git.samba.org / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix denial of service - memory corruption.
[samba.git] / source3 / libads / cldap.c
diff --git a/source3/libads/cldap.c b/source3/libads/cldap.c
index c37220c9030a6669e427a9a54bb6eb9bac10cc05..ac4e2cb3012ee4f872ba6c459930007c7df623e5 100644 (file)
--- a/source3/libads/cldap.c
+++ b/source3/libads/cldap.c
@@ -9,12 +9,12 @@
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.  
 */
@@ -24,10 +24,10 @@
 /*
   do a cldap netlogon query
 */
-static int send_cldap_netlogon(int sock, const char *domain, 
+static int send_cldap_netlogon(TALLOC_CTX *mem_ctx, int sock, const char *domain,
                               const char *hostname, unsigned ntversion)
 {
-       ASN1_DATA data;
+       ASN1_DATA *data;
        char ntver[4];
 #ifdef CLDAP_USER_QUERY
        char aac[4];
@@ -36,84 +36,76 @@ static int send_cldap_netlogon(int sock, const char *domain,
 #endif
        SIVAL(ntver, 0, ntversion);
 
-       memset(&data, 0, sizeof(data));
+       data = asn1_init(mem_ctx);
+       if (data == NULL) {
+               return -1;
+       }
 
-       asn1_push_tag(&data,ASN1_SEQUENCE(0));
-       asn1_write_Integer(&data, 4);
-       asn1_push_tag(&data, ASN1_APPLICATION(3));
-       asn1_write_OctetString(&data, NULL, 0);
-       asn1_write_enumerated(&data, 0);
-       asn1_write_enumerated(&data, 0);
-       asn1_write_Integer(&data, 0);
-       asn1_write_Integer(&data, 0);
-       asn1_write_BOOLEAN2(&data, False);
-       asn1_push_tag(&data, ASN1_CONTEXT(0));
+       asn1_push_tag(data,ASN1_SEQUENCE(0));
+       asn1_write_Integer(data, 4);
+       asn1_push_tag(data, ASN1_APPLICATION(3));
+       asn1_write_OctetString(data, NULL, 0);
+       asn1_write_enumerated(data, 0);
+       asn1_write_enumerated(data, 0);
+       asn1_write_Integer(data, 0);
+       asn1_write_Integer(data, 0);
+       asn1_write_BOOLEAN(data, False);
+       asn1_push_tag(data, ASN1_CONTEXT(0));
 
        if (domain) {
-               asn1_push_tag(&data, ASN1_CONTEXT(3));
-               asn1_write_OctetString(&data, "DnsDomain", 9);
-               asn1_write_OctetString(&data, domain, strlen(domain));
-               asn1_pop_tag(&data);
+               asn1_push_tag(data, ASN1_CONTEXT(3));
+               asn1_write_OctetString(data, "DnsDomain", 9);
+               asn1_write_OctetString(data, domain, strlen(domain));
+               asn1_pop_tag(data);
        }
 
-       asn1_push_tag(&data, ASN1_CONTEXT(3));
-       asn1_write_OctetString(&data, "Host", 4);
-       asn1_write_OctetString(&data, hostname, strlen(hostname));
-       asn1_pop_tag(&data);
+       asn1_push_tag(data, ASN1_CONTEXT(3));
+       asn1_write_OctetString(data, "Host", 4);
+       asn1_write_OctetString(data, hostname, strlen(hostname));
+       asn1_pop_tag(data);
 
 #ifdef CLDAP_USER_QUERY
-       asn1_push_tag(&data, ASN1_CONTEXT(3));
-       asn1_write_OctetString(&data, "User", 4);
-       asn1_write_OctetString(&data, "SAMBA$", 6);
-       asn1_pop_tag(&data);
-
-       asn1_push_tag(&data, ASN1_CONTEXT(3));
-       asn1_write_OctetString(&data, "AAC", 4);
-       asn1_write_OctetString(&data, aac, 4);
-       asn1_pop_tag(&data);
+       asn1_push_tag(data, ASN1_CONTEXT(3));
+       asn1_write_OctetString(data, "User", 4);
+       asn1_write_OctetString(data, "SAMBA$", 6);
+       asn1_pop_tag(data);
+
+       asn1_push_tag(data, ASN1_CONTEXT(3));
+       asn1_write_OctetString(data, "AAC", 4);
+       asn1_write_OctetString(data, aac, 4);
+       asn1_pop_tag(data);
 #endif
 
