Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from patch from master)
[backport by npower@samba.org as master commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87 and 58e9b62222ad62c81cdf11d704859a227cb2902b creates conflicts
due to rename of WBC_ID_TYPE_* -> ID_TYPE_*]
[backport by jra@samba.org to work around a compiler
bug showing this error on gcc 5.6 -> 6.x, seen on
Debian 9 and Ubuntu 16.04 under -O3:
../../source3/passdb/lookup_sid.c:1246:6: error: assuming
pointer wraparound does not occur when comparing P +- C1
with P +- C2 [-Werror=strict-overflow]]
o BUG #14595: CVE-2020-27840: Heap corruption via crafted DN strings.
o BUG #14655: CVE-2021-20277: Out of bounds read in AD DC LDAP server.
Note this is exactly the same as 4.12.13, except that it
has a dependency on ldb version 2.1.5, which is needed if
someone builds against a system libldb.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Karolin Seeger <kseeger@samba.org>
Douglas Bagnall [Thu, 11 Feb 2021 03:28:43 +0000 (16:28 +1300)]
CVE-2020-27840: pytests: move Dn.validate test to ldb
We had the test in the Samba Python segfault suite because
a) the signal catching infrastructure was there, and
b) the ldb tests lack Samba's knownfail mechanism, which allowed us to
assert the failure.
Douglas Bagnall [Fri, 11 Dec 2020 03:32:25 +0000 (16:32 +1300)]
CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
A DN string with lots of trailing space can cause ldb_dn_explode() to
put a zero byte in the wrong place in the heap.
When a DN string has a value represented with trailing spaces,
like this
"CN=foo ,DC=bar"
the whitespace is supposed to be ignored. We keep track of this in the
`t` pointer, which is NULL when we are not walking through trailing
spaces, and points to the first space when we are. We are walking with
the `p` pointer, writing the value to `d`, and keeping the length in
`l`.
"CN=foo ,DC= " ==> "foo "
^ ^ ^
t p d
--l---
The value is finished when we encounter a comma or the end of the
string. If `t` is not NULL at that point, we assume there are trailing
spaces and wind `d and `l` back by the correct amount. Then we switch
to expecting an attribute name (e.g. "CN"), until we get to an "=",
which puts us back into looking for a value.
Unfortunately, we forget to immediately tell `t` that we'd finished
the last value, we can end up like this:
"CN=foo ,DC= " ==> ""
^ ^ ^
t p d
l=0
where `p` is pointing to a new value that contains only spaces, while
`t` is still referring to the old value. `p` notices the value ends,
and we subtract `p - t` from `d`:
"CN=foo ,DC= " ==> ? ""
^ ^ ^
t p d
l ~= SIZE_MAX - 8
At that point `d` wants to terminate its string with a '\0', but
instead it terminates someone else's byte. This does not crash if the
number of trailing spaces is small, as `d` will point into a previous
value (a copy of "foo" in this example). Corrupting that value will
ultimately not matter, as we will soon try to allocate a buffer `l`
long, which will be greater than the available memory and the whole
operation will fail properly.
However, with more spaces, `d` will point into memory before the
beginning of the allocated buffer, with the exact offset depending on
the length of the earlier attributes and the number of spaces.
What about a longer DN with more attributes? For example,
"CN=foo ,DC= ,DC=example,DC=com" -- since `d` has moved out of
bounds, won't we continue to use it and write more DN values into
mystery memory? Fortunately not, because the aforementioned allocation
of `l` bytes must happen first, and `l` is now huge. The allocation
happens in a talloc_memdup(), which is by default restricted to
allocating 256MB.
So this allows a person who controls a string parsed by ldb_dn_explode
to corrupt heap memory by placing a single zero byte at a chosen
offset before the allocated buffer.
An LDAP bind request can send a string DN as a username. This DN is
necessarily parsed before the password is checked, so an attacker does
not need proper credentials. The attacker can easily cause a denial of
service and we cannot rule out more subtle attacks.
