$OpenBSD: patch-source3_smbd_lanman_c,v 1.3 2014/06/26 11:43:54 sthen Exp $

- DCE-RPC fragment length field is incorrectly checked.
  CVE-2013-4408
- Password lockout not enforced for SAMR password changes.
  CVE-2013-4496
- CVE-2014-0244 (Denial of service - CPU loop)
- CVE-2014-3493 (Denial of service - Server crash/memory corruption).

--- source3/smbd/lanman.c.orig	Wed May  8 18:16:26 2013
+++ source3/smbd/lanman.c	Wed Jun 25 15:01:30 2014
@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
 		return 0;
 	}
 	l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
-	if (l == -1) {
+	if (l == 0) {
 		return 0;
 	}
 	(*dst) += l;
@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *
 		return 0;
 	}
 	l = push_ascii(*dst,src,*n, STR_TERMINATE);
-	if (l == -1) {
+	if (l == 0) {
 		return 0;
 	}
 	(*dst) += l;
@@ -2628,6 +2628,14 @@ static bool api_NetUserGetGroups(struct smbd_server_co
 			  nt_errstr(result)));
 		goto close_domain;
 	}
+	if (rid.count != 1) {
+		status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+		goto close_domain;
+	}
+	if (type.count != 1) {
+		status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+		goto close_domain;
+	}
 
 	if (type.ids[0] != SID_NAME_USER) {
 		DEBUG(10, ("%s is a %s, not a user\n", UserName,
@@ -2939,259 +2947,6 @@ static bool api_NetRemoteTOD(struct smbd_server_connec
 }
 
