CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml b/docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
new file mode 100644 (file)
index 0000000..408af50
--- /dev/null
+++ b/docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="client ipc max protocol"
+                 context="G"
+                 type="enum"
+                 function="_client_ipc_max_protocol"
+                 enumlist="enum_protocol"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>The value of the parameter (a string) is the highest
+    protocol level that will be supported for IPC$ connections as DCERPC transport.</para>
+
+    <para>Normally this option should not be set as the automatic
+    negotiation phase in the SMB protocol takes care of choosing
+    the appropriate protocol.</para>
+
+    <para>The value <constant>default</constant> refers to the latest
+    supported protocol, currently <constant>SMB3_11</constant>.</para>
+
+    <para>See <smbconfoption name="client max protocol"/> for a full list
+    of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2
+    are silently upgraded to NT1.</para>
+</description>
+
+<related>client ipc min protocol</related>
+<related>client min protocol</related>
+<related>client max protocol</related>
+
+<value type="default">default</value>
+<value type="example">SMB2_10</value>
+</samba:parameter>

diff --git a/docs-xml/smbdotconf/protocol/clientipcminprotocol.xml b/docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
new file mode 100644 (file)
index 0000000..fc04b78
--- /dev/null
+++ b/docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="client ipc min protocol"
+                 context="G"
+                 type="enum"
+                 function="_client_ipc_min_protocol"
+                 enumlist="enum_protocol"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>This setting controls the minimum protocol version that the
+       will be attempted to use for IPC$ connections as DCERPC transport.</para>
+
+       <para>Normally this option should not be set as the automatic
+       negotiation phase in the SMB protocol takes care of choosing
+       the appropriate protocol.</para>
+
+       <para>The value <constant>default</constant> refers to the higher value
+       of <constant>NT1</constant> and the effective value of
+       <smbconfoption name="client min protocol"/>.</para>
+
+       <para>See <smbconfoption name="client max protocol"/>  for a full list
+       of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2
+       are silently upgraded to NT1.</para>
+</description>
+
+<related>client ipc max protocol</related>
+<related>client min protocol</related>
+<related>client max protocol</related>
+<value type="default">default</value>
+<value type="example">SMB3_11</value>
+</samba:parameter>

diff --git a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
index 240ba1ac917be9a8068a539b755d817f8c54a361..0131331b876efd1bf6fa302ad547d8d9980ba94e 100644 (file)
--- a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
+++ b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
@@ -79,13 +79,16 @@
     negotiation phase in the SMB protocol takes care of choosing 
     the appropriate protocol.</para>
 
-    <para>The value <constant>default</constant> refers to the default protocol in each
-    part of the code, currently <constant>NT1</constant> in the client tools and
-    <constant>SMB3_02</constant> in winbindd.</para>
+    <para>The value <constant>default</constant> refers to <constant>NT1</constant>.</para>
+
+    <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+    <smbconfoption name="client ipc max protocol"/> option.</para>
 </description>
 
 <related>server max protocol</related>
 <related>client min protocol</related>
+<related>client ipc min protocol</related>
+<related>client ipc max protocol</related>
 
 <value type="default">default</value>
 <value type="example">LANMAN1</value>

diff --git a/docs-xml/smbdotconf/protocol/clientminprotocol.xml b/docs-xml/smbdotconf/protocol/clientminprotocol.xml
index ac0d460a2e4b22c2fcb08eae00a47634ca814643..fb8f87e4016afaa057b14cbf756d2925c46c874d 100644 (file)
--- a/docs-xml/smbdotconf/protocol/clientminprotocol.xml
+++ b/docs-xml/smbdotconf/protocol/clientminprotocol.xml
@@ -13,10 +13,16 @@
 
        <para>See <related>client max protocol</related> for a full list
        of available protocols.</para>
+
+       <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+       <smbconfoption name="client ipc min protocol"/> option.</para>
 </description>
 