-       asn1_push_tag(&data, ASN1_CONTEXT(3));
-       asn1_write_OctetString(&data, "NtVer", 5);
-       asn1_write_OctetString(&data, ntver, 4);
-       asn1_pop_tag(&data);
+       asn1_push_tag(data, ASN1_CONTEXT(3));
+       asn1_write_OctetString(data, "NtVer", 5);
+       asn1_write_OctetString(data, ntver, 4);
+       asn1_pop_tag(data);
 
-       asn1_pop_tag(&data);
+       asn1_pop_tag(data);
 
-       asn1_push_tag(&data,ASN1_SEQUENCE(0));
-       asn1_write_OctetString(&data, "NetLogon", 8);
-       asn1_pop_tag(&data);
-       asn1_pop_tag(&data);
-       asn1_pop_tag(&data);
+       asn1_push_tag(data,ASN1_SEQUENCE(0));
+       asn1_write_OctetString(data, "NetLogon", 8);
+       asn1_pop_tag(data);
+       asn1_pop_tag(data);
+       asn1_pop_tag(data);
 
-       if (data.has_error) {
-               DEBUG(2,("Failed to build cldap netlogon at offset %d\n", (int)data.ofs));
-               asn1_free(&data);
+       if (data->has_error) {
+               DEBUG(2,("Failed to build cldap netlogon at offset %d\n", (int)data->ofs));
+               asn1_free(data);
                return -1;
        }
 
-       if (write(sock, data.data, data.length) != (ssize_t)data.length) {
+       if (write(sock, data->data, data->length) != (ssize_t)data->length) {
                DEBUG(2,("failed to send cldap query (%s)\n", strerror(errno)));
-               asn1_free(&data);
+               asn1_free(data);
                return -1;
        }
 
-       asn1_free(&data);
+       asn1_free(data);
 
        return 0;
 }
 
-static SIG_ATOMIC_T gotalarm;
-                                                                                                                   
-/***************************************************************
- Signal function to tell us we timed out.
-****************************************************************/
-                                                                                                                   
-static void gotalarm_sig(void)
-{
-       gotalarm = 1;
-}
-                                                                                                                   
 /*
   receive a cldap netlogon reply
 */
@@ -123,17 +115,18 @@ static int recv_cldap_netlogon(TALLOC_CTX *mem_ctx,
                               struct netlogon_samlogon_response **reply)
 {
        int ret;
-       ASN1_DATA data;
+       ASN1_DATA *data;
        DATA_BLOB blob = data_blob_null;
        DATA_BLOB os1 = data_blob_null;
        DATA_BLOB os2 = data_blob_null;
        DATA_BLOB os3 = data_blob_null;
        int i1;
-       /* half the time of a regular ldap timeout, not less than 3 seconds. */
-       unsigned int al_secs = MAX(3,lp_ldap_timeout()/2);
        struct netlogon_samlogon_response *r = NULL;
        NTSTATUS status;
 
+       fd_set r_fds;
+       struct timeval timeout;
+
        blob = data_blob(NULL, 8192);
        if (blob.data == NULL) {
                DEBUG(1, ("data_blob failed\n"));
@@ -141,47 +134,74 @@ static int recv_cldap_netlogon(TALLOC_CTX *mem_ctx,
                return -1;
        }
 
-       /* Setup timeout */
-       gotalarm = 0;
-       CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
-       alarm(al_secs);
-       /* End setup timeout. */
-       ret = read(sock, blob.data, blob.length);
+       if (sock < 0 || sock >= FD_SETSIZE) {
+               errno = EBADF;
+               return -1;
+       }
+
+       FD_ZERO(&r_fds);
+       FD_SET(sock, &r_fds);
+
+       /*
+        * half the time of a regular ldap timeout, not less than 3 seconds.
+        */
+       timeout.tv_sec = MAX(3,lp_ldap_timeout()/2);
+       timeout.tv_usec = 0;
+
+       ret = sys_select(sock+1, &r_fds, NULL, NULL, &timeout);
+       if (ret == -1) {
+               DEBUG(10, ("select failed: %s\n", strerror(errno)));
+               data_blob_free(&blob);
+               return -1;
+       }
 
