From: Ralph Boehme <slow@samba.org>
Date: Sat, 13 Jan 2024 10:40:55 +0000 (+0100)
Subject: winbindd: fix listing trusted domains with NT trusts
X-Git-Tag: talloc-2.4.2~67
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=201edcb5c6138488959e54e7df88007d010f1cfb;p=thirdparty%2Fsamba.git

winbindd: fix listing trusted domains with NT trusts

Commit e07f8901ec95aab8c36965000de185d99e642644 broke handling of NT4 domains
which lack a DNS domain names. As the dns_name is NULL, talloc_steal(dns_name)
returns NULL, which causes _wbint_ListTrustedDomains to return
NT_STATUS_NO_MEMORY.

To make things worse, at that point the new struct netr_DomainTrust is not yet
initialized correctly and the "out->count = n + 1" already increased the array
counter at the start of the loop without initializing it.

Later when NDR-pushing the result in dcesrv_call_dispatch_local(), the ndr_push() can
crash when accesssing the ununitialized values:

2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD)
2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames:
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5]
92023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #11 bin/shared/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x49b) [0x7f1397be6219]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #12 winbindd: domain child [ADDOMAIN](winbindd_dual_ndrcmd+0x375) [0x55741e67a204]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #13 winbindd: domain child [ADDOMAIN](+0x9cf0d) [0x55741e674f0d]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #14 winbindd: domain child [ADDOMAIN](+0x9f792) [0x55741e677792]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #15 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_fd_handler+0x121) [0x7f139802f816]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #16 bin/shared/private/libtevent-samba4.so(+0x19cef) [0x7f139803bcef]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #17 bin/shared/private/libtevent-samba4.so(+0x1a3dc) [0x7f139803c3dc]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #18 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #19 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #20 winbindd: domain child [ADDOMAIN](+0xa03ca) [0x55741e6783ca]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #21 winbindd: domain child [ADDOMAIN](+0x9ba9c) [0x55741e673a9c]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #22 bin/shared/private/libtevent-samba4.so(_tevent_req_notify_callback+0xba) [0x7f139803194a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #23 bin/shared/private/libtevent-samba4.so(+0xfadb) [0x7f1398031adb]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #24 bin/shared/private/libtevent-samba4.so(_tevent_req_done+0x25) [0x7f1398031b07]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #25 bin/shared/private/libtevent-samba4.so(+0xf125) [0x7f1398031125]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #26 bin/shared/private/libtevent-samba4.so(+0xe9cf) [0x7f13980309cf]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #27 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_immediate_handler+0x207) [0x7f1398030343]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #28 bin/shared/private/libtevent-samba4.so(tevent_common_loop_immediate+0x37) [0x7f13980304b5]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #29 bin/shared/private/libtevent-samba4.so(+0x1a332) [0x7f139803c332]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #30 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #31 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #32 winbindd: domain child [ADDOMAIN](main+0x1689) [0x55741e6b210a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #33 /lib64/libc.so.6(+0x27b8a) [0x7f1396864b8a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #34 /lib64/libc.so.6(__libc_start_main+0x8b) [0x7f1396864c4b]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #35 winbindd: domain child [ADDOMAIN](_start+0x25) [0x55741e63a045]
2023-12-08T14:07:42.760685+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: smb_panic(): calling panic action [cd /data/git/samba/scratch3 && /data/git/samba/scratch3/selftest/gdb_backtrace 157227 ./bin/winbindd]

Deferring assignment of r->out.domains->array and r->out.domains->count to the
end of the function ensures we don't return inconsistent state in case of an
error.

Also, r->out.domains is already set by the NDR layer, no need to create and
assign a struct netr_DomainTrustList object.

Using talloc_move() ensures we don't leave dangling pointers. Better to crash
reliably on accessing NULL, then accessing some unknown memory via a wild
pointer. As talloc_move() can't fail, there's no need to check the return value.

And using a struct initializer ensures all members are properly initialized.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224
---

diff --git a/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts b/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts
deleted file mode 100644
index 546e087b250..00000000000
--- a/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.blackbox.list_nt4_trusts.nt4trust_wbinfo_m\(ad_member_idmap_ad\)
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index f0fd18a8fa6..bbdaf6e5807 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -2055,10 +2055,11 @@ NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p,
 				   struct wbint_ListTrustedDomains *r)
 {
 	struct winbindd_domain *domain = wb_child_domain();
-	uint32_t i, n;
+	uint32_t i;
 	NTSTATUS result;
 	struct netr_DomainTrustList trusts;
-	struct netr_DomainTrustList *out = NULL;
+	uint32_t count = 0;
+	struct netr_DomainTrust *array = NULL;
 	pid_t client_pid;
 
 	if (domain == NULL) {
@@ -2082,53 +2083,44 @@ NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p,
 		return result;
 	}
 
-	out = talloc_zero(p->mem_ctx, struct netr_DomainTrustList);
-	if (out == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	r->out.domains = out;
-
 	for (i=0; i<trusts.count; i++) {
-		if (trusts.array[i].sid == NULL) {
+		struct netr_DomainTrust *st = &trusts.array[i];
+		struct netr_DomainTrust *dt = NULL;
+
+		if (st->sid == NULL) {
 			continue;
 		}
-		if (dom_sid_equal(trusts.array[i].sid, &global_sid_NULL)) {
+		if (dom_sid_equal(st->sid, &global_sid_NULL)) {
 			continue;
 		}
 
-		n = out->count;
-		out->array = talloc_realloc(out, out->array,
-					    struct netr_DomainTrust,
-					    n + 1);
-		if (out->array == NULL) {
+		array = talloc_realloc(r->out.domains, array,
+				       struct netr_DomainTrust,
+				       count + 1);
+		if (array == NULL) {
 			return NT_STATUS_NO_MEMORY;
 		}
-		out->count = n + 1;
 
-		out->array[n].netbios_name = talloc_steal(
-				out->array, trusts.array[i].netbios_name);
-		if (out->array[n].netbios_name == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
+		dt = &array[count];
 
-		out->array[n].dns_name = talloc_steal(
-				out->array, trusts.array[i].dns_name);
-		if (out->array[n].dns_name == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
+		*dt = (struct netr_DomainTrust) {
+			.trust_flags = st->trust_flags,
+			.trust_type = st->trust_type,
+			.trust_attributes = st->trust_attributes,
+			.netbios_name = talloc_move(array, &st->netbios_name),
+			.dns_name = talloc_move(array, &st->dns_name),
+		};
 
-		out->array[n].sid = dom_sid_dup(out->array,
-				trusts.array[i].sid);
-		if (out->array[n].sid == NULL) {
+		dt->sid = dom_sid_dup(array, st->sid);
+		if (dt->sid == NULL) {
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		out->array[n].trust_flags = trusts.array[i].trust_flags;
-		out->array[n].trust_type = trusts.array[i].trust_type;
-		out->array[n].trust_attributes = trusts.array[i].trust_attributes;
+		count++;
 	}
 
+	r->out.domains->array = array;
+	r->out.domains->count = count;
 	return NT_STATUS_OK;
 }