 <related>client max protocol</related>
 <related>server min protocol</related>
+<related>client ipc min protocol</related>
+<related>client ipc max protocol</related>
+
 <value type="default">CORE</value>
 <value type="example">NT1</value>
 </samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 5c9f6a1114d286f038edff5b7c5e03b24956a5cf..6247f88c19df5135cdc72814f546635e4f6ed51b 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2614,6 +2614,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "server max protocol", "SMB3");
        lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE");
        lpcfg_do_global_parameter(lp_ctx, "client max protocol", "default");
+       lpcfg_do_global_parameter(lp_ctx, "client ipc min protocol", "default");
+       lpcfg_do_global_parameter(lp_ctx, "client ipc max protocol", "default");
        lpcfg_do_global_parameter(lp_ctx, "security", "AUTO");
        lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True");
        lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
@@ -3319,6 +3321,30 @@ int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx)
        return client_max_protocol;
 }
 
+int lpcfg_client_ipc_min_protocol(struct loadparm_context *lp_ctx)
+{
+       int client_ipc_min_protocol = lpcfg__client_ipc_min_protocol(lp_ctx);
+       if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
+               client_ipc_min_protocol = lpcfg_client_min_protocol(lp_ctx);
+       }
+       if (client_ipc_min_protocol < PROTOCOL_NT1) {
+               return PROTOCOL_NT1;
+       }
+       return client_ipc_min_protocol;
+}
+
+int lpcfg_client_ipc_max_protocol(struct loadparm_context *lp_ctx)
+{
+       int client_ipc_max_protocol = lpcfg__client_ipc_max_protocol(lp_ctx);
+       if (client_ipc_max_protocol == PROTOCOL_DEFAULT) {
+               return PROTOCOL_LATEST;
+       }
+       if (client_ipc_max_protocol < PROTOCOL_NT1) {
+               return PROTOCOL_NT1;
+       }
+       return client_ipc_max_protocol;
+}
+
 bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
 {
        bool allowed = true;

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 8cdbadfbb0d677bf1025db839487b6d5e5e17171..5b7ceaa9cd78373a454ca183d328f11cee9c311e 100644 (file)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -897,6 +897,8 @@ const char *lp_idmap_default_backend (void);
 int lp_security(void);
 int lp_client_max_protocol(void);
 int lp_winbindd_max_protocol(void);
+int lp_client_ipc_min_protocol(void);
+int lp_client_ipc_max_protocol(void);
 int lp_smb2_max_credits(void);
 int lp_cups_encrypt(void);
 bool lp_widelinks(int );

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 17cbaff577aea3448231c2310dac74484b8e28e9..bcd3322c77a7d704a6d7f01b5b71a0316aba9825 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -639,6 +639,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.server_min_protocol = PROTOCOL_LANMAN1;
        Globals._client_max_protocol = PROTOCOL_DEFAULT;
        Globals.client_min_protocol = PROTOCOL_CORE;
+       Globals._client_ipc_max_protocol = PROTOCOL_DEFAULT;
+       Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
        Globals._security = SEC_AUTO;
        Globals.encrypt_passwords = true;
        Globals.client_schannel = Auto;
@@ -4444,6 +4446,30 @@ int lp_winbindd_max_protocol(void)
        return client_max_protocol;
 }
 
+int lp_client_ipc_min_protocol(void)
+{
+       int client_ipc_min_protocol = lp__client_ipc_min_protocol();
+       if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
+               client_ipc_min_protocol = lp_client_min_protocol();
+       }
+       if (client_ipc_min_protocol < PROTOCOL_NT1) {
+               return PROTOCOL_NT1;
+       }
+       return client_ipc_min_protocol;
+}
+
+int lp_client_ipc_max_protocol(void)
+{
+       int client_ipc_max_protocol = lp__client_ipc_max_protocol();
+       if (client_ipc_max_protocol == PROTOCOL_DEFAULT) {
+               return PROTOCOL_LATEST;
+       }
+       if (client_ipc_max_protocol < PROTOCOL_NT1) {
+               return PROTOCOL_NT1;
+       }
+       return client_ipc_max_protocol;
+}
+
 struct loadparm_global * get_globals(void)
 {
        return &Globals;