s3:client: Use talloc to avoid memory leaks in smbspool
The function uri_unescape_alloc() is called by main() which has a talloc
stackframe.
Direct leak of 13 byte(s) in 1 object(s) allocated from:
#0 0x7fc31351b9a0 in strdup (/lib64/libasan.so.8+0x11b9a0) (BuildId: 388ee9ac193f74c177c6f52988d2d0dab110de41)
#1 0x7fc3129cfb50 in smb_xstrdup ../../lib/util/util.c:760
#2 0x0000002059f8 in uri_unescape_alloc ../../source3/client/smbspool.c:888
#3 0x00000020752a in main ../../source3/client/smbspool.c:347
#4 0x7fc30f62b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
#5 0x7ffd8bb806be ([stack]+0x3b6be)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Oct 24 07:42:37 UTC 2025 on atb-devel-224
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Jennifer Sutton <jsutton@samba.org>
Autobuild-Date(master): Thu Oct 23 01:03:36 UTC 2025 on atb-devel-224
s3:passdb: Fix memory leak in pdb_default_del_groupmem()
Indirect leak of 496 byte(s) in 1 object(s) allocated from:
#0 0x7f1e45121c2b in malloc (/lib64/libasan.so.8+0x121c2b) (BuildId: 388ee9ac193f74c177c6f52988d2d0dab110de41)
#1 0x7f1e44b586a0 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7f1e44b59f75 in __talloc ../../lib/talloc/talloc.c:825
#3 0x7f1e44b59f75 in _talloc_named_const ../../lib/talloc/talloc.c:982
#4 0x7f1e44b59f75 in _talloc_zero ../../lib/talloc/talloc.c:2421
#5 0x7f1e42a18460 in samu_new ../../source3/passdb/passdb.c:63
#6 0x7f1e42a381ef in pdb_default_del_groupmem ../../source3/passdb/pdb_interface.c:1098
#7 0x7f1e42a364b1 in pdb_del_groupmem ../../source3/passdb/pdb_interface.c:1130
#8 0x000000388a57 in net_sam_delmem ../../source3/utils/net_sam.c:1324
#9 0x00000038ff79 in net_run_function ../../source3/utils/net_util.c:451
#10 0x00000038bfb6 in net_sam ../../source3/utils/net_sam.c:2306
#11 0x00000038ff79 in net_run_function ../../source3/utils/net_util.c:451
#12 0x0000002ea182 in main ../../source3/utils/net.c:1474
#13 0x7f1e3fc2b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
#14 0x7ffe6b22b79f ([stack]+0x2079f)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Oct 22 15:21:22 UTC 2025 on atb-devel-224
lib:ldb:tools: Do not leak memory in ldb_cmdline_process_internal()
If add_control() hasn't been called before, it will be NULL. Use ret as
the context to allocate memory on.
Direct leak of 110 byte(s) in 1 object(s) allocated from:
#0 0x7fc1b5921c2b in malloc (/lib64/libasan.so.8+0x121c2b) (BuildId: 388ee9ac193f74c177c6f52988d2d0dab110de41)
#1 0x7fc1b56ed6a0 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7fc1b56ee9e8 in __talloc ../../lib/talloc/talloc.c:825
#3 0x7fc1b56ee9e8 in __talloc_strlendup ../../lib/talloc/talloc.c:2454
#4 0x7fc1b56ee9e8 in talloc_strdup ../../lib/talloc/talloc.c:2470
#5 0x7fc1b5f1ad18 in ldb_cmdline_process_internal ../../lib/ldb/tools/cmdline.c:389
#6 0x7fc1b5f1b53c in ldb_cmdline_process ../../lib/ldb/tools/cmdline.c:544
#7 0x000000202a19 in main ../../lib/ldb/tools/ldbdel.c:97
#8 0x7fc1b542b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
#9 0x7ffdced96847 ([stack]+0x38847)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Oct 22 09:25:35 UTC 2025 on atb-devel-224
Direct leak of 376 byte(s) in 1 object(s) allocated from:
#0 0x7ff48b520b4b (/lib64/libasan.so.8+0x120b4b) (BuildId: 388ee9ac193f74c177c6f52988d2d0dab110de41)
#1 0x7ff48bb079d3 in _talloc_realloc ../../lib/talloc/talloc.c:2035
#2 0x7ff48bb0824c in _talloc_realloc_array ../../lib/talloc/talloc.c:2810
#3 0x00000021ab91 in wbinfo_xids_to_sids ../../nsswitch/wbinfo.c:1122
#4 0x00000021ab91 in main ../../nsswitch/wbinfo.c:3065
#5 0x7ff48842b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
#6 0x7ffd3dc6866e ([stack]+0x2066e)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Noel Power <npower@samba.org>
lib:replace: Implement setproctitle() based on PRCTL_MM_MAP
This should work on Linux. It requires CAP_SYS_RESOURCE, but our daemons
run as root anyway.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Oct 22 08:03:35 UTC 2025 on atb-devel-224
Douglas Bagnall [Wed, 3 Sep 2025 02:20:24 +0000 (14:20 +1200)]
CVE-2025-10230: s4:wins: restrict names fed to shell
If the "wins hook" smb.conf parameter is set, the WINS server will
attempt to execute that value in a shell command line when a client
asks to modify a name. The WINS system is a trusting one, and clients
can claim any NETBIOS name they wish.
With the source3 nmbd WINS server (since the 1999 commit now called 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7) the wins hook will not be
run for names that contain shell metacharacters. This restriction has
not been present on the source4 nbt WINS server, which is the WINS
server that will be used in the event that an Active Directory Domain
Controller is also running WINS.
