samba - Apr 2020 - pad length mismatch error message

Hi Andrew,
> Thanks for reporting this. Firstly, don't worry about 'attr'
packages
> or how Bind9 or DNS is configured etc, this is an error in our core RPC
> server, and not something that is able to be configured (neither at
> build nor runtime).
> 
> A client, and we don't include enough information in the message as to
> which, so you will need to turn up the log level, is sending an RPC
> packet that we don't like the end of.  
> 
> In particular, we expected 44 bytes of authentication trailer (the
> authentication data in RPC is not in a header, but a trailer at the end
> of the packet), probably enough to contain the signature for the
> packet, but the client sent nothing. 
> 
> We need to work out why that was, and if it matters.  
> 
Thanks for the clarification and explanation what's causing this in general.
I will keep monitoring and looking for the client to replicate it.

> Once you work out what client is changing this, then send me a network
> capture and matching Samba log (use "debug hires timestamp =
Yes", "log
> level = 4") and I'll add it to my backlog to look into.  If you
are
> able to trigger it on demand, and have time, please do confirm if this
> is Samba 4.12 regression by trying Samba 4.11.
We have updated to Samba 4.12. last friday and I checked the old logs before
that.
The error message also appeared with Samba 4.11, which we had before.

Best regards
Daniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6098 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200423/659c06e1/smime.bin>

Hi Andrew,
> Once you work out what client is changing this, then send me a network
> capture and matching Samba log (use "debug hires timestamp =
Yes", "log
> level = 4") and I'll add it to my backlog to look into.
I think I was able to identify and reproduce the occurrence of the error
message:

1. You have a new Windows 10 client
2. The computer MUST NOT be in the computer list in the AC-DC
3. You join the Windows client to the domain and reboot
4. About when the login screen appears on the Windows client, the error message
pops up.

If the computer is already listed in the AD-DC, you can remove and rejoin the
Windows Client as much as you want without the error.
And if the computer object is new, it also only happens I would say 4 out of 5
times.

I was able to record the logs with your suggested loglevel and a corresponding
tcpdump. I will send it to you separately, maybe it helps.

Since everything else is working fine (join, login etc) this is definitely not a
critical issue IMHO.

Thanks so far and best regards
Daniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6098 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200423/58f823b1/smime.bin>

On Thu, 2020-04-23 at 12:28 +0200, von Obernitz, Daniel via samba
wrote:
> Hi Andrew,
> 
> > Once you work out what client is changing this, then send me a
> > network
> > capture and matching Samba log (use "debug hires timestamp =
Yes",
> > "log
> > level = 4") and I'll add it to my backlog to look into.
> 
> I think I was able to identify and reproduce the occurrence of the
> error message:
> 
> 1. You have a new Windows 10 client
> 2. The computer MUST NOT be in the computer list in the AC-DC
> 3. You join the Windows client to the domain and reboot
> 4. About when the login screen appears on the Windows client, the
> error message pops up.
> 
> If the computer is already listed in the AD-DC, you can remove and
> rejoin the Windows Client as much as you want without the error.
> And if the computer object is new, it also only happens I would say 4
> out of 5 times.
> 
> I was able to record the logs with your suggested loglevel and a
> corresponding tcpdump. I will send it to you separately, maybe it
> helps.
> 
> Since everything else is working fine (join, login etc) this is
> definitely not a critical issue IMHO.
The code in question goes back to the 'BadLock' patches in 2016.  I
think this is probably a strange codepath on the windows client. 

I'm going to at least propose a patch to make the messages provide some
more info for the next person who needs to look at this.

The only thing that makes sense is that the difference - 44, is the
length of a single ctx_list in:
dcerpc_bind {
 ...
 dcerpc_ctx_list ctx_list[num_contexts];
 ...
}

The client is sending 3 items in ctx_list, but only putting 2 in the
header, so we don't look for the last 44 bytes.  Rather than just look
from the end for the authentication trailer, we assert that everything
must add up. 

If we didn't fail here, we would fail trying to parse the SPNEGO.  We
use the NDR_REMAINING flag for the authentication trailer so we just
dump everything left in the packet into that.

I've redacted the the sensitive parts (the actual SPNEGO exchange) and
included the ndrdump output to illustrate. 

Finally, I have a patch that should at least make the calculations
clearer, see attached. 

