce, ARRAY_SIZE(known_syntaxes)); + if (ndr_write_int16(dce, + DCERPC_BIND_NAK_RSN_PROTOCOL_VERSION_NOT_SUPPORTED)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int8(dce, ARRAY_SIZE(known_syntaxes))) + return KSMBD_RPC_EBAD_DATA; + auto_align_offset(dce); for (i = 0; i < ARRAY_SIZE(known_syntaxes); i++) { - ndr_write_int8(dce, known_syntaxes[i].syn.ver_major); - ndr_write_int8(dce, known_syntaxes[i].syn.ver_minor); + if (ndr_write_int8(dce, known_syntaxes[i].syn.ver_major)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int8(dce, known_syntaxes[i].syn.ver_minor)) + return KSMBD_RPC_EBAD_DATA; } payload_offset = dce->offset; @@ -981,7 +1090,8 @@ static int dcerpc_bind_nack_return(struct ksmbd_rpc_pipe *pipe) dce->hdr.ptype = DCERPC_PTYPE_RPC_BINDNACK; dce->hdr.pfc_flags = DCERPC_PFC_FIRST_FRAG | DCERPC_PFC_LAST_FRAG; dce->hdr.frag_length = payload_offset; - dcerpc_hdr_write(dce, &dce->hdr); + if (dcerpc_hdr_write(dce, &dce->hdr)) + return KSMBD_RPC_EBAD_DATA; dce->offset = payload_offset; dce->rpc_resp->payload_sz = dce->offset; @@ -1002,9 +1112,14 @@ static int dcerpc_bind_ack_return(struct ksmbd_rpc_pipe *pipe) if (dce->bi_req.assoc_group_id == 0) dce->bi_req.assoc_group_id = 0x53f0; - ndr_write_int16(dce, dce->bi_req.max_xmit_frag_sz); - ndr_write_int16(dce, dce->bi_req.max_recv_frag_sz); - ndr_write_int32(dce, dce->bi_req.assoc_group_id); + if (ndr_write_int16(dce, dce->bi_req.max_xmit_frag_sz)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, dce->bi_req.max_recv_frag_sz)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, dce->bi_req.assoc_group_id)) + return KSMBD_RPC_EBAD_DATA; if (dce->bi_req.flags & KSMBD_RPC_SRVSVC_METHOD_INVOKE) addr = "\\PIPE\\srvsvc"; @@ -1018,16 +1133,24 @@ static int dcerpc_bind_ack_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EBAD_FUNC; if (dce->hdr.ptype == DCERPC_PTYPE_RPC_ALTCONT) { - ndr_write_int16(dce, 0); - ndr_write_int16(dce, 0); + if (ndr_write_int16(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, 0)) + return KSMBD_RPC_EBAD_DATA; } else { - ndr_write_int16(dce, strlen(addr)); - ndr_write_bytes(dce, addr, strlen(addr)); + if (ndr_write_int16(dce, strlen(addr))) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_bytes(dce, addr, strlen(addr))) + return KSMBD_RPC_EBAD_DATA; } align_offset(dce, 4); /* [flag(NDR_ALIGN4)] DATA_BLOB _pad1; */ num_trans = dce->bi_req.num_contexts; - ndr_write_int8(dce, num_trans); + if (ndr_write_int8(dce, num_trans)) + return KSMBD_RPC_EBAD_DATA; + align_offset(dce, 2); for (i = 0; i < num_trans; i++) { @@ -1039,17 +1162,24 @@ static int dcerpc_bind_ack_return(struct ksmbd_rpc_pipe *pipe) if (result == -1) { result = DCERPC_BIND_ACK_RES_PROVIDER_REJECT; - ndr_write_union_int16(dce, result); + if (ndr_write_union_int16(dce, result)) + return KSMBD_RPC_EBAD_DATA; } else { - if (result == DCERPC_BIND_ACK_RES_ACCEPT) - ndr_write_union_int16(dce, result); + if (result == DCERPC_BIND_ACK_RES_ACCEPT) { + if (ndr_write_union_int16(dce, result)) + return KSMBD_RPC_EBAD_DATA; + } if (result == DCERPC_BIND_ACK_RES_NEGOTIATE_ACK) { - ndr_write_int16(dce, result); - ndr_write_int16(dce, 0x00); + if (ndr_write_int16(dce, result)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, 0x00)) + return KSMBD_RPC_EBAD_DATA; s = &negotiate_ack_PNIO_uuid; } } - __dcerpc_write_syntax(dce, s); + if (__dcerpc_write_syntax(dce, s)) + return KSMBD_RPC_EBAD_DATA; } payload_offset = dce->offset; @@ -1061,7 +1191,8 @@ static int dcerpc_bind_ack_return(struct ksmbd_rpc_pipe *pipe) dce->hdr.ptype = DCERPC_PTYPE_RPC_BINDACK; dce->hdr.pfc_flags = DCERPC_PFC_FIRST_FRAG | DCERPC_PFC_LAST_FRAG; dce->hdr.frag_length = payload_offset; - dcerpc_hdr_write(dce, &dce->hdr); + if (dcerpc_hdr_write(dce, &dce->hdr)) + return KSMBD_RPC_EBAD_DATA; dce->offset = payload_offset; dce->rpc_resp->payload_sz = dce->offset; diff --git a/mountd/rpc_lsarpc.c b/mountd/rpc_lsarpc.c index 46a4cc824b5b..8220e32c503e 100644 --- a/mountd/rpc_lsarpc.c +++ b/mountd/rpc_lsarpc.c @@ -83,11 +83,21 @@ static int lsa_domain_account_rep(struct ksmbd_dcerpc *dce, char *domain_name) len = strlen(domain_name); ret = ndr_write_int16(dce, len*2); // length - ret |= ndr_write_int16(dce, (len+1)*2); // size + if (ret) + return ret; + + ret = ndr_write_int16(dce, (len+1)*2); // size + if (ret) + return ret; + dce->num_pointers++; - ret |= ndr_write_int32(dce, dce->num_pointers); /* ref pointer for domain name*/ + ret = ndr_write_int32(dce, dce->num_pointers); /* ref pointer for domain name*/ + if (ret) + return ret; + dce->num_pointers++; - ret |= ndr_write_int32(dce, dce->num_pointers); /* ref pointer for sid*/ + ret = ndr_write_int32(dce, dce->num_pointers); /* ref pointer for sid*/ + return ret; } @@ -97,8 +107,15 @@ static int lsa_domain_account_data(struct ksmbd_dcerpc *dce, char *domain_name, int ret; ret = ndr_write_lsa_string(dce, domain_name); // domain string - ret |= ndr_write_int32(dce, sid->num_subauth); // count - smb_write_sid(dce, sid); // sid + if (ret) + return ret; + + ret = ndr_write_int32(dce, sid->num_subauth); // count + if (ret) + return ret; + + ret = smb_write_sid(dce, sid); // sid + return ret; } @@ -124,22 +141,43 @@ static int lsarpc_get_primary_domain_info_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EBAD_FUNC; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int16(dce, 1); // count - ndr_write_int16(dce, 0); - ndr_write_int16(dce, DS_ROLE_STANDALONE_SERVER); // role - ndr_write_int16(dce, 0); - ndr_write_int32(dce, 0); // flags + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, 1)) // count + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, DS_ROLE_STANDALONE_SERVER)) // role + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) // flags + return KSMBD_RPC_EBAD_DATA; + dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, 0); // NULL pointer : Pointer to Dns Domain - ndr_write_int32(dce, 0); // NULL pointer : Pointer to Forest + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) // NULL pointer : Pointer to Dns Domain + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) // NULL pointer : Pointer to Forest + return KSMBD_RPC_EBAD_DATA; + /* NULL Domain guid */ - for (i = 0; i < 16; i++) - ndr_write_int8(dce, 0); + for (i = 0; i < 16; i++) { + if (ndr_write_int8(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + } - ndr_write_vstring(dce, domain_name); // domain string + if (ndr_write_vstring(dce, domain_name)) // domain string + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -154,7 +192,8 @@ static int lsarpc_open_policy2_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_ENOMEM; /* write connect handle */ - ndr_write_bytes(dce, ph->handle, HANDLE_SIZE); + if (ndr_write_bytes(dce, ph->handle, HANDLE_SIZE)) + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -189,16 +228,25 @@ static int lsarpc_query_info_policy_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EBAD_FUNC; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int16(dce, LSA_POLICY_INFO_ACCOUNT_DOMAIN); // level - ndr_write_int16(dce, 0); + // ref pointer + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + + // level + if (ndr_write_int16(dce, LSA_POLICY_INFO_ACCOUNT_DOMAIN)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, 0)) + return KSMBD_RPC_EBAD_DATA; /* Domain, Sid ref pointer */ - lsa_domain_account_rep(dce, domain_name); + if (lsa_domain_account_rep(dce, domain_name)) + return KSMBD_RPC_EBAD_DATA; /* Pointer to domain, Sid */ smb_init_domain_sid(&sid); - lsa_domain_account_data(dce, domain_name, &sid); + if (lsa_domain_account_data(dce, domain_name, &sid)) + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -281,13 +329,21 @@ static int lsarpc_lookup_sid2_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EBAD_FID; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, pipe->num_entries); // count + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, pipe->num_entries)) // count + return KSMBD_RPC_EBAD_DATA; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, 32); // max size - ndr_write_int32(dce, pipe->num_entries); // max count + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 32)) // max size + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, pipe->num_entries)) // max count + return KSMBD_RPC_EBAD_DATA; for (i = 0; i < pipe->num_entries; i++) { struct lsarpc_names_info *ni; @@ -296,7 +352,8 @@ static int lsarpc_lookup_sid2_return(struct ksmbd_rpc_pipe *pipe) gpointer, i); if (ni->type == -1) rc = KSMBD_RPC_SOME_NOT_MAPPED; - lsa_domain_account_rep(dce, ni->domain_str); + if (lsa_domain_account_rep(dce, ni->domain_str)) + return KSMBD_RPC_EBAD_DATA; } for (i = 0; i < pipe->num_entries; i++) { @@ -304,14 +361,20 @@ static int lsarpc_lookup_sid2_return(struct ksmbd_rpc_pipe *pipe) ni = (struct lsarpc_names_info *)g_array_index(pipe->entries, gpointer, i); - lsa_domain_account_data(dce, ni->domain_str, &ni->sid); + if (lsa_domain_account_data(dce, ni->domain_str, &ni->sid)) + return KSMBD_RPC_EBAD_DATA; } /* Pointer to Names */ - ndr_write_int32(dce, pipe->num_entries); // count + if (ndr_write_int32(dce, pipe->num_entries)) // count + return KSMBD_RPC_EBAD_DATA; + dce->num_pointers++; // ref pointer - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, pipe->num_entries); // max count + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, pipe->num_entries)) // max count + return KSMBD_RPC_EBAD_DATA; for (i = 0; i < pipe->num_entries; i++) { struct lsarpc_names_info *ni; @@ -319,18 +382,31 @@ static int lsarpc_lookup_sid2_return(struct ksmbd_rpc_pipe *pipe) ni = (struct lsarpc_names_info *)g_array_index(pipe->entries, gpointer, i); - ndr_write_int16(dce, ni->type); // sid type - ndr_write_int16(dce, 0); + if (ndr_write_int16(dce, ni->type)) // sid type + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + if (ni->user) len = strlen(ni->user->name); else len = strlen("None"); - ndr_write_int16(dce, len*2); // length - ndr_write_int16(dce, len*2); // size + if (ndr_write_int16(dce, len*2)) // length + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, len*2)) // size + return KSMBD_RPC_EBAD_DATA; + dce->num_pointers++; // ref pointer - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, ni->index); // sid index - ndr_write_int32(dce, 0); // unknown + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, ni->index)) // sid index + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) // unknown + return KSMBD_RPC_EBAD_DATA; } for (i = 0; i < pipe->num_entries; i++) { @@ -341,10 +417,14 @@ static int lsarpc_lookup_sid2_return(struct ksmbd_rpc_pipe *pipe) gpointer, i); if (ni->user) username = ni->user->name; - ndr_write_string(dce, username); // username + if (ndr_write_string(dce, username)) // username + return KSMBD_RPC_EBAD_DATA; + } - ndr_write_int32(dce, pipe->num_entries); // count + if (ndr_write_int32(dce, pipe->num_entries)) // count + return KSMBD_RPC_EBAD_DATA; + if (pipe->entry_processed) { for (i = 0; i < pipe->num_entries; i++) pipe->entry_processed(pipe, 0); @@ -421,30 +501,52 @@ static int lsarpc_lookup_names3_return(struct ksmbd_rpc_pipe *pipe) /* Domain list */ dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; - ndr_write_int32(dce, 1); // domain count + if (ndr_write_int32(dce, 1)) // domain count + return KSMBD_RPC_EBAD_DATA; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, 32); // max size - ndr_write_int32(dce, 1); // max count + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + if (ndr_write_int32(dce, 32)) // max size + return KSMBD_RPC_EBAD_DATA; + if (ndr_write_int32(dce, 1)) // max count + return KSMBD_RPC_EBAD_DATA; + + if (lsa_domain_account_rep(dce, domain_name)) + return KSMBD_RPC_EBAD_DATA; - lsa_domain_account_rep(dce, domain_name); smb_init_domain_sid(&sid); - lsa_domain_account_data(dce, domain_name, &sid); + if (lsa_domain_account_data(dce, domain_name, &sid)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, pipe->num_entries)) // count + return KSMBD_RPC_EBAD_DATA; - ndr_write_int32(dce, pipe->num_entries); // count dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // sid ref id - ndr_write_int32(dce, pipe->num_entries); // count + if (ndr_write_int32(dce, dce->num_pointers)) // sid ref id + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, pipe->num_entries)) // count + return KSMBD_RPC_EBAD_DATA; for (i = 0; i < pipe->num_entries; i++) { - ndr_write_int16(dce, SID_TYPE_USER); // sid type - ndr_write_int16(dce, 0); + if (ndr_write_int16(dce, SID_TYPE_USER)) // sid type + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int16(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, i); // sid index - ndr_write_int32(dce, 0); + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, i)) // sid index + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) + return KSMBD_RPC_EBAD_DATA; } for (i = 0; i < pipe->num_entries; i++) { @@ -453,11 +555,17 @@ static int lsarpc_lookup_names3_return(struct ksmbd_rpc_pipe *pipe) ni = (struct lsarpc_names_info *)g_array_index(pipe->entries, gpointer, i); ni->sid.sub_auth[ni->sid.num_subauth++] = ni->user->uid; - ndr_write_int32(dce, ni->sid.num_subauth); // sid auth count - smb_write_sid(dce, &ni->sid); // sid + + if (ndr_write_int32(dce, ni->sid.num_subauth)) // sid auth count + return KSMBD_RPC_EBAD_DATA; + + if (smb_write_sid(dce, &ni->sid)) // sid + return KSMBD_RPC_EBAD_DATA; } - ndr_write_int32(dce, pipe->num_entries); + if (ndr_write_int32(dce, pipe->num_entries)) + return KSMBD_RPC_EBAD_DATA; + if (pipe->entry_processed) { for (i = 0; i < pipe->num_entries; i++) pipe->entry_processed(pipe, 0); @@ -487,9 +595,15 @@ static int lsarpc_close_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EBAD_FID; lsarpc_ph_free(ph); - ndr_write_int64(dce, 0); - ndr_write_int64(dce, 0); - ndr_write_int32(dce, 0); + if (ndr_write_int64(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int64(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + return KSMBD_RPC_OK; } @@ -564,8 +678,11 @@ static int lsarpc_return(struct ksmbd_rpc_pipe *pipe, /* * [out] DWORD Return value/code */ - ndr_write_int32(dce, status); - dcerpc_write_headers(dce, status); + if (ndr_write_int32(dce, status)) + return KSMBD_RPC_EBAD_DATA; + + if (dcerpc_write_headers(dce, status)) + return KSMBD_RPC_EBAD_DATA; dce->rpc_resp->payload_sz = dce->offset; return status; diff --git a/mountd/rpc_samr.c b/mountd/rpc_samr.c index 0c577c16fb71..d5a15d5bb769 100644 --- a/mountd/rpc_samr.c +++ b/mountd/rpc_samr.c @@ -105,16 +105,22 @@ static int samr_connect5_return(struct ksmbd_rpc_pipe *pipe) struct ksmbd_dcerpc *dce = pipe->dce; struct connect_handle *ch; - ndr_write_union_int32(dce, dce->sm_req.level); //level out - ndr_write_int32(dce, dce->sm_req.client_version); //client version - ndr_write_int32(dce, 0); //reserved + if (ndr_write_union_int32(dce, dce->sm_req.level)) //level out + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, dce->sm_req.client_version)) //client version + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) //reserved + return KSMBD_RPC_EBAD_DATA; ch = samr_ch_alloc(pipe->id); if (!ch) return KSMBD_RPC_ENOMEM; /* write connect handle */ - ndr_write_bytes(dce, ch->handle, HANDLE_SIZE); + if (ndr_write_bytes(dce, ch->handle, HANDLE_SIZE)) + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -139,21 +145,32 @@ int samr_ndr_write_domain_array(struct ksmbd_rpc_pipe *pipe) size_t name_len; ret = ndr_write_int32(dce, i); + if (ret) + return ret; entry = g_array_index(domain_entries, gpointer, i); name_len = strlen((char *)entry); - ret |= ndr_write_int16(dce, name_len*2); - ret |= ndr_write_int16(dce, name_len*2); + ret = ndr_write_int16(dce, name_len*2); + if (ret) + return ret; + + ret = ndr_write_int16(dce, name_len*2); + if (ret) + return ret; /* ref pointer for name entry */ dce->num_pointers++; - ret |= ndr_write_int32(dce, dce->num_pointers); + ret = ndr_write_int32(dce, dce->num_pointers); + if (ret) + return ret; } for (i = 0; i < num_domain_entries; i++) { gpointer entry; entry = g_array_index(domain_entries, gpointer, i); - ret |= ndr_write_string(dce, (char *)entry); + ret = ndr_write_string(dce, (char *)entry); + if (ret) + return ret; } return ret; @@ -163,27 +180,37 @@ static int samr_enum_domain_return(struct ksmbd_rpc_pipe *pipe) { struct ksmbd_dcerpc *dce = pipe->dce; struct connect_handle *ch; - int status; ch = samr_ch_lookup(dce->sm_req.handle); if (!ch) return KSMBD_RPC_EBAD_FID; /* Resume Handle */ - ndr_write_int32(dce, 0); + if (ndr_write_int32(dce, 0)) + return KSMBD_RPC_EBAD_DATA; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, num_domain_entries); // Sam entry count + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, num_domain_entries)) // Sam entry count + return KSMBD_RPC_EBAD_DATA; + dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, num_domain_entries); // Sam max entry count - status = samr_ndr_write_domain_array(pipe); + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, num_domain_entries)) // Sam max entry count + return KSMBD_RPC_EBAD_DATA; + + if (samr_ndr_write_domain_array(pipe)) + return KSMBD_RPC_EBAD_DATA; /* [out] DWORD* Num Entries */ - ndr_write_int32(dce, num_domain_entries); + if (ndr_write_int32(dce, num_domain_entries)) + return KSMBD_RPC_EBAD_DATA; - return status; + return KSMBD_RPC_OK; } static int samr_lookup_domain_invoke(struct ksmbd_rpc_pipe *pipe) @@ -217,8 +244,11 @@ static int samr_lookup_domain_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EBAD_FID; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, 4); + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 4)) + return KSMBD_RPC_EBAD_DATA; for (i = 0; i < num_domain_entries; i++) { gpointer entry; @@ -226,7 +256,8 @@ static int samr_lookup_domain_return(struct ksmbd_rpc_pipe *pipe) entry = g_array_index(domain_entries, gpointer, i); if (!strcmp(STR_VAL(dce->sm_req.name), (char *)entry)) { smb_init_domain_sid(&sid); - smb_write_sid(dce, &sid); + if (smb_write_sid(dce, &sid)) + return KSMBD_RPC_EBAD_DATA; } } @@ -252,7 +283,8 @@ static int samr_open_domain_return(struct ksmbd_rpc_pipe *pipe) if (!ch) return KSMBD_RPC_EBAD_FID; ch->refcount++; - ndr_write_bytes(dce, ch->handle, HANDLE_SIZE); + if (ndr_write_bytes(dce, ch->handle, HANDLE_SIZE)) + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -303,17 +335,31 @@ static int samr_lookup_names_return(struct ksmbd_rpc_pipe *pipe) if (!ch->user) return KSMBD_RPC_EACCESS_DENIED; - ndr_write_int32(dce, 1); // count + if (ndr_write_int32(dce, 1)) // count + return KSMBD_RPC_EBAD_DATA; + dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, 1); // count - ndr_write_int32(dce, ch->user->uid); // RID + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 1)) // count + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, ch->user->uid)) // RID + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 1)) + return KSMBD_RPC_EBAD_DATA; - ndr_write_int32(dce, 1); dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, 1); - ndr_write_int32(dce, 1); + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 1)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 1)) + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -347,7 +393,8 @@ static int samr_open_user_return(struct ksmbd_rpc_pipe *pipe) if (dce->sm_req.rid != ch->user->uid) return KSMBD_RPC_EBAD_FID; - ndr_write_bytes(dce, ch->handle, HANDLE_SIZE); + if (ndr_write_bytes(dce, ch->handle, HANDLE_SIZE)) + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -369,7 +416,7 @@ static int samr_query_user_info_return(struct ksmbd_rpc_pipe *pipe) char *home_dir; g_autofree char *profile_path = NULL; char hostname[NAME_MAX]; - int home_dir_len, i; + int home_dir_len, i, ret; ch = samr_ch_lookup(dce->sm_req.handle); if (!ch) @@ -403,114 +450,263 @@ static int samr_query_user_info_return(struct ksmbd_rpc_pipe *pipe) strcat(profile_path, "profile"); dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int16(dce, 0x15); // info - ndr_write_int16(dce, 0); + ret = ndr_write_int32(dce, dce->num_pointers); // ref pointer + if (ret) + goto out; + + ret = ndr_write_int16(dce, 0x15); // info + if (ret) + goto out; + + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; /* * Last Logon/Logoff/Password change, Acct Expiry, * Allow Passworkd Change, Force Password Change. */ - for (i = 0; i < 6; i++) - ndr_write_int64(dce, 0); + for (i = 0; i < 6; i++) { + ret = ndr_write_int64(dce, 0); + if (ret) + goto out; + } - ndr_write_int16(dce, strlen(ch->user->name)*2); // account name length - ndr_write_int16(dce, strlen(ch->user->name)*2); + ret = ndr_write_int16(dce, strlen(ch->user->name)*2); // account name length + if (ret) + goto out; + + ret = ndr_write_int16(dce, strlen(ch->user->name)*2); + if (ret) + goto out; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int16(dce, strlen(ch->user->name)*2); // full name length - ndr_write_int16(dce, strlen(ch->user->name)*2); + ret = ndr_write_int32(dce, dce->num_pointers); // ref pointer + if (ret) + goto out; + + ret = ndr_write_int16(dce, strlen(ch->user->name)*2); // full name length + if (ret) + goto out; + + ret = ndr_write_int16(dce, strlen(ch->user->name)*2); + if (ret) + goto out; + dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int16(dce, strlen(home_dir)*2); // home directory length - ndr_write_int16(dce, strlen(home_dir)*2); + ret = ndr_write_int32(dce, dce->num_pointers); // ref pointer + if (ret) + goto out; + + ret = ndr_write_int16(dce, strlen(home_dir)*2); // home directory length + if (ret) + goto out; + + ret = ndr_write_int16(dce, strlen(home_dir)*2); + if (ret) + goto out; /* Home Drive, Logon Script */ for (i = 0; i < 2; i++) { dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int16(dce, 0); - ndr_write_int16(dce, 0); + ret = ndr_write_int32(dce, dce->num_pointers); // ref pointer + if (ret) + goto out; + + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; } dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int16(dce, strlen(profile_path)*2); //profile path length - ndr_write_int16(dce, strlen(profile_path)*2); + ret = ndr_write_int32(dce, dce->num_pointers); // ref pointer + if (ret) + goto out; + + ret = ndr_write_int16(dce, strlen(profile_path)*2); //profile path length + if (ret) + goto out; + + ret = ndr_write_int16(dce, strlen(profile_path)*2); + if (ret) + goto out; + /* Description, Workstations, Comments, Parameters */ for (i = 0; i < 4; i++) { dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int16(dce, 0); - ndr_write_int16(dce, 0); + ret = ndr_write_int32(dce, dce->num_pointers); // ref pointer + if (ret) + goto out; + + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; } dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); + ret = ndr_write_int32(dce, dce->num_pointers); + if (ret) + goto out; + /* Lm, Nt, Password and Private*/ for (i = 0; i < 3; i++) { - ndr_write_int16(dce, 0); - ndr_write_int16(dce, 0); - ndr_write_int32(dce, 0); + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; } - ndr_write_int32(dce, 0); // buf count + ret = ndr_write_int32(dce, 0); // buf count + if (ret) + goto out; + /* Pointer to Buffer */ - ndr_write_int32(dce, 0); - ndr_write_int32(dce, ch->user->uid); // rid - ndr_write_int32(dce, 513); // primary gid - ndr_write_int32(dce, 0x00000010); // Acct Flags : Acb Normal - ndr_write_int32(dce, 0x00FFFFFF); // Fields Present - ndr_write_int16(dce, 168); // logon hours - ndr_write_int16(dce, 0); + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int32(dce, ch->user->uid); // rid + if (ret) + goto out; + + ret = ndr_write_int32(dce, 513); // primary gid + if (ret) + goto out; + + ret = ndr_write_int32(dce, 0x00000010); // Acct Flags : Acb Normal + if (ret) + goto out; + + ret = ndr_write_int32(dce, 0x00FFFFFF); // Fields Present + if (ret) + goto out; + + ret = ndr_write_int16(dce, 168); // logon hours + if (ret) + goto out; + + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; /* Pointers to Bits */ dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); //ref pointer + ret = ndr_write_int32(dce, dce->num_pointers); //ref pointer + if (ret) + goto out; /* Bad Password/Logon Count/Country Code/Code Page */ - for (i = 0; i < 4; i++) - ndr_write_int16(dce, 0); + for (i = 0; i < 4; i++) { + ret = ndr_write_int16(dce, 0); + if (ret) + goto out; + } + /* Lm/Nt Password Set, Password Expired/etc */ - ndr_write_int8(dce, 0); - ndr_write_int8(dce, 0); - ndr_write_int8(dce, 0); - ndr_write_int8(dce, 0); - - ndr_write_string(dce, ch->user->name); - ndr_write_string(dce, ch->user->name); - ndr_write_string(dce, home_dir); + ret = ndr_write_int8(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int8(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int8(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int8(dce, 0); + if (ret) + goto