[Samba4][Patch]: padding dcerpc faults packets

by Julien Kerihuel

Hi List,

I've noticed a difference between dcerpc faults sent from a real
Exchange server and dcerpc_server in Samba4.

Samba4 (after calculation) sends the dcerpc fault with a fraglen set to
28 bytes - which is the correct size - while Exchange appends 4 padding
bytes set to 0 and set the fraglen to 32 bytes. I can send some captures
if needed.

This difference matters when Outlook connects to an Exchange server and
requests an unsupported operation. If for example we connect Outlook
2003 to Exchange 2000:

        1. Outlook 2003 first tries to connect using EcDoConnectEx (0xa),
           but Exchange 2000 doesn't support this operation.

        2. Exchange 2000 sends a dcerpc fault with
           dcerpc_fault_op_rng_error.

        3. Outlook 2003 tries to use EcDoConnect (0x0) instead and the
           "real communication" starts.

The main problem is:

        * If these 4 bytes are present, then Outlook retrogrades its
          protocol version, calls EcDoConnect and everything is fine.

        * If these 4 bytes are missing, then Outlook unexpectedly ends
          the connection (FIN/ACK), then binds on the emsmdb server and
          repeats the same operation over and over until Outlook stops and
          displays an error message box.

The attached patch adds a uint32_t padding field to the
dcesrv_call_state structure and, if this field is set, reallocates the
fault blob with the specified number of padding bytes.

The scope of this patch is limited to dcesrv_fault -- it doesn't seem to
occur with real RPC operations.

It is quite weird, but it makes Outlook happy ...

Cheers,
Julien.

--
Julien Kerihuel
j.kerihuel@...
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79


[dcerpc_server_padding_bytes.diff]

diff --git a/source/rpc_server/dcerpc_server.c b/source/rpc_server/dcerpc_server.c
index beb795e..3fd3e54 100644
--- a/source/rpc_server/dcerpc_server.c
+++ b/source/rpc_server/dcerpc_server.c
@@ -468,6 +468,17 @@ static NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code
  if (!NT_STATUS_IS_OK(status)) {
  return status;
  }
+
+ if (call->padding) {
+ rep->blob.data = talloc_realloc((TALLOC_CTX *)call,
+ rep->blob.data, uint8_t,
+ rep->blob.length + call->padding);
+ if (!rep->blob.data) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ memset(&rep->blob.data[rep->blob.length], call->padding, 0);
+ rep->blob.length += call->padding;
+ }
 
  dcerpc_set_frag_length(&rep->blob, rep->blob.length);
 
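Review bot: the memset in the new block has its arguments in the wrong order. memset(&rep->blob.data[rep->blob.length], call->padding, 0) passes call->padding as the fill value and 0 as the count, so it writes nothing; talloc_realloc does not zero the newly grown region, so the extra bytes sent on the wire are uninitialised heap contents rather than the four zero bytes Exchange sends. It should be memset(&rep->blob.data[rep->blob.length], 0, call->padding). Since dcerpc_set_frag_length stores the total into the 16-bit frag_length header field, consider also rejecting a call->padding value that would push rep->blob.length past what that field can hold.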
diff --git a/source/rpc_server/dcerpc_server.h b/source/rpc_server/dcerpc_server.h
index 058dfe3..8a5ff55 100644
--- a/source/rpc_server/dcerpc_server.h
+++ b/source/rpc_server/dcerpc_server.h
@@ -128,6 +128,9 @@ struct dcesrv_call_state {
 
  /* this is used by the boilerplate code to generate DCERPC faults */
  uint32_t fault_code;
+
+ /* this is used to add custom padding bytes to replies */
+ uint32_t padding;
 };
 
 #define DCESRV_HANDLE_ANY 255
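Review bot: nothing in this patch assigns the new padding member, so dcesrv_fault only ever pads if some caller elsewhere sets call->padding, and that caller is not part of the diff; either include it or state in the comment that the field defaults to 0 because the call state is zero-allocated. The comment should also give the unit (number of zero bytes appended) and say that only fault replies are affected, since "replies" suggests every reply while dcesrv_fault is the only user of the field.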


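The padding step the patch performs, written out as an added standalone C example that is not Samba's code: it appends the requested zero bytes (with memset in its dest, value, count order) and rewrites frag_length in the byte order the PDU's own drep field declares. The 28-byte fault PDU is constructed here to match the size discussed above; the body layout after the 16-byte header and the fault status value are assumptions for the sample.

```c
/* Added example (not Samba code): pad a DCE/RPC fault PDU and fix frag_length. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DCERPC_DREP_OFFSET      4   /* data representation; 0x10 = little-endian ints */
#define DCERPC_FRAG_LEN_OFFSET  8   /* uint16 frag_length in the common header */

struct blob { uint8_t *data; size_t length; };

/* Store frag_length in the byte order the PDU's own drep field declares. */
static void set_frag_length(struct blob *b, uint16_t len)
{
    uint8_t *p = b->data + DCERPC_FRAG_LEN_OFFSET;
    if (b->data[DCERPC_DREP_OFFSET] & 0x10) {
        p[0] = (uint8_t)(len & 0xff); p[1] = (uint8_t)(len >> 8);
    } else {
        p[0] = (uint8_t)(len >> 8);   p[1] = (uint8_t)(len & 0xff);
    }
}

/* Grow the blob by `padding` zero bytes; returns 0 on success, -1 on failure. */
int pad_fault_pdu(struct blob *b, uint32_t padding)
{
    if (padding == 0) return 0;
    if (b->length + padding > UINT16_MAX) return -1;  /* frag_length cannot hold it */
    uint8_t *p = realloc(b->data, b->length + padding);
    if (p == NULL) return -1;
    memset(p + b->length, 0, padding);  /* memset(dest, value, count): zero the new tail */
    b->data = p;
    b->length += padding;
    set_frag_length(b, (uint16_t)b->length);
    return 0;
}

/* Constructed 28-byte fault PDU: 16-byte header (version 5.0, type 3 = fault,
 * first|last flags, little-endian drep, frag_length 28, call_id 1) followed by an
 * assumed body: alloc_hint, context_id, cancel_count, pad, status 0x1c010002. */
int build_sample_fault(struct blob *b)
{
    static const uint8_t pdu[28] = {
        0x05,0x00,0x03,0x03, 0x10,0x00,0x00,0x00, 0x1c,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x02,0x00,0x01,0x1c };
    b->data = malloc(sizeof pdu);
    if (b->data == NULL) return -1;
    memcpy(b->data, pdu, sizeof pdu);
    b->length = sizeof pdu;
    return 0;
}
```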