Jeremy Allison [Fri, 11 Jun 2010 10:57:25 +0000 (12:57 +0200)]
s3-smbd: Fix memory corruption vulnerability.
Fix bug #7494 (Buffer overrun possible in chain_reply code in 3.3.x and below.)
and address CVE-2010-2063.
(cherry picked from commit 86ab436a0da958914f99dc8b7e88b10db4692d98)
Jeremy Allison [Tue, 9 Feb 2010 23:23:38 +0000 (15:23 -0800)]
Fix bug #7122 - Reading a large browselist fails (server returns invalid values in subsequent SMBtrans replies)
There are two problems:
1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0)
fields in the second and subsequent SMBtrans replies.
Jeremy Allison [Thu, 18 Feb 2010 20:21:10 +0000 (12:21 -0800)]
Fix bug #7155 - valgrind Conditional jump or move depends on uninitialised value(s) error when "mangling method = hash"
The charset array allocated in init_chartest() is allocated
by MALLOC, but only some elements of it being set after allocation. Fix is to
memset to zero after allocation.
Jeremy Allison [Wed, 17 Feb 2010 18:46:21 +0000 (10:46 -0800)]
Fix bug #6557 - Do not work VFS full_audit
Re-arrange the operations order so SMB_VFS_CONNECT is done
first as root (to allow modules to correctly initialize themselves).
Reviewed modules to check if they needed CONNECT invoked as
a user (which we previously did) and it turns out any of them
that cared needed root permissions anyway.
Jeremy Allison [Fri, 12 Feb 2010 00:09:59 +0000 (16:09 -0800)]
Fixes issue with preexec scripts creating a share directory, and problems if a smb.conf reload turns wide links back on after a connection is establised.
Jeremy Allison [Sat, 6 Feb 2010 00:22:27 +0000 (16:22 -0800)]
Fix bug 7104 - "wide links" and "unix extensions" are incompatible.
Change parameter "wide links" to default to "no".
Ensure "wide links = no" if "unix extensions = yes" on a share.
Fix man pages to refect this.
Remove "within share" checks for a UNIX symlink set - even if
widelinks = no. The server will not follow that link anyway.
Correct DEBUG message in check_reduced_name() to add missing "\n"
so it's really clear when a path is being denied as it's outside
the enclosing share path.
Jeremy Allison [Thu, 28 Jan 2010 01:16:04 +0000 (17:16 -0800)]
Fix bug #7072 - Accounts can't be unlocked from ldap.
Fix suggested by Andy Hanton <andyhanton@gmail.com>. The LOGIN_CACHE
struct contains two time_t entries, but was being written to and
read from via tdb_pack/tdb_unpack functions using explicit 32-bit int specifiers.
This would break on machines with a 64-bit time_t. Use correct int
sizes for tdb_pack/tdb_unpack.
Volker Lendecke [Sat, 16 Jan 2010 12:31:44 +0000 (13:31 +0100)]
s3: Fix a crash in libsmbclient used against the OpenSolaris CIFS server
A user has sent me a sniff where the OpenSolaris CIFS server returns "32" in
totalentries, but the array in ctr only contains 15 entries. Look at the right
delimiter for walking the array.
Fix bug #7046 (libsmbclient crash against OpenSolaris CIFS server).
Jeremy Allison [Sat, 16 Jan 2010 01:52:54 +0000 (17:52 -0800)]
Fix bug 7045 - Bad (non memory copying) interfaces in smbc_setXXXX calls.
In smbc_free_context libsmbclient just called free() on the string options
so it assumes the callers have malloced them before setting them via smbc_set
calls.
Change to correctly malloc/free string options to the library.
Protect against SMB_STRDUP of null.
Jeremy Allison [Wed, 9 Sep 2009 00:22:39 +0000 (17:22 -0700)]
Second part of fix for bug 6696 - smbd 3.3.7 crashes (signal 11) in dns_register_smbd_reply. Restore the code from 3.2 that actually initializes the struct dns_reg_state handle. Jeremy.
Jeremy Allison [Fri, 8 Jan 2010 18:24:34 +0000 (10:24 -0800)]
Re-fix bug 5202 - cannot change ACLs on writable file with "dos filemode=yes"
This bug re-occurred for 3.3.x and above.
The reason is that to change a NT ACL we now have to open the file requesting
WRITE_DAC and WRITE_OWNER access. The mapping from POSIX "w" to NT permissions
in posix_acls doesn't add these bits when "dos filemode = yes", so even though
the permission or owner change would be allowed by the POSIX ACL code, the
NTCreateX call fails with ACCESS_DENIED now we always check NT permissions
first.
Added in the mapping from "w" to WRITE_DAC and WRITE_OWNER access.
Jeremy Allison [Wed, 16 Dec 2009 02:38:06 +0000 (18:38 -0800)]
Second part of fix for 6875 - trans2 FIND_FIRST2 response --> FIND_FIRST2 Data -> Fille Attributes are returned as 0x220 for LANMAN2.1 dial
Ensure dos_mode can return FILE_ATTRIBUTE_NORMAL, then filter the returned attributes by protocol level.
This makes us consistant in returning DOS attrs across all replies. Tested on OS/2 by Günter Kukkukk.
Jeremy.
Kai Blin [Fri, 4 Dec 2009 08:47:25 +0000 (09:47 +0100)]
s3 aclocal.m4: Fix iconv checks, clean up m4 code
The check for iconv requiring giconv.h and libgiconv as well as
the check for iconv requiring biconv.h and libbiconv were using the wrong
variable to check for previous successful test results. This caused the checks
to always fall back to libbiconv on systems where that library was available.