 /****************************************************************************
- Set the user password.
-*****************************************************************************/
-
-static bool api_SetUserPassword(struct smbd_server_connection *sconn,
-				connection_struct *conn,uint16 vuid,
-				char *param, int tpscnt,
-				char *data, int tdscnt,
-				int mdrcnt,int mprcnt,
-				char **rdata,char **rparam,
-				int *rdata_len,int *rparam_len)
-{
-	char *np = get_safe_str_ptr(param,tpscnt,param,2);
-	char *p = NULL;
-	fstring user;
-	fstring pass1,pass2;
-	TALLOC_CTX *mem_ctx = talloc_tos();
-	NTSTATUS status, result;
-	struct rpc_pipe_client *cli = NULL;
-	struct policy_handle connect_handle, domain_handle, user_handle;
-	struct lsa_String domain_name;
-	struct dom_sid2 *domain_sid;
-	struct lsa_String names;
-	struct samr_Ids rids;
-	struct samr_Ids types;
-	struct samr_Password old_lm_hash;
-	struct samr_Password new_lm_hash;
-	int errcode = NERR_badpass;
-	uint32_t rid;
-	int encrypted;
-	int min_pwd_length;
-	struct dcerpc_binding_handle *b = NULL;
-
-	/* Skip 2 strings. */
-	p = skip_string(param,tpscnt,np);
-	p = skip_string(param,tpscnt,p);
-
-	if (!np || !p) {
-		return False;
-	}
-
-	/* Do we have a string ? */
-	if (skip_string(param,tpscnt,p) == NULL) {
-		return False;
-	}
-	pull_ascii_fstring(user,p);
-
-	p = skip_string(param,tpscnt,p);
-	if (!p) {
-		return False;
-	}
-
-	memset(pass1,'\0',sizeof(pass1));
-	memset(pass2,'\0',sizeof(pass2));
-	/*
-	 * We use 31 here not 32 as we're checking
-	 * the last byte we want to access is safe.
-	 */
-	if (!is_offset_safe(param,tpscnt,p,31)) {
-		return False;
-	}
-	memcpy(pass1,p,16);
-	memcpy(pass2,p+16,16);
-
-	encrypted = get_safe_SVAL(param,tpscnt,p+32,0,-1);
-	if (encrypted == -1) {
-		errcode = W_ERROR_V(WERR_INVALID_PARAM);
-		goto out;
-	}
-
-	min_pwd_length = get_safe_SVAL(param,tpscnt,p+34,0,-1);
-	if (min_pwd_length == -1) {
-		errcode = W_ERROR_V(WERR_INVALID_PARAM);
-		goto out;
-	}
-
-	*rparam_len = 4;
-	*rparam = smb_realloc_limit(*rparam,*rparam_len);
-	if (!*rparam) {
-		return False;
-	}
-
-	*rdata_len = 0;
-
-	DEBUG(3,("Set password for <%s> (encrypted: %d, min_pwd_length: %d)\n",
-		user, encrypted, min_pwd_length));
-
-	ZERO_STRUCT(connect_handle);
-	ZERO_STRUCT(domain_handle);
-	ZERO_STRUCT(user_handle);
-
-	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
-					conn->session_info,
-					&conn->sconn->client_id,
-					conn->sconn->msg_ctx,
-					&cli);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("api_SetUserPassword: could not connect to samr: %s\n",
-			  nt_errstr(status)));
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-
-	b = cli->binding_handle;
-
-	status = dcerpc_samr_Connect2(b, mem_ctx,
-				      global_myname(),
-				      SAMR_ACCESS_CONNECT_TO_SERVER |
-				      SAMR_ACCESS_ENUM_DOMAINS |
-				      SAMR_ACCESS_LOOKUP_DOMAIN,
-				      &connect_handle,
-				      &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	init_lsa_String(&domain_name, get_global_sam_name());
-
-	status = dcerpc_samr_LookupDomain(b, mem_ctx,
-					  &connect_handle,
-					  &domain_name,
-					  &domain_sid,
-					  &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	status = dcerpc_samr_OpenDomain(b, mem_ctx,
-					&connect_handle,
-					SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
-					domain_sid,
-					&domain_handle,
-					&result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	init_lsa_String(&names, user);
-
-	status = dcerpc_samr_LookupNames(b, mem_ctx,
-					 &domain_handle,
-					 1,
-					 &names,
-					 &rids,
-					 &types,
-					 &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	if (rids.count != 1) {
-		errcode = W_ERROR_V(WERR_NO_SUCH_USER);
-		goto out;
-	}
-	if (rids.count != types.count) {
-		errcode = W_ERROR_V(WERR_INVALID_PARAM);
-		goto out;
-	}
-	if (types.ids[0] != SID_NAME_USER) {
-		errcode = W_ERROR_V(WERR_INVALID_PARAM);
-		goto out;
-	}
-
-	rid = rids.ids[0];
-
-	status = dcerpc_samr_OpenUser(b, mem_ctx,
-				      &domain_handle,
-				      SAMR_USER_ACCESS_CHANGE_PASSWORD,
-				      rid,
-				      &user_handle,
-				      &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	if (encrypted == 0) {
-		E_deshash(pass1, old_lm_hash.hash);
-		E_deshash(pass2, new_lm_hash.hash);
-	} else {
-		ZERO_STRUCT(old_lm_hash);
-		ZERO_STRUCT(new_lm_hash);
-		memcpy(old_lm_hash.hash, pass1, MIN(strlen(pass1), 16));
-		memcpy(new_lm_hash.hash, pass1, MIN(strlen(pass2), 16));
-	}
-
-	status = dcerpc_samr_ChangePasswordUser(b, mem_ctx,
-						&user_handle,
-						true, /* lm_present */
-						&old_lm_hash,
-						&new_lm_hash,
-						false, /* nt_present */
-						NULL, /* old_nt_crypted */
-						NULL, /* new_nt_crypted */
-						false, /* cross1_present */
-						NULL, /* nt_cross */
-						false, /* cross2_present */
-						NULL, /* lm_cross */
-						&result);
-	if (!NT_STATUS_IS_OK(status)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(status));
-		goto out;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		errcode = W_ERROR_V(ntstatus_to_werror(result));
-		goto out;
-	}
-
-	errcode = NERR_Success;
- out:
-
-	if (b && is_valid_policy_hnd(&user_handle)) {
-		dcerpc_samr_Close(b, mem_ctx, &user_handle, &result);
-	}
-	if (b && is_valid_policy_hnd(&domain_handle)) {
-		dcerpc_samr_Close(b, mem_ctx, &domain_handle, &result);
-	}
-	if (b && is_valid_policy_hnd(&connect_handle)) {
-		dcerpc_samr_Close(b, mem_ctx, &connect_handle, &result);
-	}
-
-	memset((char *)pass1,'\0',sizeof(fstring));
-	memset((char *)pass2,'\0',sizeof(fstring));
-
-	SSVAL(*rparam,0,errcode);
-	SSVAL(*rparam,2,0);		/* converter word */
-	return(True);
-}
-
-/****************************************************************************
   Set the user password (SamOEM version - gets plaintext).
 ****************************************************************************/
 
@@ -5782,7 +5537,6 @@ static const struct {
 	{"NetServerEnum2",	RAP_NetServerEnum2,	api_RNetServerEnum2}, /* anon OK */
 	{"NetServerEnum3",	RAP_NetServerEnum3,	api_RNetServerEnum3}, /* anon OK */
 	{"WAccessGetUserPerms",RAP_WAccessGetUserPerms,api_WAccessGetUserPerms},
-	{"SetUserPassword",	RAP_WUserPasswordSet2,	api_SetUserPassword},
 	{"WWkstaUserLogon",	RAP_WWkstaUserLogon,	api_WWkstaUserLogon},
 	{"PrintJobInfo",	RAP_WPrintJobSetInfo,	api_PrintJobInfo},
 	{"WPrintDriverEnum",	RAP_WPrintDriverEnum,	api_WPrintDriverEnum},