-       /* Teardown timeout. */
-       CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
-       alarm(0);
+       if (ret == 0) {
+               DEBUG(1,("no reply received to cldap netlogon "
+                       "(select timeout %u sec)\n",
+                       (unsigned int)timeout.tv_sec));
+               data_blob_free(&blob);
+               return -1;
+       }
 
+       ret = read(sock, blob.data, blob.length);
        if (ret <= 0) {
-               DEBUG(1,("no reply received to cldap netlogon\n"));
+               DEBUG(1,("no reply received to cldap netlogon "
+                       "(ret = %d: Error = %s)\n",
+                       ret,
+                       ret == -1 ? strerror(errno) : "" ));
                data_blob_free(&blob);
                return -1;
        }
        blob.length = ret;
 
-       asn1_load(&data, blob);
-       asn1_start_tag(&data, ASN1_SEQUENCE(0));
-       asn1_read_Integer(&data, &i1);
-       asn1_start_tag(&data, ASN1_APPLICATION(4));
-       asn1_read_OctetString(&data, &os1);
-       asn1_start_tag(&data, ASN1_SEQUENCE(0));
-       asn1_start_tag(&data, ASN1_SEQUENCE(0));
-       asn1_read_OctetString(&data, &os2);
-       asn1_start_tag(&data, ASN1_SET);
-       asn1_read_OctetString(&data, &os3);
-       asn1_end_tag(&data);
-       asn1_end_tag(&data);
-       asn1_end_tag(&data);
-       asn1_end_tag(&data);
-       asn1_end_tag(&data);
-
-       if (data.has_error) {
+       data = asn1_init(mem_ctx);
+       if (data == NULL) {
+               data_blob_free(&blob);
+               return -1;
+       }
+
+       asn1_load(data, blob);
+       asn1_start_tag(data, ASN1_SEQUENCE(0));
+       asn1_read_Integer(data, &i1);
+       asn1_start_tag(data, ASN1_APPLICATION(4));
+       asn1_read_OctetString(data, NULL, &os1);
+       asn1_start_tag(data, ASN1_SEQUENCE(0));
+       asn1_start_tag(data, ASN1_SEQUENCE(0));
+       asn1_read_OctetString(data, NULL, &os2);
+       asn1_start_tag(data, ASN1_SET);
+       asn1_read_OctetString(data, NULL, &os3);
+       asn1_end_tag(data);
+       asn1_end_tag(data);
+       asn1_end_tag(data);
+       asn1_end_tag(data);
+       asn1_end_tag(data);
+
+       if (data->has_error) {
                data_blob_free(&blob);
                data_blob_free(&os1);
                data_blob_free(&os2);
                data_blob_free(&os3);
-               asn1_free(&data);
+               asn1_free(data);
                DEBUG(1,("Failed to parse cldap reply\n"));
                return -1;
        }
@@ -193,6 +213,7 @@ static int recv_cldap_netlogon(TALLOC_CTX *mem_ctx,
                data_blob_free(&os2);
                data_blob_free(&os3);
                data_blob_free(&blob);
+               asn1_free(data);
                return -1;
        }
 
@@ -202,6 +223,7 @@ static int recv_cldap_netlogon(TALLOC_CTX *mem_ctx,
                data_blob_free(&os2);
                data_blob_free(&os3);
                data_blob_free(&blob);
+               asn1_free(data);
                TALLOC_FREE(r);
                return -1;
        }
@@ -212,8 +234,8 @@ static int recv_cldap_netlogon(TALLOC_CTX *mem_ctx,
        data_blob_free(&os2);
        data_blob_free(&os3);
        data_blob_free(&blob);
-       
-       asn1_free(&data);
+
+       asn1_free(data);
 
        if (reply) {
                *reply = r;
@@ -239,12 +261,14 @@ bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
 
        sock = open_udp_socket(server, LDAP_PORT );
        if (sock == -1) {
-               DEBUG(2,("ads_cldap_netlogon: Failed to open udp socket to %s\n", 
-                        server));
+               DEBUG(2,("ads_cldap_netlogon: Failed to open udp socket to %s. "
+                       "Error %s\n",
+                       server,
+                       strerror(errno) ));
                return False;
        }
 
-       ret = send_cldap_netlogon(sock, realm, global_myname(), nt_version);
+       ret = send_cldap_netlogon(mem_ctx, sock, realm, global_myname(), nt_version);
        if (ret != 0) {
                close(sock);
                return False;
Samba Shared Repository