In the course of fixing this, I had to clean up the indentation in that piece of
code, and I also rewrote/added some comments.
Many thanks to Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> for the initial
patch and diagnosis.
(cherry picked from commit f5aff324cb9d965bbc75634596c3c40ffc588183)
When idmap backend is specified as
idmap backend = ldap:"ldap://server1 ldap://server2"
then currently "ldap://server1 ldap://server2" was passed to
ldap_initialize including the quotes, leading to an ldap error.
Jeremy Allison [Tue, 27 Oct 2009 18:55:34 +0000 (11:55 -0700)]
Second part of the fix for bug 6828 - infinite timeout occurs when byte lock held outside of samba. Fixes case where a connection with a pending lock can me marked "idle", and ensures that the lock queue timeout is always recalculated. Jeremy.
Jeremy Allison [Mon, 9 Nov 2009 20:41:13 +0000 (12:41 -0800)]
Fix bug 6880 - cannot list workgroup servers reported by Alban Browaeys <prahal@yahoo.com> with fix. Revert 2e989bab0764c298a2530a2d4c8690258eba210c with extra comments - this broke workgroup enumeration. Jeremy.
Jeremy Allison [Thu, 22 Oct 2009 22:35:59 +0000 (15:35 -0700)]
Fix bug 6829 - smbclient does not show special characters properly. All successful calls to cli_session_setup() *must* be followed by calls to cli_init_creds() to stash the credentials we successfully connected with. There were 2 codepaths where this was missing. This caused smbclient to be unable to open the \srvsvc pipe to do an RPC netserverenum, and cause it to fall back to a RAP netserverenum, which uses DOS codepage conversion rather than the full UCS2 of RPC, so the returned characters were not correct (unless the DOS codepage was set correctly). Phew. That was fun to track down :-). Includes logic simplification in libsmb_server.c Jeremy.
Jeff Layton [Wed, 14 Oct 2009 15:06:23 +0000 (11:06 -0400)]
cifs.upcall: do a brute-force search for KRB5 credcache
A few weeks ago, I added some code to cifs.upcall to take the pid sent
by the kernel and use that to get the value of the $KRB5CCNAME
environment var for the process. That works fine on the initial mount,
but could be problematic on reconnect.
There's no guarantee on a reconnect that the process that initiates the
upcall will have $KRB5CCNAME pointed at the correct credcache. Because
of this, the current scheme isn't going to be reliable enough and we
need to use something different.
This patch replaces that scheme with one very similar to the one used by
rpc.gssd in nfs-utils. It searches the credcache dir (currently
hardcoded to /tmp) for a valid credcache for the given uid. If it finds
one then it uses that as the credentials cache. If it finds more than
one, it uses the one with the latest TGT expiration.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Addresses bug #6810.
Jeff Layton [Wed, 14 Oct 2009 15:06:21 +0000 (11:06 -0400)]
cifs.upcall: make using ip address conditional on new option
Igor Mammedov pointed out that reverse resolving an IP address to get
the hostname portion of a principal could open a possible attack
vector. If an attacker were to gain control of DNS, then he could
redirect the mount to a server of his choosing, and fix the reverse
resolution to point to a hostname of his choosing (one where he has
the key for the corresponding cifs/ or host/ principal).
That said, we often trust DNS for other reasons and it can be useful
to do so. Make the code that allows trusting DNS to be enabled by
adding --trust-dns to the cifs.upcall invocation.
Jeff Layton [Wed, 14 Oct 2009 15:06:18 +0000 (11:06 -0400)]
cifs.upcall: use ip address passed by kernel to get server's hostname
Instead of using the hostname given by the upcall to get the server's
principal, take the IP address given in the upcall and reverse resolve
it to a hostname.
Jeff Layton [Wed, 14 Oct 2009 15:04:56 +0000 (11:04 -0400)]
cifs.upcall: try getting a "cifs/" principal and fall back to "host/"
cifs.upcall takes a "-c" flag that tells the upcall to get a principal
in the form of "cifs/hostname.example.com@REALM" instead of
"host/hostname.example.com@REALM". This has turned out to be a source of
great confusion for users.
Instead of requiring this flag, have the upcall try to get a "cifs/"
principal first. If that fails, fall back to getting a "host/"
principal.
Jeff Layton [Wed, 14 Oct 2009 15:04:55 +0000 (11:04 -0400)]
cifs.upcall: declare a structure for holding decoded args
The argument list for the decoder is becoming rather long. Declare an
args structure and use that for holding the args. This also simplifies
pointer handling a bit.
Jeff Layton [Wed, 14 Oct 2009 15:04:53 +0000 (11:04 -0400)]
cifs.upcall: clean up logging and add debug messages
Change the log levels to be more appropriate to the messages being
logged. Error messages should be LOG_ERR and not LOG_WARNING, for
instance.
Add some LOG_DEBUG messages that we can use to diagnose problems with
krb5 upcalls. With these, someone can set up syslog to log daemon.debug
and should be able to get more info when things aren't working.
Jeff Layton [Wed, 14 Oct 2009 15:04:50 +0000 (11:04 -0400)]
cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use
If the kernel sends the upcall a pid of the requesting process, we can
open that process' /proc/<pid>/environ file and scrape the KRB5CCNAME
value out of it.
projects / thirdparty / samba.git / log