I've filed https://bugzilla.samba.org/show_bug.cgi?id=14356

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba


-------------- next part --------------
pull returned Success
    ncacn_packet: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_BIND (11)
        pfc_flags                : 0x07 (7)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               1: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0852 (2130)
        auth_length              : 0x07aa (1962)
        call_id                  : 0x00000002 (2)
        u                        : union dcerpc_payload(case 11)
        bind: struct dcerpc_bind
            max_xmit_frag            : 0x16d0 (5840)
            max_recv_frag            : 0x16d0 (5840)
            assoc_group_id           : 0x00001b31 (6961)
            num_contexts             : 0x02 (2)
            ctx_list: ARRAY(2)
                ctx_list: struct dcerpc_ctx_list
                    context_id               : 0x0000 (0)
                    num_transfer_syntaxes    : 0x01 (1)
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     :
e3514235-4b06-11d1-ab04-00c04fc2dcd2
                        if_version               : 0x00000004 (4)
                    transfer_syntaxes: ARRAY(1)
                        transfer_syntaxes: struct ndr_syntax_id
                            uuid                     :
8a885d04-1ceb-11c9-9fe8-08002b104860
                            if_version               : 0x00000002 (2)
                ctx_list: struct dcerpc_ctx_list
                    context_id               : 0x0001 (1)
                    num_transfer_syntaxes    : 0x01 (1)
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     :
e3514235-4b06-11d1-ab04-00c04fc2dcd2
                        if_version               : 0x00000004 (4)
                    transfer_syntaxes: ARRAY(1)
                        transfer_syntaxes: struct ndr_syntax_id
                            uuid                     :
71710533-beba-4937-8319-b5dbef9ccc36
                            if_version               : 0x00000001 (1)
            auth_info                : DATA_BLOB length=2014
[0000] 02 00 01 00 35 42 51 E3   06 4B D1 11 AB 04 00 C0   ....5BQ. .K......
[0010] 4F C2 DC D2 04 00 00 00   2C 1C B7 6C 12 98 40 45   O....... ,..l.. at E
[0020] 03 00 00 00 00 00 00 00   01 00 00 00 09 06 00 00   ........ ........
[0030] 00 00 00 00 
-------------- next part --------------
pull returned Success
    ncacn_packet: struct ncacn_packet
        rpc_vers                 : 0x05 (5)
        rpc_vers_minor           : 0x00 (0)
        ptype                    : DCERPC_PKT_BIND (11)
        pfc_flags                : 0x07 (7)
               1: DCERPC_PFC_FLAG_FIRST    
               1: DCERPC_PFC_FLAG_LAST     
               1: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
               0: DCERPC_PFC_FLAG_CONC_MPX 
               0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
               0: DCERPC_PFC_FLAG_MAYBE    
               0: DCERPC_PFC_FLAG_OBJECT_UUID
        drep: ARRAY(4)
            [0]                      : 0x10 (16)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
            [3]                      : 0x00 (0)
        frag_length              : 0x0809 (2057)
        auth_length              : 0x0761 (1889)
        call_id                  : 0x00000003 (3)
        u                        : union dcerpc_payload(case 11)
        bind: struct dcerpc_bind
            max_xmit_frag            : 0x16d0 (5840)
            max_recv_frag            : 0x16d0 (5840)
            assoc_group_id           : 0x00000000 (0)
            num_contexts             : 0x03 (3)
            ctx_list: ARRAY(3)
                ctx_list: struct dcerpc_ctx_list
                    context_id               : 0x0000 (0)
                    num_transfer_syntaxes    : 0x01 (1)
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     :
e3514235-4b06-11d1-ab04-00c04fc2dcd2
                        if_version               : 0x00000004 (4)
                    transfer_syntaxes: ARRAY(1)
                        transfer_syntaxes: struct ndr_syntax_id
                            uuid                     :
8a885d04-1ceb-11c9-9fe8-08002b104860
                            if_version               : 0x00000002 (2)
                ctx_list: struct dcerpc_ctx_list
                    context_id               : 0x0001 (1)
                    num_transfer_syntaxes    : 0x01 (1)
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     :
e3514235-4b06-11d1-ab04-00c04fc2dcd2
                        if_version               : 0x00000004 (4)
                    transfer_syntaxes: ARRAY(1)
                        transfer_syntaxes: struct ndr_syntax_id
                            uuid                     :
71710533-beba-4937-8319-b5dbef9ccc36
                            if_version               : 0x00000001 (1)
                ctx_list: struct dcerpc_ctx_list
                    context_id               : 0x0002 (2)
                    num_transfer_syntaxes    : 0x01 (1)
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     :
e3514235-4b06-11d1-ab04-00c04fc2dcd2
                        if_version               : 0x00000004 (4)
                    transfer_syntaxes: ARRAY(1)
                        transfer_syntaxes: struct ndr_syntax_id
                            uuid                     :
6cb71c2c-9812-4540-0300-000000000000
                            if_version               : 0x00000001 (1)
            auth_info                : DATA_BLOB length=1897
[0000] 09 06 00 00 00 00 00 00   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-librpc-Provide-clearer-debug-messages-for-malformed-.patch
Type: text/x-patch
Size: 2658 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200424/b5e6ff15/0001-librpc-Provide-clearer-debug-messages-for-malformed-.bin>