The immediate solution is to reset `t` to NULL when a comma is
encountered, indicating that we are no longer looking at trailing
whitespace.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from commit for master)
This is done here rather than squashed in the cherry-pick of the expanded testsuite
because it allows this commit to be simply reverted for the backport of bug 14044
if this lands first, or to be dropped if bug 14044 lands first.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from commit for master)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from commit 33a95a1e75b85e9795c4490b78ead2162e2a1f47)
Volker Lendecke [Wed, 3 Mar 2021 18:15:31 +0000 (19:15 +0100)]
g_lock: Fix uninitalized variable reads
If dbwrap_watched_watch_recv() returns IO_TIMEOUT, "blockerdead" might
be an uninitialized non-false, and further down we'll remove the wrong
exclusive locker.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14636 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 5 11:22:07 UTC 2021 on sn-devel-184
Trever L. Adams [Fri, 26 Feb 2021 22:52:03 +0000 (14:52 -0800)]
s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure
Recent talloc changes cause the current check for failure to allocate to be incorrectly triggered.
This patch checks to see if the original parameter to be checked for NULL if the talloc returns NULL. This allows for rapid passing in the ca
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14634
RN: Fix failure of vfs_virusfilter starting due to talloc changes
Signed-off-by: Trever L. Adams" <trever.adams@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Noel Power <noel.power@suse.com>
(cherry picked from commit 5a92810082c9a9d2833946ae0d83ce05a6bde597)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Fri Mar 5 13:17:14 UTC 2021 on sn-devel-184
Signed-off-by: Peter Eriksson <pen@lysator.liu.se> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Thu Feb 25 20:46:02 UTC 2021 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9883ac45939f253a63f3ff312fc3912c5f02cdac)
Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Tue Feb 2 10:29:44 UTC 2021 on sn-devel-184
script/autobuild.py: allow write_system_info commands to fail
These commands are just there as hints to debug possible problems.
In order to support autobuild.py on non-linux platforms we should
just ignore errors here.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr 2 07:36:07 UTC 2020 on sn-devel-184
script/autobuild.py: use more portable 'cp -R -a -l'
On platforms like FreeBSD 12 cp doesn't accept the long options,
using the one letter options works there and keeps working on Linux
as well.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0312a10e09d8dc1295a4a80493761e91031e88e7)
.git is not always a directory, with 'git worktree' it's a file.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f9374d0a4ecc11acc46884feec28d138accc6dab)
Signed-off-by: Bjoern Jacke <bjacke@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 10 15:06:49 UTC 2021 on sn-devel-184
Signed-off-by: Paul Wise <pabs3@bonedaddy.net> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Original-author: Nicolas Williams <nico@twosigma.com>
(cherry-picked from heimdal commit b3db07d5f0e03f6a1a0a392e70f9675e19a6d6af)
(cherry picked from commit f9ed4f7028a5ed29026ac8ef1b47b63755ba98f8)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0bdbe50fac680be3fe21043246b8c75005611351)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Fri Feb 5 12:14:09 UTC 2021 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 00543ab3b29e3fbfe8314e51919629803e14ede6)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bebbf621d6052f797c5cf19a2a9bbc13e699d3f0)
Jeremy Allison [Thu, 28 Jan 2021 19:08:48 +0000 (11:08 -0800)]
s3: libsmb: cli_state_save_tcon(). Don't deepcopy tcon struct when temporarily swapping out a connection on a cli_state.
This used to make a deep copy of either
cli->smb2.tcon or cli->smb1.tcon, but this leaves
the original tcon pointer in place which will then get
TALLOC_FREE()'d when the new tree connection is made on
this cli_state.
As there may be pipes open on the old tree connection with
talloc'ed state allocated using the original tcon pointer as a
talloc parent we can't deep copy and then free this pointer
as that will fire the destructors on the pipe memory and
mark them as not connected.
This call is used to temporarily swap out a tcon pointer
(whilst keeping existing pipes open) to allow a new tcon
on the same cli_state and all users correctly call
cli_state_restore_tcon() once they are finished with
the new tree connection.
Just return the existing pointer and set the old value to NULL.
