Ira Cooper [Sun, 29 Jan 2012 19:36:05 +0000 (20:36 +0100)]
s3-smbd: Fix bug #8724.
Fix bug #8724 - Memory leak in parent smbd on connection.
This is CVE-2012-0817.
Patch has been created by Ira Cooper <ira@wakeful.net> and
Jeremy Allison <jra@samba.org>.
(cherry picked from commit 964620240c83024bea8bbce0bc282b0851513808)
The last 7 patches address bug #8697 (DeletePrinterDriverEx never removes
printer driver files) and bug #4942 (DeletePrinterDriverEx deletes files
in use).
(cherry picked from commit c4a3d988a64723a51be4b3ddaddd83708d90ed13)
printer_driver_files_in_use() performs two tasks: it returns whether any
of the files in the to-be-deleted driver overlap with other drivers, and it
also trims such files from the info structure passed in.
In processing a DeletePrinterDataEx request with DPD_DELETE_UNUSED_FILES
set, printer_driver_files_in_use() must be called to ensure files in
use by other drivers are not removed.
David Disseldorp [Thu, 12 Jan 2012 15:27:37 +0000 (16:27 +0100)]
s3-spoolss: fix printer driver version deletion
Spoolss delete printer driver code currently makes invalid version
assumptions based on the architecture requested by the client.
Ugly hacks are in place to cover removal of other versions (2 and 3).
This change wraps multi version deletion in a simple for loop.
(cherry picked from commit 54bc662adb24be9950c827446130b91504965c8c)
David Disseldorp [Tue, 10 Jan 2012 17:21:42 +0000 (18:21 +0100)]
spoolss: fix DPD_DELETE_ALL_FILES error return
If DeletePrinterDriverEx is called with DPD_DELETE_ALL_FILES and files
assigned to the to-be-deleted driver overlap with other drivers then an
error is returned. Change the error code here to match Windows 2k8r2.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 29c97b7132ac316327123f200a71e70317b2dbb9)
Jeremy Allison [Tue, 10 Jan 2012 21:49:03 +0000 (13:49 -0800)]
Third part of fix for bug #8673 - NT ACL issue.
(Not needed in master as this code has changed). Ensure we set a temp
access mask before calling open(O_RDONLY|O_DIRECTORY) on the directory.
(cherry picked from commit 6b72809b7488cc530f47ad08dfde215627681cf6)
Jeremy Allison [Tue, 10 Jan 2012 21:48:18 +0000 (13:48 -0800)]
Second part of fix for bug #8673 - NT ACL issue.
Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.
(cherry picked from commit 28834ee4fcfc204fa9a88459700fed212a1e9fce)
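The ACE walk described in the second part of the bug #8673 fix, as an added example (not Samba's code): a simplified access check that records denied bits and keeps walking, so the caller can tell a DELETE-only refusal from any other. The struct layout, function names, sample ACLs and the DELETE_CHILD override on the parent directory are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration; not Samba's struct security_ace. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t trustee; uint32_t mask; };

#define R_READ         0x00000001u
#define R_DELETE_CHILD 0x00000040u
#define R_DELETE       0x00010000u

/* Walk the whole ACL; return exactly the bits that were denied or never
 * granted (0 means access is allowed). An earlier ACE wins over a later one. */
uint32_t rejected_bits(const struct ace *acl, size_t n, uint32_t who, uint32_t desired)
{
    uint32_t remaining = desired, denied = 0;
    for (size_t i = 0; i < n && remaining != 0; i++) {
        if (acl[i].trustee != who)
            continue;
        if (acl[i].type == ACE_ALLOW) {
            remaining &= ~acl[i].mask;
        } else {
            denied |= remaining & acl[i].mask;  /* record, do not return early */
            remaining &= ~acl[i].mask;
        }
    }
    return remaining | denied;
}

/* Caller side (assumed policy): a refusal of DELETE alone may be overridden
 * by the parent directory granting DELETE_CHILD; any other refusal is final. */
int may_open(const struct ace *file_acl, size_t nf, const struct ace *dir_acl,
             size_t nd, uint32_t who, uint32_t desired)
{
    uint32_t rej = rejected_bits(file_acl, nf, who, desired);
    if (rej == 0) return 1;
    if (rej != R_DELETE) return 0;
    return rejected_bits(dir_acl, nd, who, R_DELETE_CHILD) == 0;
}

/* Constructed sample ACLs for trustee 1000. */
static const struct ace FILE_ACL[] = { { ACE_DENY, 1000, R_DELETE }, { ACE_ALLOW, 1000, R_READ } };
static const struct ace DIR_ACL[]  = { { ACE_ALLOW, 1000, R_DELETE_CHILD } };

int main(void)
{
    printf("rejected=0x%x\n", (unsigned)rejected_bits(FILE_ACL, 2, 1000, R_READ | R_DELETE));
    printf("may_open=%d\n", may_open(FILE_ACL, 2, DIR_ACL, 1, 1000, R_READ | R_DELETE));
    return 0;
}
```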
Jeremy Allison [Tue, 10 Jan 2012 21:41:55 +0000 (13:41 -0800)]
First part of fix for bug #8673 - NT ACL issue.
Simplify the logic in the unlink/rmdir calls - makes it readable
(and correct). Add some debug.
(cherry picked from commit d40006aa7f8a594273a9d0ad1fa1a87ae7b1ebb0)
Jeremy Allison [Fri, 16 Dec 2011 23:50:58 +0000 (15:50 -0800)]
Third part of fix for bug #8663 - deleting a symlink fails if the symlink target is outside of the share.
can_access_file_acl() - we can always delete a symlink.
can_delete_file_in_directory() - We don't need to do another STAT call
here, we know smb_fname->st is in a valid state.
smbd_check_open_rights() - we can always delete a symlink.
(cherry picked from commit c6bd2aa768ebf4308c53d057bc1db7adc2b67705)
Jeremy Allison [Fri, 16 Dec 2011 23:37:07 +0000 (15:37 -0800)]
Second part of fix for bug #8663 - deleting a symlink fails if the symlink target is outside of the share.
Ensure we use UCF_UNIX_NAME_LOOKUP flags on filename_convert()
when doing a restricted set of infolevels in trans2setfilepathinfo().
(cherry picked from commit cb5f2b3f9d5710ba66182e45bf8380c2f37b4190)
David Disseldorp [Fri, 13 Jan 2012 21:51:22 +0000 (13:51 -0800)]
idl: add to_null property
to_null specifies that character conversion should only occur until the
null pointer in an array based string.
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Jan 14 00:51:54 CET 2012 on sn-devel-104
The last 5 patches address bug #8606 (Intermittent print job failures caused by
character conversion errors).
(cherry picked from commit c92513e218432ba3fb4afe6e93c8c1fc8f684368)
David Disseldorp [Sun, 13 Nov 2011 19:40:56 +0000 (20:40 +0100)]
idl: add to_null attribute to the spoolss formname array
OpenPrinterEx requests have been observed in the wild carrying a device
mode formname "A4" followed by non-utf16 garbage after the null
terminator. Such requests currently fail during unmarshalling in the
ndr_pull_charset() codepath, causing intermittent print job failures.
This change ensures that garbage after the device mode formname null
terminator is not processed in unmarshalling.
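The effect of to_null on the formname case above, as an added example (not Samba's NDR code): a stand-in for a charset pull over a fixed-size UTF-16LE array, run with and without stopping at the null terminator. The function names and the sample buffer are constructed for illustration, and the garbage is modelled as an unpaired surrogate.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Number of 16-bit units before the first NUL unit, capped at n. */
static size_t utf16_len_n(const uint8_t *b, size_t n)
{
    size_t i = 0;
    while (i < n && (b[2 * i] | b[2 * i + 1]) != 0)
        i++;
    return i;
}

/* Hypothetical stand-in for pulling a fixed-size UTF-16LE array.
 * Returns the number of code points decoded, or -1 on malformed UTF-16
 * (an unpaired surrogate). With to_null set, only the units before the
 * first NUL are examined; without it the whole array is converted. */
int pull_utf16_array(const uint8_t *b, size_t n_units, int to_null)
{
    size_t n = to_null ? utf16_len_n(b, n_units) : n_units;
    int count = 0;
    for (size_t i = 0; i < n; i++, count++) {
        uint16_t u = (uint16_t)(b[2 * i] | (b[2 * i + 1] << 8));
        if (u >= 0xD800 && u <= 0xDBFF) {            /* high surrogate */
            if (i + 1 >= n)
                return -1;
            uint16_t lo = (uint16_t)(b[2 * i + 2] | (b[2 * i + 3] << 8));
            if (lo < 0xDC00 || lo > 0xDFFF)
                return -1;
            i++;                                     /* consume the pair */
        } else if (u >= 0xDC00 && u <= 0xDFFF) {     /* lone low surrogate */
            return -1;
        }
    }
    return count;
}

/* Constructed sample: "A4", NUL, then leftover bytes that are not valid UTF-16. */
static const uint8_t FORMNAME[] = {
    'A', 0, '4', 0, 0, 0, 0x00, 0xDC, 0x37, 0x13, 0x00, 0xD8
};

int main(void)
{
    printf("whole array: %d\n", pull_utf16_array(FORMNAME, 6, 0));
    printf("to_null:     %d\n", pull_utf16_array(FORMNAME, 6, 1));
    return 0;
}
```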
libcli/cldap: fix a crash bug in cldap_socket_recv_dgram() (bug #8593)
After calling any wrapper of tevent_req_notify_callback(),
e.g. tevent_req_nterror(), tevent_req_done(), tevent_req_nomem(),
a function has to return immediately, otherwise it is very likely to
crash.
s3:lib/ctdbd_conn: try ctdbd_init_connection() as root (bug #8684)
ctdbd_traverse is only called if the main db_context is already
open. So if we could get to information via dbwrap_fetch,
we should also be able to traverse.
Jeremy Allison [Thu, 5 Jan 2012 21:54:29 +0000 (13:54 -0800)]
Fix bug #8687 - net memberships usage info is wrong
Typo in usage.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Jan 6 00:30:20 CET 2012 on sn-devel-104
(cherry picked from commit 0453544900ef2ebff7a3c677d4048ef530713b64)
s3-libsmb: Don't duplicate kerberos service tickets.
This fixes bug #8628.
Each time we do a client connection, each time we call the function to
get the service ticket from the cache, we duplicate it. So with each
connection we end up with one or three duplicated tickets.
Jeremy Allison [Sat, 31 Dec 2011 05:19:08 +0000 (21:19 -0800)]
Final part of fix for bug #8679 - recvfile code path using splice() on Linux leaves data in the pipe on short write.
The code to set a DOS error on short writeX return is amazingly
legacy code, and also breaks the reply as fixup_chain_error_packet()
enforces a 2-byte wct on any reply where smb_rcls != 0.
Found in testing by Andrew Bartlett. Thanks Andrew!
Jeremy Allison [Fri, 2 Dec 2011 18:55:40 +0000 (10:55 -0800)]
Fix bug #8644 - vfs_acl_xattr and vfs_acl_tdb modules can fail to add inheritable entries on a directory with no stored ACL.
If referring to an fsp, sbuf can be left as an uninitialized variable,
causing the 'is_directory' variable to be false when it should be true.
(cherry picked from commit 16c0d52842386fc2ebf975166b57b888d36796c5)
Björn Jacke [Sat, 10 Dec 2011 12:53:42 +0000 (13:53 +0100)]
s3/doc: document the ignore system acls option of vfs_acl_xattr and vfs_acl_tdb
Autobuild-User: Björn Jacke <bj@sernet.de>
Autobuild-Date: Sat Dec 10 15:30:46 CET 2011 on sn-devel-104
(cherry picked from commit f452add2231906742c9fd119371cd4fd81a1bdd6)
Fix bug #8652 (vfs_acl man pages miss "ignore system acls" option).
Volker Lendecke [Thu, 17 Nov 2011 21:24:24 +0000 (22:24 +0100)]
s3: Fix bug 8371
ndr_set_flag or's in the given flag (ALIGN4). At this point, ndr->flags
contains NOALIGN, which will persist. In ndr_push_DATA_BLOB NOALIGN overrides
everything else, so that the ALIGN4 is not respected.
(cherry picked from commit 6cb605364e83fe0c5562c9b0920408c697e4fc3e)
s3-winbind: Add an update function for winbind cache.
With 57b3d32 we changed the format for the winbind cache database and
the code deleted the database for the upgrade. As this database holds
also cached credentials, removing it is not an option. We need to update
from version 1 to version 2.
Richard Sharpe [Mon, 14 Nov 2011 15:47:38 +0000 (07:47 -0800)]
Improve configure.in so it can be used outside the Samba source tree.
Autobuild-User: Richard Sharpe <sharpe@samba.org>
Autobuild-Date: Thu Nov 17 07:00:38 CET 2011 on sn-devel-104
(cherry picked from commit f50aa988c201c2fe78e467f1a419bedc741e1d31)
Fix bug #8607 (The configure.in in examples/VFS does not easily allow building
modules outside the Samba source tree).
(cherry picked from commit 7db7ea684a17b70ecae31c70c1b2e647ea0fafa1)
If you join Samba with the idmap_ad backend to an AD and you try to
enumerate users with 'getent passwd' and the user doesn't have a uid
set, then getent is aborted because of NT_STATUS_NONE_MAPPED. If we can't
map a user we should not stop but continue enumerating users.
This normally happens with the default user 'krbtgt' with idmap_ad but
could also happen with other backends.
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue Nov 15 16:52:04 CET 2011 on sn-devel-104
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The last 2 patches address bug #8600 (cldap doesn't work over ipv6).
(cherry picked from commit d8bc1584df47673ba7f6933af178f8669a61262b)
Jeremy Allison [Tue, 15 Nov 2011 19:27:56 +0000 (11:27 -0800)]
Ensure we correctly calculate reply credits over all returned
SMB2 replies, and do as Windows does and return the total in the
last SMB2 reply. Fixes an issue found by Christian M Ambach <christian.ambach@de.ibm.com>
(and thanks to Christian for the initial patch this was based on).
(cherry picked from commit 65566dfa8629136eaf0dc1491502dc651d1a4858)
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Nov 14 10:01:30 CET 2011 on sn-devel-104
(cherry picked from commit 72cabbbe50a36986dde823f0ba60abf9052c535a)
Matthias, the bad effect of this change was that actually all failed password
change attempts will always return NT_STATUS_OK because the last 4 bytes (the
resulting status code) were not marshalled anymore.
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Nov 9 00:41:13 CET 2011 on sn-devel-104
(cherry picked from commit 8a18edf1c2d553105cfcadec4d892e4e5a0fdba1)
Christian Ambach [Thu, 20 Oct 2011 16:44:48 +0000 (18:44 +0200)]
s3:idmap_autorid: add an allocation range to autorid
this is needed to allocate gids for BUILTIN\Users and
BUILTIN\Administrators and for local users/group that
admins might want to create
autorid will now allocate one range for this purpose
and can so give out as many uids and gids as the
configured rangesize allows
(cherry picked from commit a98095601dc585a6c49813399466a455c43fc0fc)
Christian Ambach [Thu, 20 Oct 2011 16:39:30 +0000 (18:39 +0200)]
s3:idmap_autorid: move HWM initialization into a function
we will need some more HWM soon, so move out initialization and
optimize the logic using the new interface of dbwrap_fetch_uint32
(cherry picked from commit 31593bcd74f4063217190012a83e1003e29fdba7)
Christian Ambach [Thu, 20 Oct 2011 16:22:19 +0000 (18:22 +0200)]
s3:idmap_autorid: use strings as parameter for range allocator
this prepares for allocation of non-domain ranges that cannot be
expressed by a SID (e.g. an allocation pool)
(cherry picked from commit 188a12e1df2a5a3ae39cb2e25c87ae2093a62853)
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Fri Nov 4 12:36:04 CET 2011 on sn-devel-104
(cherry picked from commit 4f3e86f62398218c454b979aaad75c7d7d3d8546)
The last 4 patches address bug #8560 (SMB2 doesn't handle compound request
headers in the same way as Windows).
(cherry picked from commit 2971e74fd522998d30b2923a2a308d8e28c04aa9)