Volker Lendecke [Tue, 4 Dec 2007 12:16:37 +0000 (13:16 +0100)]
Correctly invalidate intermediate vuids
Because of the "&& usp->server_info" test in get_valid_user_struct,
invalidate_vuid() called for an intermediate vuid would never do what it was
supposed to do. There is no server_info in the intermediate vuids.
This fixes a memleak; it was found for a client that does silly sequences of
sessionsetup/ulogoff for every operation.
Simo Sorce [Tue, 20 Nov 2007 23:19:54 +0000 (18:19 -0500)]
32/64 bit compatibility fix
This patch fixes platforms where 32- and 64-bit apps can run at the same time.
Fixed and tested in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=253036
Jeremy Allison [Mon, 19 Nov 2007 23:27:11 +0000 (15:27 -0800)]
Ensure every use of push_ascii checks for error -1 condition.
Ensure that if zero termination is requested, it is
applied if there's space.
Jeremy.
Michael Adam [Sat, 20 Oct 2007 00:17:07 +0000 (02:17 +0200)]
Fix for Bug #5023 (separate access check from posix_acls code)
The three can_* access check functions in smbd/posix_acls.c that are used in
smbd/open.c and smbd/nttrans.c explicitly called check_posix_acl_group_access().
This led to errors with nfsv4 acls (e.g. ZFS and GPFS).
This changes the can_* functions to get the nt_acl via VFS layer and call
se_access_check on that. It also removes check_posix_acl_group_access()
which has no more callers.
...
Samba developers have discovered what is believed to be
a non-exploitable buffer over in nmbd during the processing
of GETDC logon server requests. This code is only used
when the Samba server is configured as a Primary or Backup
Domain Controller.
== Subject: Remote code execution in Samba's WINS
== server daemon (nmbd) when processing name
== registration followed by name query requests.
==
== CVE ID#: CVE-2007-5398
==
== Versions: Samba 3.0.0 - 3.0.26a (inclusive)
...
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd. This defect may
only be exploited when the "wins support" parameter has
been enabled in smb.conf.
Jeremy Allison [Wed, 7 Nov 2007 05:48:01 +0000 (21:48 -0800)]
Fix bug where tdb lock call interrupted with
an alarm sig would not terminate and could lead
to runaway smbd processes.
Thanks to Dave Daugherty @ Centrify for pointing
this out to us.
Jeremy.
Fix crash bug in pidl-generated client code; this
could have happened with [in,out,unique] pointers
when the client sends a valid pointer, but the server
responds with a NULL pointer (as samba-3.0.26a does for some calls).
I've tested with midl to see how windows handles this situation
and also the reverse case where the client sends NULL and
the server responds with non-NULL.
It appears that midl generated code just ignores this
and only copies the result if both pointers are non-NULL.
Note: this is just cosmetic for the 3.0.x tree, as
rpccli_wkssvc_NetWkstaEnumUsers and rpccli_wkssvc_NetWkstaTransportEnum
are not used.
Michael Adam [Fri, 12 Oct 2007 11:34:09 +0000 (13:34 +0200)]
Add become_root/unbecome_root around one call of getsampwsid()
in create_token_from_username(). This caused set_nt_acl to
partially fail in certain circumstances.
This is expected to bring an improvement to bug #4308.
r25068: Older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for every opcode on the
LSARPC_DS pipe, continue with no_lsarpc_ds mode here as well to get
domain->initialized set to True. This avoids permanent scanning of Samba3 DCs
in winbindd. Thanks Michael, for pointing this out.
Michael Adam [Mon, 9 Jul 2007 15:34:46 +0000 (15:34 +0000)]
r23769: Move removal of the tdb from the generic tdb_validate function
to the caller (winbindd_validate_cache in this case).
Next, there will be a backup handling for the tdb files.
Jeremy Allison [Mon, 9 Jul 2007 00:48:07 +0000 (00:48 +0000)]
r23752: Fix bug introduced by checkin 22920, allow large
readX. Fix from Dmitry Shatrov <dhsatrov@linux.vnet.ibm.com>.
"In send_file_readX(), if startpos > sbuf.st_size, then smb_maxcnt is set
to an invalid large value due to integer overflow.
As for me, this resulted in MS Word hanging while trying to save
a 1.5Mb document."
Michael Adam [Sat, 7 Jul 2007 23:57:25 +0000 (23:57 +0000)]
r23750: Change the behaviour of net conf import when there is a global section
in the current registry and there is no global section in the input
file (or only global options with default values):
In that case the existing global section is now not touched. Before, it
would have been deleted and recreated empty. The new behaviour is how
other shares are treated too.
Note that since the input file is parsed by lp_load, there is currently
no way to distinguish between a section with only default parameters
and a non-existing section in net conf import.
Michael
PS: A couple of trailing white-spaces have been eliminated
and a line was broken to be not longer than 80 chars, too.
Michael Adam [Sat, 7 Jul 2007 22:18:54 +0000 (22:18 +0000)]
r23747: Move formatting of a parameter's value into a value string
(for storing it in the registry) to a function of its own.
Eliminate the valtype variable: store everything as "sz".
Eliminate some trailing white spaces on the way.
Michael Adam [Sat, 7 Jul 2007 20:40:59 +0000 (20:40 +0000)]
r23744: Remove TODO-comment. lp_load returns False if opening
of the config file fails. That's enough of checking for
existence and readability to my taste.
Jeremy Allison [Fri, 6 Jul 2007 21:46:43 +0000 (21:46 +0000)]
r23735: Second part of the bugfix for #4763
This should coalesce identical adjacent notify records - making the "too large"
bug very rare indeed. Please test.
Jeremy.
(a) Update the counter for the number of new groups to resolve else
we'll only expand one group member per level and drop the rest.
(b) Don't reset the num_names counter in winbindd_ads.c:lookup_groupmem()
or we'll drop the SIDs resolved to names via cache from the resulting
list.
r23727: Explicitly pass down FLAGS2 to srvstr_get_path.
Next step is to remove the bug that in the trans2 code we use the inbuf
as the base pointer to decide whether we need ucs2 alignment where we
need to use the beginning of the params buffer
r23726: Explicitly pass down the FLAGS2 field to srvstr_pull_buf. The next
checkin will pull this up to srvstr_get_path. At that point we can get more
independent of the inbuf, the base_ptr in pull_string will only be used
to satisfy UCS2 alignment constraints.
r23724: Reduce access to the global inbuf a tiny bit. Add a struct smb_request
that contains some of the fields from the SMB header, removing the need
to access inbuf directly. This right now is used only in the open file
code & friends, and creating that header is only done when needed. This
needs more work, but it is a start.
Jeremy, I'm only checking this into 3_0, please review before I merge it
to _26.
Simo Sorce [Thu, 5 Jul 2007 13:46:47 +0000 (13:46 +0000)]
r23723: Alexander Larsson pointed me at a missing mapping in clierror.c.
When renaming a file across 2 filesystems a samba server returns
NT_STATUS_NOT_SAME_DEVICE, but this is not translated to EXDEV,
and the generic EINVAL is returned instead.
This should fix it; Jeremy or Derrell please check if this is ok.