We know we MUST be calling cli_state_restore_tcon() below
to restore the original tcon tree connection pointer before
closing the session.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 2 21:05:25 UTC 2021 on sn-devel-184
Jeremy Allison [Fri, 29 Jan 2021 01:35:55 +0000 (17:35 -0800)]
s3: torture: Change the SMB1-only UID-REGRESSION-TEST to do an explicit copy of the tcon struct in use.
For this test only, explicitly copy the SMB1 tcon struct,
don't use cli_state_save_tcon()//cli_state_restore_tcon()
as these calls will soon change to just manipulate the pointer
to avoid TALLOC_FREE() on the tcon struct which calls
destructors on child pipe data.
In SMB1 this test calls cli_tdis() twice with an invalid
vuid and expects the SMB1 tcon struct to be preserved
across the calls.
SMB1 cli_tdis() frees cli->smb1.tcon so we must put back
a deep copy into cli->smb1.tcon to be able to safely call
cli_tdis() again.
This is a test-only hack. Real client code
uses cli_state_save_tcon()/cli_state_restore_tcon()
if it needs to temporarily swap out the active
tcon on a client connection.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e93e6108837eff0cebad8dc26d055c0e1386093a)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit f9ca91bd293e9f2710c4449c5d4f5d016a066049)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit dc701959cad7bf15aa47cad6451212606520f67f)
Jeremy Allison [Thu, 28 Jan 2021 22:07:23 +0000 (14:07 -0800)]
s3: tests: Add regression test for bug 13992.
Subtle extra test. Mark as knownfail for now.
'^ user1$' must appear MORE THAN ONCE, as it can read more than one
share. The previous test found user1, but only once as the bug only
allows reading the security descriptor for one share, and we were
unlucky that the first share security descriptor returned allows
user1 to read from it.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 068f4a977f0539f790809d580bf22d2362032e3d)
Ralph Boehme [Fri, 15 Jan 2021 11:56:25 +0000 (12:56 +0100)]
s3/auth: implement "winbind:ignore domains"
Under the following conditions a user from an ignored domain might be able to
authenticate:
- using Kerberos
- successfully previous authentication so the idmap and name caches are filled
- winbind not running (fwiw, winbindd is mandatory on a domain member)
- nscd running with a cached getpwnam for the ignored user (otherwise auth fails
because getpwnam fails)
- lookup_name() function being modified to look into the name cache before
contacting winbindd. Currently it talks directly to winbindd and that will
check the cache.
Currently, authentication will only fail because creating the local token for
the user fails because an LSA lookupname RPC call fails (because winbindd is not
running).
All of this makes a successfull authentication unlikelly, but that is more by
accident then by design.
To ensures that if winbindd is not running and as such winbindd itself can not
enforce the restriction, also implement the ignored domains check in the auth
system as a last line of defense.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
RN: "winbind:ignore domains" doesn't prevent user login from trusted domain
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Jan 13 18:14:31 UTC 2021 on sn-devel-184
Jeremy Allison [Wed, 6 Jan 2021 17:03:05 +0000 (09:03 -0800)]
libcli/smb: Allow smb2cli_validate_negotiate_info_done() to ignore NT_STATUS_INVALID_PARAMETER.