out; + + + ret = ndr_write_string(dce, ch->user->name); + if (ret) + goto out; + + ret = ndr_write_string(dce, ch->user->name); + if (ret) + goto out; + + ret = ndr_write_string(dce, home_dir); + if (ret) + goto out; + /* Home Drive, Logon Script */ for (i = 0; i < 2; i++) { - ndr_write_int32(dce, 0); - ndr_write_int32(dce, 0); - ndr_write_int32(dce, 0); + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; } - ndr_write_string(dce, profile_path); + ret = ndr_write_string(dce, profile_path); + if (ret) + goto out; /* Description, Workstations, Comments, Parameters */ for (i = 0; i < 4; i++) { - ndr_write_int32(dce, 0); - ndr_write_int32(dce, 0); - ndr_write_int32(dce, 0); + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; + + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; } /* Logon Hours */ - ndr_write_int32(dce, 1260); - ndr_write_int32(dce, 0); - ndr_write_int32(dce, 21); + ret = ndr_write_int32(dce, 1260); + if (ret) + goto out; - for (i = 0; i < 21; i++) - ndr_write_int8(dce, 0xff); + ret = ndr_write_int32(dce, 0); + if (ret) + goto out; + ret = ndr_write_int32(dce, 21); + if (ret) + goto out; + + for (i = 0; i < 21; i++) { + ret = ndr_write_int8(dce, 0xff); + if (ret) + break; + } + +out: g_free(home_dir); - return KSMBD_RPC_OK; + return ret ? KSMBD_RPC_EBAD_DATA: KSMBD_RPC_OK; } static int samr_query_security_invoke(struct ksmbd_rpc_pipe *pipe) @@ -535,17 +731,24 @@ static int samr_query_security_return(struct ksmbd_rpc_pipe *pipe) curr_offset = dce->offset; dce->offset += 16; - build_sec_desc(dce, &sec_desc_len, ch->user->uid); + if (build_sec_desc(dce, &sec_desc_len, ch->user->uid)) + return KSMBD_RPC_EBAD_DATA; + payload_offset = dce->offset; dce->offset = curr_offset; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, sec_desc_len); + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + if (ndr_write_int32(dce, sec_desc_len)) + return KSMBD_RPC_EBAD_DATA; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, sec_desc_len); + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, sec_desc_len)) + return KSMBD_RPC_EBAD_DATA; dce->offset = payload_offset; @@ -572,13 +775,24 @@ static int samr_get_group_for_user_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EBAD_FID; dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, 1); // count + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 1)) // count + return KSMBD_RPC_EBAD_DATA; + dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, 1); // max count - ndr_write_int32(dce, 513); // group rid - ndr_write_int32(dce, 0x00000007); // attributes + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 1)) // max count + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 513)) // group rid + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0x00000007)) // attributes + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -602,10 +816,15 @@ static int samr_get_alias_membership_return(struct ksmbd_rpc_pipe *pipe) if (!ch) return KSMBD_RPC_EBAD_FID; - ndr_write_int32(dce, 0); // count + if (ndr_write_int32(dce, 0)) // count + return KSMBD_RPC_EBAD_DATA; + dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); // ref pointer - ndr_write_int32(dce, 0); // max count + if (ndr_write_int32(dce, dce->num_pointers)) // ref pointer + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) // max count + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -634,9 +853,14 @@ static int samr_close_return(struct ksmbd_rpc_pipe *pipe) samr_ch_free(ch); /* write connect handle */ - ndr_write_int64(dce, 0); - ndr_write_int64(dce, 0); - ndr_write_int32(dce, 0); + if (ndr_write_int64(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int64(dce, 0)) + return KSMBD_RPC_EBAD_DATA; + + if (ndr_write_int32(dce, 0)) + return KSMBD_RPC_EBAD_DATA; return KSMBD_RPC_OK; } @@ -751,8 +975,11 @@ static int samr_return(struct ksmbd_rpc_pipe *pipe, /* * [out] DWORD Return value/code */ - ndr_write_int32(dce, status); - dcerpc_write_headers(dce, status); + if (ndr_write_int32(dce, status)) + return KSMBD_RPC_EBAD_DATA; + + if (dcerpc_write_headers(dce, status)) + return KSMBD_RPC_EBAD_DATA; dce->rpc_resp->payload_sz = dce->offset; return status; diff --git a/mountd/rpc_srvsvc.c b/mountd/rpc_srvsvc.c index 450ccaf8b433..c1449623c083 100644 --- a/mountd/rpc_srvsvc.c +++ b/mountd/rpc_srvsvc.c @@ -82,10 +82,15 @@ static int __share_entry_rep_ctr1(struct ksmbd_dcerpc *dce, gpointer entry) dce->num_pointers++; ret = ndr_write_int32(dce, dce->num_pointers); /* ref pointer */ - ret |= ndr_write_int32(dce, __share_type(share)); + if (ret) + return ret; + + ret = ndr_write_int32(dce, __share_type(share)); + if (ret) + return ret; + dce->num_pointers++; - ret |= ndr_write_int32(dce, dce->num_pointers); /* ref pointer */ - return ret; + return ndr_write_int32(dce, dce->num_pointers); /* ref pointer */ } static int __share_entry_data_ctr0(struct ksmbd_dcerpc *dce, gpointer entry) @@ -101,8 +106,10 @@ static int __share_entry_data_ctr1(struct ksmbd_dcerpc *dce, gpointer entry) int ret; ret = ndr_write_vstring(dce, share->name); - ret |= ndr_write_vstring(dce, share->comment); - return ret; + if (ret) + return ret; + + return ndr_write_vstring(dce, share->comment); } static int __share_entry_null_rep_ctr0(struct ksmbd_dcerpc *dce, @@ -117,8 +124,15 @@ static int __share_entry_null_rep_ctr1(struct ksmbd_dcerpc *dce, int ret; ret = ndr_write_int32(dce, 0); /* ref pointer */ - ret |= ndr_write_int32(dce, 0); - ret |= ndr_write_int32(dce, 0); /* ref pointer */ + if (ret) + return ret; + + ret = ndr_write_int32(dce, 0); + if (ret) + return ret; + + ret = ndr_write_int32(dce, 0); /* ref pointer */ + return ret; } @@ -207,26 +221,35 @@ static int srvsvc_share_enum_all_return(struct ksmbd_rpc_pipe *pipe) struct ksmbd_dcerpc *dce = pipe->dce; int status = KSMBD_RPC_OK; - ndr_write_union_int32(dce, dce->si_req.level); + if (ndr_write_union_int32(dce, dce->si_req.level)) + return KSMBD_RPC_EBAD_DATA; status = ndr_write_array_of_structs(pipe); + if (status == KSMBD_RPC_EBAD_DATA) + return status; /* * [out] DWORD* TotalEntries * [out, unique] DWORD* ResumeHandle */ - ndr_write_int32(dce, pipe->num_processed); + if (ndr_write_int32(dce, pipe->num_processed)) + return KSMBD_RPC_EBAD_DATA; if (status == KSMBD_RPC_EMORE_DATA) { dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, 0x01); + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + if (ndr_write_int32(dce, 0x01)) + return KSMBD_RPC_EBAD_DATA; /* Have pending data, set RETURN_READY again */ dce->flags |= KSMBD_DCERPC_RETURN_READY; } else { dce->num_pointers++; - ndr_write_int32(dce, dce->num_pointers); - ndr_write_int32(dce, 0); + if (ndr_write_int32(dce, dce->num_pointers)) + return KSMBD_RPC_EBAD_DATA; + if (ndr_write_int32(dce, 0)) + return KSMBD_RPC_EBAD_DATA; } + return status; } @@ -234,7 +257,9 @@ static int srvsvc_share_get_info_return(struct ksmbd_rpc_pipe *pipe) { struct ksmbd_dcerpc *dce = pipe->dce; - ndr_write_union_int32(dce, dce->si_req.level); + if (ndr_write_union_int32(dce, dce->si_req.level)) + return KSMBD_RPC_EBAD_DATA; + if (pipe->num_entries) return __ndr_write_array_of_structs(pipe, pipe->num_entries); @@ -255,7 +280,8 @@ static int srvsvc_share_get_info_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EINVALID_LEVEL; } - dce->entry_rep(dce, NULL); + if (dce->entry_rep(dce, NULL)) + return KSMBD_RPC_EBAD_DATA; if (!rpc_restricted_context(dce->rpc_req)) return KSMBD_RPC_EINVALID_PARAMETER; @@ -385,10 +411,14 @@ static int srvsvc_share_info_return(struct ksmbd_rpc_pipe *pipe) /* * [out] DWORD Return value/code */ - ndr_write_int32(dce, status); - dcerpc_write_headers(dce, status); + if (ndr_write_int32(dce, status)) + return KSMBD_RPC_EBAD_DATA; + + if (dcerpc_write_headers(dce, status)) + return KSMBD_RPC_EBAD_DATA; dce->rpc_resp->payload_sz = dce->offset; + return KSMBD_RPC_OK; } diff --git a/mountd/rpc_wkssvc.c b/mountd/rpc_wkssvc.c index 207f0428169b..db32dbd11613 100644 --- a/mountd/rpc_wkssvc.c +++ b/mountd/rpc_wkssvc.c @@ -41,19 +41,30 @@ static int __netwksta_entry_rep_ctr100(struct ksmbd_dcerpc *dce, int ret = 0; /* srvsvc_PlatformId */ - ret |= ndr_write_int32(dce, WKSSVC_PLATFORM_ID_NT); + ret = ndr_write_int32(dce, WKSSVC_PLATFORM_ID_NT); + if (ret) + return ret; /* server_name */ dce->num_pointers++; - ret |= ndr_write_int32(dce, dce->num_pointers); /* ref pointer */ - dce->num_pointers++; + ret = ndr_write_int32(dce, dce->num_pointers); /* ref pointer */ + if (ret) + return ret; + /* domain_name */ - ret |= ndr_write_int32(dce, dce->num_pointers); /* ref pointer */ + dce->num_pointers++; + ret = ndr_write_int32(dce, dce->num_pointers); /* ref pointer */ + if (ret) + return ret; /* version_major */ - ret |= ndr_write_int32(dce, WKSSVC_VERSION_MAJOR); + ret = ndr_write_int32(dce, WKSSVC_VERSION_MAJOR); + if (ret) + return ret; + /* version_minor */ - ret |= ndr_write_int32(dce, WKSSVC_VERSION_MINOR); + ret = ndr_write_int32(dce, WKSSVC_VERSION_MINOR); + return ret; } @@ -65,16 +76,19 @@ static int __netwksta_entry_data_ctr100(struct ksmbd_dcerpc *dce, /* * Umm... Hmm... Huh... */ - ret |= ndr_write_vstring(dce, STR_VAL(dce->wi_req.server_name)); - ret |= ndr_write_vstring(dce, global_conf.work_group); - return ret; + ret = ndr_write_vstring(dce, STR_VAL(dce->wi_req.server_name)); + if (ret) + return ret; + + return ndr_write_vstring(dce, global_conf.work_group); } static int wkssvc_netwksta_get_info_return(struct ksmbd_rpc_pipe *pipe) { struct ksmbd_dcerpc *dce = pipe->dce; - ndr_write_union_int32(dce, dce->wi_req.level); + if (ndr_write_union_int32(dce, dce->wi_req.level)) + return KSMBD_RPC_EBAD_DATA; if (dce->wi_req.level != 100) { pr_err("Unsupported wksta info level (read): %d\n", @@ -83,8 +97,12 @@ static int wkssvc_netwksta_get_info_return(struct ksmbd_rpc_pipe *pipe) return KSMBD_RPC_EINVALID_LEVEL; } - dce->entry_rep(dce, NULL); - dce->entry_data(dce, NULL); + if (dce->entry_rep(dce, NULL)) + return KSMBD_RPC_EBAD_DATA; + + if (dce->entry_data(dce, NULL)) + return KSMBD_RPC_EBAD_DATA; + return KSMBD_RPC_OK; } @@ -123,8 +141,11 @@ static int wkssvc_netwksta_info_return(struct ksmbd_rpc_pipe *pipe) /* * [out] DWORD Return value/code */ - ndr_write_int32(dce, status); - dcerpc_write_headers(dce, status); + if (ndr_write_int32(dce, status)) + return KSMBD_RPC_EBAD_DATA; + + if (dcerpc_write_headers(dce, status)) + return KSMBD_RPC_EBAD_DATA; dce->rpc_resp->payload_sz = dce->offset; return KSMBD_RPC_OK; diff --git a/mountd/smbacl.c b/mountd/smbacl.c index b4f08777b164..2793f7625191 100644 --- a/mountd/smbacl.c +++ b/mountd/smbacl.c @@ -48,16 +48,26 @@ int smb_read_sid(struct ksmbd_dcerpc *dce, struct smb_sid *sid) return 0; } -void smb_write_sid(struct ksmbd_dcerpc *dce, const struct smb_sid *src) +int smb_write_sid(struct ksmbd_dcerpc *dce, const struct smb_sid *src) { int i; - ndr_write_int8(dce, src->revision); - ndr_write_int8(dce, src->num_subauth); - for (i = 0; i < NUM_AUTHS; ++i) - ndr_write_int8(dce, src->authority[i]); - for (i = 0; i < src->num_subauth; ++i) - ndr_write_int32(dce, src->sub_auth[i]); + if (ndr_write_int8(dce, src->revision)) + return -ENOMEM; + + if (ndr_write_int8(dce, src->num_subauth)) + return -ENOMEM; + + for (i = 0; i < NUM_AUTHS; ++i) { + if (ndr_write_int8(dce, src->authority[i])) + return -ENOMEM; + } + for (i = 0; i < src->num_subauth; ++i) { + if (ndr_write_int32(dce, src->sub_auth[i])) + return -ENOMEM; + } + + return 0; } void smb_copy_sid(struct smb_sid *dst, const struct smb_sid *src) @@ -191,38 +201,69 @@ static int smb_set_ace(struct ksmbd_dcerpc *dce, int access_req, int rid, struct smb_sid sid = {0}; memcpy(&sid, rsid, sizeof(struct smb_sid)); - ndr_write_int8(dce, ACCESS_ALLOWED); // ace type - ndr_write_int8(dce, 0); // ace flags + // ace type + if (ndr_write_int8(dce, ACCESS_ALLOWED)) + return -ENOMEM; + + // ace flags + if (ndr_write_int8(dce, 0)) + return -ENOMEM; + size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (sid.num_subauth * 4); if (rid) size += 4; - ndr_write_int16(dce, size); // ace size - ndr_write_int32(dce, access_req); // ace access required + + // ace size + if (ndr_write_int16(dce, size)) + return -ENOMEM; + + // ace access required + if (ndr_write_int32(dce, access_req)) + return -ENOMEM; + if (rid) sid.sub_auth[sid.num_subauth++] = rid; - smb_write_sid(dce, &sid); + + if (smb_write_sid(dce, &sid)) + return -ENOMEM; return size; } static int set_dacl(struct ksmbd_dcerpc *dce, int rid) { - int size = 0, i; + int size = 0, i, ret; struct smb_sid owner_domain; /* Other */ - size += smb_set_ace(dce, 0x0002035b, 0, &sid_everyone); + ret = smb_set_ace(dce, 0x0002035b, 0, &sid_everyone); + if (ret < 0) + return ret; + size += ret; + /* Local Group Administrators */ - size += smb_set_ace(dce, 0x000f07ff, 544, &sid_local_group); + ret = smb_set_ace(dce, 0x000f07ff, 544, &sid_local_group); + if (ret < 0) + return ret; + size += ret; + /* Local Group Account Operators */ - size += smb_set_ace(dce, 0x000f07ff, 548, &sid_local_group); + ret = smb_set_ace(dce, 0x000f07ff, 548, &sid_local_group); + if (ret < 0) + return ret; + size += ret; + /* Owner RID */ memcpy(&owner_domain, &sid_domain, sizeof(struct smb_sid)); for (i = 0; i < 3; ++i) { owner_domain.sub_auth[i + 1] = global_conf.gen_subauth[i]; owner_domain.num_subauth++; } - size += smb_set_ace(dce, 0x00020044, rid, &owner_domain); + + ret = smb_set_ace(dce, 0x00020044, rid, &owner_domain); + if (ret < 0) + return ret; + size += ret; return size; } @@ -233,33 +274,48 @@ int build_sec_desc(struct ksmbd_dcerpc *dce, __u32 *secdesclen, int rid) int acl_size; /* NT Security Descriptor : Revision */ - ndr_write_int16(dce, 1); + if (ndr_write_int16(dce, 1)) + return -ENOMEM; /* ACL Type */ - ndr_write_int16(dce, SELF_RELATIVE | DACL_PRESENT); + if (ndr_write_int16(dce, SELF_RELATIVE | DACL_PRESENT)) + return -ENOMEM; /* Offset to owner SID */ - ndr_write_int32(dce, 0); + if (ndr_write_int32(dce, 0)) + return -ENOMEM; + /* Offset to group SID */ - ndr_write_int32(dce, 0); + if (ndr_write_int32(dce, 0)) + return -ENOMEM; + /* Offset to SACL */ - ndr_write_int32(dce, 0); + if (ndr_write_int32(dce, 0)) + return -ENOMEM; + /* Offset to DACL */ - ndr_write_int32(dce, sizeof(struct smb_ntsd)); + if (ndr_write_int32(dce, sizeof(struct smb_ntsd))) + return -ENOMEM; /* DACL Revision */ - ndr_write_int16(dce, 2); + if (ndr_write_int16(dce, 2)) + return -ENOMEM; + acl_size_offset = dce->offset; dce->offset += 2; /* Number of ACEs */ - ndr_write_int32(dce, 4); + if (ndr_write_int32(dce, 4)) + return -ENOMEM; acl_size = set_dacl(dce, rid) + sizeof(struct smb_acl); + if (acl_size < 0) + return -ENOMEM; /* ACL Size */ l_offset = dce->offset; dce->offset = acl_size_offset; - ndr_write_int16(dce, acl_size); + if (ndr_write_int16(dce, acl_size)) + return -ENOMEM; dce->offset = l_offset; *secdesclen = sizeof(struct smb_ntsd) + acl_size; -- 2.25.1