This allowed an unauthenticated client to execute arbitrary commands
on the server.
This commit brings the nmbd check into the nbt WINS server, so that
the wins hook will only be run for names that contain only letters,
digits, hyphens, underscores and periods. This matches the behaviour
described in the smb.conf man page.
The source3 nmbd WINS server has another layer of protection, in that
it uses the smb_run() exec wrapper that tries to escape arguments. We
don't do that here.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Oct 21 19:43:25 UTC 2025 on atb-devel-224
Douglas Bagnall [Tue, 9 Sep 2025 01:36:16 +0000 (13:36 +1200)]
CVE-2025-10230: s4/tests: check that wins hook sanitizes names
An smb.conf can contain a 'wins hook' parameter, which names a script
to run when a WINS name is changed. The man page says
The second argument is the NetBIOS name. If the name is not a
legal name then the wins hook is not called. Legal names contain
only letters, digits, hyphens, underscores and periods.
but it turns out the legality check is not performed if the WINS
server in question is the source4 nbt one. It is not expected that
people will run this server, but they can. This is bad because the
name is passed unescaped into a shell command line, allowing command
injection.
For this test we don't care whether the WINS server is returning an
error code, just whether it is running the wins hook. The tests show
it often runs the hook it shouldn't, though some characters are
incidentally blocked because the name has to fit in a DN before it
gets to the hook, and DNs have a few syntactic restrictions (e.g.,
blocking '<', '>', and ';').
The source3 WINS server that is used by Samba when not run as a DC is
not affected and not here tested.
We don't really need "fsp" and "smb_fname_src" arguments anymore
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 21 18:35:59 UTC 2025 on atb-devel-224
With SMB_VFS_RENAME_STREAM and the src parent fsp and src relname
available, we can save a lot of string handling in
rename_internals_fsp(). Subsequent patches will remove a lot of code
that's no longer used after this patch.
Better look at the result than the patch for review.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
[MS-FSA] 2.1.5.15.12.1 Algorithm for Performing Stream Rename
is simpler and diffent enough from renaming a file or directory that I
believe a separate VFS operation is justified instead of tunneling it
through the renameat call. For example it's only possible to rename
streams within a file, so only one stream open fsp and a newname which
is guaranteed to be a stream name is necessary.
Add stub implementations to our streams modules, to be filled later.
Signed-off-by: Volker Lendecke <vl@samba.org>
vfs_streams_xattr: rename_streams Reviewed-by: Ralph Boehme <slow@samba.org>
Avoid calling parent_pathref() in hardlink_internals. All but one
callers have the required information anyway. Unfortunately the one
that does not have it is the SMB2 one. So for SMB2+ this is not a real
optimization, but in some distant future we might have a dirfsp
attached to every fsp, so this might at some point also solve itself.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
We call filename_convert_dirfsp() on the old name. Use the parsing
done there, we don't need to scan for a ":" in reply_ntrename() where
filename_convert_dirfsp() already does it.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
See the comment at the top of this patch for a description of the data
format.
The lowerlevel xattr_multi routines now take the raw stream name
instead of the xattr name because they have to build up the real xattr
name attached to the file themselves.
The patch is a bit larger than I would like it, but the mechanics in
the _multi() routines don't make sense in isolation, and the rest is
mostly handling the raw_stream_name instead of the xattr_name.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
streams_xattr always appends a '\0'. We'll start to add meaning to
that byte and check it soon, so make the hand-crafted stream follow
that convention.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Oct 20 10:59:03 UTC 2025 on atb-devel-224
in a Spotlight query produces the following log message:
map_fts: Mapping fts [757378800] unexpected op [~]
However, when
elasticsearch:ignore unknown attribute = yes
is set, the parser will ignore the failed expression and continue
parsing given the expression is part of a larger expression like
"subexpression1 OR subexpression2". Avoid spamming the log and reduce
the loglevel when we hit this case.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Oct 17 12:16:23 UTC 2025 on atb-devel-224
Martin Schwenke [Thu, 16 Oct 2025 02:54:22 +0000 (13:54 +1100)]
ctdb-scripts: Avoid failing updateip when IP is not assigned
There is no use failing this when it could behave more like takeip.
Use old interface of "__none__" as a hint that ctdbd doesn't think the
IP is assigned either. In this case print a warning instead of an
error. Take some care to avoid spurious errors in updateip.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
Reported-by: Bailey Allison <ballison@45drives.com> Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Oct 17 06:28:30 UTC 2025 on atb-devel-224
Martin Schwenke [Wed, 15 Oct 2025 23:42:22 +0000 (10:42 +1100)]
ctdb-tests: Add an event script unit test for updateip
This illustrates the current failure where an unassigned public IP
address causes updateip to fail.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
Martin Schwenke [Wed, 15 Oct 2025 21:17:44 +0000 (08:17 +1100)]
ctdb-daemon: Fix a crash due to a failed updateip
This should really be a takeip. However, CTDB's weak check of the IP
address state (using bind(2)) incorrectly indicates that the IP
address is assigned to an interface so it is converted to an updateip.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
This commit fixes a situation in which vfs_streams_xattr could
write unitialized memory into alternate data streams if the
user writes to an offset that is beyond the current end of file
to insert a hole in it.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 16 18:42:05 UTC 2025 on atb-devel-224
If AddressSanitizer is loaded it will detect alignment issues. The tool
is not ours, so ignore it.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Oct 16 09:34:58 UTC 2025 on atb-devel-224
projects / thirdparty / samba.git / log