This can be returned from NetApp Ontap 7.3.7 SMB server
implementations. Now we have ensured smb2_signing_check_pdu()
cannot return NT_STATUS_INVALID_PARAMETER on a signing error
it's safe to check this error code here. Windows 10
clients ignore this error from the NetApp.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 8 21:38:18 UTC 2021 on sn-devel-184
Ralph Boehme [Fri, 11 Dec 2020 12:00:56 +0000 (13:00 +0100)]
vfs_fruit: check fake_fd in fruit_pread_meta_stream()
Don't call into the next VFS backend if we know we still have a fake-fd. Just
return -1 and the caller has the logic to handle this, which results in
returning a AFP_AfpInfo blob initialized with some defaults.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit c5da08422990dfc1e082bc01aa10d6e415eebe3f)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit 36eb30fd7d4b82bffd0e1ab471c088f678d700a4)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit 40e70cbd3c3a1df9205a7b18d07784c1754cc340)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit 719c83b4dc4cef16429ec2803621039545f6885e)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit 8f057333466b2d9845cd8bc2b794d98252ade2a4)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 6 23:59:58 UTC 2021 on sn-devel-184
Arne Kreddig [Fri, 1 Jan 2021 21:54:22 +0000 (22:54 +0100)]
vfs_virusfilter: Allocate separate memory for config char*
Instead of using only the pointer to the configuration char* from the
global configuration, vfs_virusfilter now allocates its own memory and
copies the char* from the global configuration.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14606 Signed-off-by: Arne Kreddig <arne@kreddig.net> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 7 19:25:38 UTC 2021 on sn-devel-184
Andrew Bartlett [Mon, 23 Nov 2020 06:35:37 +0000 (19:35 +1300)]
Do not create an empty DB when accessing a sam.ldb
Samba already does this for samba-tool and doing this should make
our errors more sensible, particularly in BIND9 if not provisioned
with the correct --dns-backend=DLZ_BIND9
The old error was like:
named[62954]: samba_dlz: Unable to get basedn for
/var/lib/samba/private/dns/sam.ldb
- NULL Base DN invalid for a base search.
The new error will be like (in this case from the torture test):
Failed to connect to Failed to connect to
ldb:///home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb:
Unable to open tdb '/home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb':
No such file or directory: Operations error
Reviewed-by: Andreas Schneider <asn@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d49e96bc45ea5e2d3364242dad36fe9094b7cc42)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Thu Jan 7 09:50:29 UTC 2021 on sn-devel-184
Martin Schwenke [Tue, 8 Dec 2020 13:03:47 +0000 (00:03 +1100)]
bootstrap: Cope with case changes in CentOS 8 repo names
RN: Be more flexible with repository names in CentOS 8 test environments
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14594 Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(backported from commit 1c59f49aaede8ec1662d4e49aef84fcd902a8a76)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Wed Jan 6 12:19:21 UTC 2021 on sn-devel-184
Dimitry Andric [Fri, 1 Jan 2021 17:25:48 +0000 (18:25 +0100)]
lib: Avoid declaring zero-length VLAs in various messaging functions
In messaging_rec_create(), messaging_recv_cb() and
messaging_dispatch_rec(), variable length arrays of file descriptors are
declared using an incoming num_fds parameter.
However, there are several scenarios where num_fds can be zero, and
declaring a zero-length VLA is undefined behavior. This can lead to
segmentation faults and/or other crashes when compiling with recent
versions of clang at high optimization levels.
To avoid ever using zero as the length for these declarations, use
MAX(1, length) instead.
Signed-off-by: Dimitry Andric <dimitry@andric.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan 4 10:50:07 UTC 2021 on sn-devel-184
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 1 20:29:34 UTC 2020 on sn-devel-184
Ralph Boehme [Thu, 26 Nov 2020 14:24:44 +0000 (15:24 +0100)]
s4/samba: call force_check_log_size() in standard_new_task()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
RN: samba process does not honor max log size
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 7 18:54:29 UTC 2020 on sn-devel-184
Ralph Boehme [Fri, 20 Nov 2020 14:21:03 +0000 (15:21 +0100)]
s4: replace low-level SIGUP handler with a tevent handler
Replace the low-level signal handler for SIGHUP with a nice tevent signal
handler. The low-level handler sig_hup() installed by setup_signals() remains
being used during early startup before a tevent context is available.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit 516c2a04a242a539f9fbddb2822295fee233644c)
[slow@samba.org: process_prefork.c has additional include in master]
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit 68f71f227b17774a12c84575c1eecd82279fac95)
[slow@samba.org: conflict due to rename source4/smbd/ -> source4/samba/ in master]
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Rowland penny <rpenny@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 4 20:54:06 UTC 2020 on sn-devel-184
Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Nov 27 17:15:07 UTC 2020 on sn-devel-184
projects / thirdparty / samba.git / log
