amazing. the improvements to NT continue, evidence for which shows up
authorLuke Leighton <lkcl@samba.org>
Tue, 27 Oct 1998 15:03:47 +0000 (15:03 +0000)
committerLuke Leighton <lkcl@samba.org>
Tue, 27 Oct 1998 15:03:47 +0000 (15:03 +0000)
now as "RPC fault" if the UNIHDR structure lengths do not exactly
match up to the length of the data stream.

so, all versions of samba prior to this one have an off-by-one bug
in unicode string lengths.

all versions of NT prior to NT 5 beta 2 could possibly have buffer
problems when receiving badly formatted UNICODE strings.
(This used to be commit 161eb6f511e161b63c1fa90a08c562fcf208344a)

source3/rpc_client/cli_netlogon.c
source3/rpc_parse/parse_misc.c
source3/rpc_parse/parse_net.c
source3/rpc_parse/parse_samr.c
source3/rpc_parse/parse_srv.c
source3/rpc_server/srv_samr.c

index 721e26135915aa3119990bdbc8ffc1721f8368df..d75ad6947fc3080ff59f3f09912d2e72597067f7 100644 (file)
@@ -339,6 +339,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr,
              ctr->switch_value));
 
   memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds));
+       dummy_rtn_creds.timestamp.time = time(NULL);
 
   /* store the parameters */
   make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname,
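Review bot: The added `dummy_rtn_creds.timestamp.time = time(NULL);` stores a time_t into what looks like a 32-bit wire field, so on platforms with a 64-bit time_t the narrowing is implicit. Writing it as `dummy_rtn_creds.timestamp.time = (uint32)time(NULL);` makes the intent visible and keeps -Wconversion quiet, assuming `timestamp.time` really is uint32, which the hunk does not show. cli_net_sam_logon starts and ends outside the hunk.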
index 5144ef8c3118afd0e68bd57fe8ee3a8cf8e39767..4cb606688d4fb567241f937bf414dffc88b53ec0 100644 (file)
@@ -395,7 +395,7 @@ void make_buf_unistr2(UNISTR2 *str, uint32 *ptr, char *buf)
        if (buf != NULL)
        {
                *ptr = 1;
-               make_unistr2(str, buf, strlen(buf));
+               make_unistr2(str, buf, strlen(buf)+1);
        }
        else
        {
@@ -475,10 +475,10 @@ creates a UNISTR2 structure.
 ********************************************************************/
 void make_unistr2(UNISTR2 *str, char *buf, int len)
 {
-       /* set up string lengths. add one if string is not null-terminated */
-       str->uni_max_len = len+1;
+       /* set up string lengths. */
+       str->uni_max_len = len;
        str->undoc       = 0;
-       str->uni_str_len = len+1;
+       str->uni_str_len = len;
 
        /* store the string (null-terminated 8 bit chars into 16 bit chars) */
        struni2(str->buffer, buf);
@@ -608,7 +608,7 @@ static void make_clnt_srv(DOM_CLNT_SRV *log, char *logon_srv, char *comp_name)
        if (logon_srv != NULL)
        {
                log->undoc_buffer = 1;
-               make_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv));
+               make_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv)+1);
        }
        else
        {
@@ -618,7 +618,7 @@ static void make_clnt_srv(DOM_CLNT_SRV *log, char *logon_srv, char *comp_name)
        if (comp_name != NULL)
        {
                log->undoc_buffer2 = 1;
-               make_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name));
+               make_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name)+1);
        }
        else
        {
@@ -665,12 +665,12 @@ void make_log_info(DOM_LOG_INFO *log, char *logon_srv, char *acct_name,
 
        log->undoc_buffer = 1;
 
-       make_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv));
-       make_unistr2(&(log->uni_acct_name), acct_name, strlen(acct_name));
+       make_unistr2(&(log->uni_logon_srv), logon_srv, strlen(logon_srv)+1);
+       make_unistr2(&(log->uni_acct_name), acct_name, strlen(acct_name)+1);
 
        log->sec_chan = sec_chan;
 
-       make_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name));
+       make_unistr2(&(log->uni_comp_name), comp_name, strlen(comp_name)+1);
 }
 
 /*******************************************************************
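Review bot: make_unistr2 now stores `len` unchanged in both uni_max_len and uni_str_len, which means `len` must include the terminating NUL, yet the replacement comment only says "set up string lengths" and the convention is left for callers to guess from the `strlen(...)+1` changes elsewhere. I would state it at that line: `/* set up string lengths. len counts the terminating NUL: callers pass strlen(buf)+1 */`. The struni2 call on the last hunk line copies buf up to its own terminator without consulting `len`, so nothing in this function keeps either `len` or the copied data within `str->buffer`; if that buffer is a fixed-size array (UNISTR2 is embedded by value in every caller shown, which suggests it is), comparing `len` against the buffer's element count before the copy would close that gap. make_unistr2's closing brace is outside the hunk.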
index d99c4baac6e40edf300e496c25ac99a024721bba..57fc73e516ef5cf5149b5ce57f1c7fa630762e68 100644 (file)
@@ -116,7 +116,7 @@ static void make_netinfo_2(NETLOGON_INFO_2 *info, uint32 flags, uint32 pdc_statu
 
        if (trusted_dc_name != NULL)
        {
-               make_unistr2(&(info->uni_trusted_dc_name), trusted_dc_name, len_dc_name);
+               make_unistr2(&(info->uni_trusted_dc_name), trusted_dc_name, len_dc_name+1);
        }
        else
        {
@@ -294,7 +294,7 @@ void make_r_trust_dom(NET_R_TRUST_DOM_LIST *r_t,
                fstring domain_name;
                fstrcpy(domain_name, dom_name);
                strupper(domain_name);
-               make_unistr2(&(r_t->uni_trust_dom_name[i]), domain_name, strlen(domain_name));
+               make_unistr2(&(r_t->uni_trust_dom_name[i]), domain_name, strlen(domain_name)+1);
                /* the use of UNISTR2 here is non-standard. */
                r_t->uni_trust_dom_name[i].undoc = 0x1;
        }
@@ -354,8 +354,8 @@ void make_q_req_chal(NET_Q_REQ_CHAL *q_c,
 
        q_c->undoc_buffer = 1; /* don't know what this buffer is */
 
-       make_unistr2(&(q_c->uni_logon_srv ), logon_srv , strlen(logon_srv ));
-       make_unistr2(&(q_c->uni_logon_clnt), logon_clnt, strlen(logon_clnt));
+       make_unistr2(&(q_c->uni_logon_srv ), logon_srv , strlen(logon_srv )+1);
+       make_unistr2(&(q_c->uni_logon_clnt), logon_clnt, strlen(logon_clnt)+1);
 
        memcpy(q_c->clnt_chal.data, clnt_chal->data, sizeof(clnt_chal->data));
 
@@ -377,7 +377,7 @@ void net_io_q_req_chal(char *desc,  NET_Q_REQ_CHAL *q_c, prs_struct *ps, int dep
     
        prs_uint32("undoc_buffer", ps, depth, &(q_c->undoc_buffer));
 
-       smb_io_unistr2("", &(q_c->uni_logon_srv), True, ps, depth); /* logon server unicode string */
+       smb_io_unistr2("", &(q_c->uni_logon_srv ), True, ps, depth); /* logon server unicode string */
        smb_io_unistr2("", &(q_c->uni_logon_clnt), True, ps, depth); /* logon client unicode string */
 
        old_align = ps->align;
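Review bot: The `len_dc_name+1` passed on the changed make_netinfo_2 line assumes `len_dc_name` is the plain strlen of `trusted_dc_name`; it is computed before the hunk, so if it already accounts for the terminator or is a caller-supplied buffer length the wire length is off by one in the other direction. Worth checking against that computation, and a comment on the line such as `/* len_dc_name excludes the NUL; make_unistr2 expects it counted */` would pin the contract. The other changed calls in this file (make_r_trust_dom, make_q_req_chal) pass `strlen(...)+1` directly and match the new make_unistr2 convention; the net_io_q_req_chal hunk is whitespace only. make_netinfo_2 starts and ends outside its hunk.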
index f09af387e48bb326552b5537acc04ed337048363..ba6a8d355685eaa36a2cba9821d122ecb340b66a 100644 (file)
@@ -2694,7 +2694,7 @@ void make_samr_q_connect(SAMR_Q_CONNECT *q_u,
 
        /* make PDC server name \\server */
        q_u->ptr_srv_name = len_srv_name > 0 ? 1 : 0; 
-       make_unistr2(&(q_u->uni_srv_name), srv_name, len_srv_name);  
+       make_unistr2(&(q_u->uni_srv_name), srv_name, len_srv_name+1);  
 
        /* example values: 0x0000 0002 */
        q_u->unknown_0 = unknown_0; 
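Review bot: `len_srv_name+1` on the changed line is passed unconditionally, while `ptr_srv_name` on the line above is 0 whenever `len_srv_name` is 0; in that case the UNISTR2 carries a length of 1 (the terminator alone) with no pointer, unlike make_buf_unistr2 and make_clnt_srv in parse_misc.c, which only call make_unistr2 when a string is present. Mirroring the pointer test keeps the header and data consistent: `make_unistr2(&(q_u->uni_srv_name), srv_name, len_srv_name > 0 ? len_srv_name+1 : 0);` — assuming a zero length is what the else branches of those helpers produce, which is not visible here. make_samr_q_connect starts and ends outside the hunk.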
index 27b1ec2257fc711f6e8373402cd907483de8091d..adc4249072e2b9ab9737a5f14c4ce3e4a3af35c0 100644 (file)
@@ -1377,6 +1377,7 @@ static void srv_io_info_ctr(char *desc,  SRV_INFO_CTR *ctr, prs_struct *ps, int
                                break;
                        }
                }
+               prs_align(ps);
        }
 }
 
index 74d06d1bcae02901c17b248abb4157c1e3e2c727..034e4dd33657e25606361895bb33ad6eedc6cd4b 100644 (file)
@@ -418,7 +418,7 @@ static void samr_reply_enum_dom_groups(SAMR_Q_ENUM_DOM_GROUPS *q_u,
 
        got_grps = True;
        num_entries = 1;
-       make_unistr2(&(pass[0].uni_user_name), dummy_group, strlen(dummy_group));
+       make_unistr2(&(pass[0].uni_user_name), dummy_group, strlen(dummy_group)-1);
        pass[0].user_rid = DOMAIN_GROUP_RID_ADMINS;
 
        if (r_e.status == 0 && got_grps)
@@ -481,7 +481,7 @@ static void samr_reply_enum_dom_aliases(SAMR_Q_ENUM_DOM_ALIASES *q_u,
                char *name;
                while (num_entries < MAX_SAM_ENTRIES && ((name = builtin_alias_rids[num_entries].name) != NULL))
                {
-                       make_unistr2(&(pass[num_entries].uni_user_name), name, strlen(name));
+                       make_unistr2(&(pass[num_entries].uni_user_name), name, strlen(name)-1);
                        pass[num_entries].user_rid = builtin_alias_rids[num_entries].rid;
                        num_entries++;
                }
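Review bot: The two changed calls pass `strlen(dummy_group)-1` and `strlen(name)-1`, while every other caller updated in this commit passes `strlen(...)+1`; since make_unistr2 now stores `len` as given, uni_str_len here is one less than the character count and the final character is dropped from the wire string, even though struni2 still copies the whole string into the buffer. If SAM enumeration entries are meant to go out without a terminator the argument should be `strlen(dummy_group)` and `strlen(name)`; if they take a terminator like the other calls, it should be `+1`. Note also that `strlen(x)-1` is an unsigned size_t expression that wraps for an empty string before it is converted to the `int len` parameter. Both samr_reply_enum_dom_groups and samr_reply_enum_dom_aliases start and end outside their hunks.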